'\" t
.\"     Title: shorewall-lite
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
.\"      Date: 10/19/2014
.\"    Manual: Administrative Commands
.\"    Source: Administrative Commands
.\"  Language: English
.\"
.TH "SHOREWALL\-LITE" "8" "10/19/2014" "Administrative Commands" "Administrative Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
shorewall-lite \- Administration tool for Shoreline Firewall Lite (Shorewall Lite)
.SH "SYNOPSIS"
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBadd\fR \fIinterface\fR[:\fIhost\-list\fR]... \fIzone\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBallow\fR \fIaddress\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBclear\fR\ [\fB\-f\fR] 
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBdelete\fR \fIinterface\fR[:\fIhost\-list\fR]... \fIzone\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBdisable\fR {\ \fIinterface\fR\ |\ \fIprovider\fR\ }
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBdrop\fR \fIaddress\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBdump\fR [\fB\-x\fR] [\fB\-l\fR] [\fB\-m\fR]
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBenable\fR {\ \fIinterface\fR\ |\ \fIprovider\fR\ }
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBforget\fR [\fIfilename\fR]
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBhelp\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBhits\fR\ [\fB\-t\fR] 
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBipcalc\fR {\fIaddress\fR\ \fImask\fR | \fIaddress\fR/\fIvlsm\fR}
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBiprange\fR \fIaddress1\fR\fB\-\fR\fIaddress2\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBiptrace\fR \fIiptables\ match\ expression\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBlogdrop\fR \fIaddress\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBlogwatch\fR [\fB\-m\fR] [\fIrefresh\-interval\fR]
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBlogreject\fR \fIaddress\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBnoiptrace\fR \fIiptables\ match\ expression\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBreject\fR \fIaddress\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBreset\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrestart\fR [\fB\-n\fR] [\fB\-p\fR] [\fIdirectory\fR]
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrestore\fR [\fIfilename\fR]
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBrun\fR function [\fIparameter\ \&.\&.\&.\fR]
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBsave\fR [\fIfilename\fR]
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] [\fBshow\ |\ list\ |\ ls\ \fR] [\fB\-b\fR] [\fB\-x\fR] [\fB\-l\fR] [\fB\-t\fR\ {\fBfilter\fR|\fBmangle\fR|\fBnat\fR|\fBraw|rawpost\fR}] [[\fBchain\fR]\ \fIchain\fR...]
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] [\fBshow\ |\ list\ |\ ls\ \fR] [\fB\-x\fR] \fB{bl|blacklists}\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] [\fBshow\ |\ list\ |\ ls\ \fR] [\fB\-f\fR] \fBcapabilities\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] [\fBshow\ |\ list\ |\ ls\ \fR] {\fBclassifiers|connections|config|events|filters|ip|ipa|zones|policies|marks\fR}
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] [\fBshow\ |\ list\ |\ ls\ \fR] \fBevent\fR\ \fIevent\fR 
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] [\fBshow\ |\ list\ |\ ls\ \fR] [\fB\-x\fR] {\fBmangle|nat|routing|raw|rawpost\fR}
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] [\fBshow\ |\ list\ |\ ls\ \fR] \fBtc\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] [\fBshow\ |\ list\ |\ ls\ \fR] [\fB\-m\fR] \fBlog\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBstart\fR [\fB\-n\fR] [\fB\-p\fR]
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR\ [\fBnolock\fR]] [\-\fIoptions\fR] \fBstop\fR
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBstatus\fR\ [\fB\-i\fR] 
.HP \w'\fBshorewall\-lite\fR\ 'u
\fBshorewall\-lite\fR [\fBtrace\fR|\fBdebug\fR] [\-\fIoptions\fR] \fBversion\fR\ [\fB\-a\fR] 
.SH "DESCRIPTION"
.PP
The shorewall\-lite utility is used to control the Shoreline Firewall Lite (Shorewall Lite)\&.
.SH "OPTIONS"
.PP
The
\fBtrace\fR
and
\fBdebug\fR
options are used for debugging\&. See
\m[blue]\fBhttp://www\&.shorewall\&.net/starting_and_stopping_shorewall\&.htm#Trace\fR\m[]\&.
.PP
The nolock
\fBoption\fR
prevents the command from attempting to acquire the Shorewall\-lite lockfile\&. It is useful if you need to include
\fBshorewall\fR
commands in
/etc/shorewall/started\&.
.PP
The
\fIoptions\fR
control the amount of output that the command produces\&. They consist of a sequence of the letters
\fBv\fR
and
\fBq\fR\&. If the options are omitted, the amount of output is determined by the setting of the VERBOSITY parameter in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. Each
\fBv\fR
adds one to the effective verbosity and each
\fBq\fR
subtracts one from the effective VERBOSITY\&. Alternately,
\fBv\fR
may be followed immediately with one of \-1,0,1,2 to specify a specify VERBOSITY\&. There may be no white\-space between
\fBv\fR
and the VERBOSITY\&.
.PP
The
\fIoptions\fR
may also include the letter
\fBt\fR
which causes all progress messages to be timestamped\&.
.SH "COMMANDS"
.PP
The available commands are listed below\&.
.PP
\fBadd\fR
.RS 4
Adds a list of hosts or subnets to a dynamic zone usually used with VPN\*(Aqs\&.
.sp
The
\fIinterface\fR
argument names an interface defined in the
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5) file\&. A
\fIhost\-list\fR
is comma\-separated list whose elements are host or network addresses\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBCaution\fR
.ps -1
.br
The
\fBadd\fR
command is not very robust\&. If there are errors in the
\fIhost\-list\fR, you may see a large number of error messages yet a subsequent
\fBshorewall\-lite show zones\fR
command will indicate that all hosts were added\&. If this happens, replace
\fBadd\fR
by
\fBdelete\fR
and run the same command again\&. Then enter the correct command\&.
.sp .5v
.RE
.RE
.PP
\fBallow\fR
.RS 4
Re\-enables receipt of packets from hosts previously blacklisted by a
\fBdrop\fR,
\fBlogdrop\fR,
\fBreject\fR, or
\fBlogreject\fR
command\&.
.RE
.PP
\fBclear\fR
.RS 4
Clear will remove all rules and chains installed by Shorewall\-lite\&. The firewall is then wide open and unprotected\&. Existing connections are untouched\&. Clear is often used to see if the firewall is causing connection problems\&.
.sp
If
\fB\-f\fR
is given, the command will be processed by the compiled script that executed the last successful
\fBstart\fR,
\fBrestart\fR
or
\fBrefresh\fR
command if that script exists\&.
.RE
.PP
\fBdelete\fR
.RS 4
The delete command reverses the effect of an earlier
\fBadd\fR
command\&.
.sp
The
\fIinterface\fR
argument names an interface defined in the
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5) file\&. A
\fIhost\-list\fR
is comma\-separated list whose elements are a host or network address\&.
.RE
.PP
\fBdisable\fR
.RS 4
Added in Shorewall 4\&.4\&.26\&. Disables the optional provider associated with the specified
\fIinterface\fR
or
\fIprovider\fR\&. Where more than one provider share a single network interface, a
\fIprovider\fR
name must be given\&.
.RE
.PP
\fBdrop\fR
.RS 4
Causes traffic from the listed
\fIaddress\fRes to be silently dropped\&.
.RE
.PP
\fBdump\fR
.RS 4
Produces a verbose report about the firewall configuration for the purpose of problem analysis\&.
.sp
The
\fB\-x\fR
option causes actual packet and byte counts to be displayed\&. Without that option, these counts are abbreviated\&. The
\fB\-m\fR
option causes any MAC addresses included in Shorewall\-lite log messages to be displayed\&.
.sp
The
\fB\-l\fR
option causes the rule number for each Netfilter rule to be displayed\&.
.RE
.PP
\fBenable\fR
.RS 4
Added in Shorewall 4\&.4\&.26\&. Enables the optional provider associated with the specified
\fIinterface\fR
or
\fIprovider\fR\&. Where more than one provider share a single network interface, a
\fIprovider\fR
name must be given\&.
.RE
.PP
\fBforget\fR
.RS 4
Deletes /var/lib/shorewall\-lite/\fIfilename\fR
and /var/lib/shorewall\-lite/save\&. If no
\fIfilename\fR
is given then the file specified by RESTOREFILE in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) is assumed\&.
.RE
.PP
\fBhelp\fR
.RS 4
Displays a syntax summary\&.
.RE
.PP
\fBhits\fR
.RS 4
Generates several reports from Shorewall\-lite log messages in the current log file\&. If the
\fB\-t\fR
option is included, the reports are restricted to log messages generated today\&.
.RE
.PP
\fBipcalc\fR
.RS 4
Ipcalc displays the network address, broadcast address, network in CIDR notation and netmask corresponding to the input[s]\&.
.RE
.PP
\fBiprange\fR
.RS 4
Iprange decomposes the specified range of IP addresses into the equivalent list of network/host addresses\&.
.RE
.PP
\fBiptrace\fR
.RS 4
This is a low\-level debugging command that causes iptables TRACE log records to be created\&. See iptables(8) for details\&.
.sp
The
\fIiptables match expression\fR
must be one or more matches that may appear in both the raw table OUTPUT and raw table PREROUTING chains\&.
.sp
The trace records are written to the kernel\*(Aqs log buffer with facility = kernel and priority = warning, and they are routed from there by your logging daemon (syslogd, rsyslog, syslog\-ng, \&.\&.\&.) \-\- Shorewall\-lite has no control over where the messages go; consult your logging daemon\*(Aqs documentation\&.
.RE
.PP
\fBlogdrop\fR
.RS 4
Causes traffic from the listed
\fIaddress\fRes to be logged then discarded\&. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2
(5)\&.
.RE
.PP
\fBlogwatch\fR
.RS 4
Monitors the log file specified by the LOGFILE option in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) and produces an audible alarm when new Shorewall\-lite messages are logged\&. The
\fB\-m\fR
option causes the MAC address of each packet source to be displayed if that information is available\&. The
\fIrefresh\-interval\fR
specifies the time in seconds between screen refreshes\&. You can enter a negative number by preceding the number with "\-\-" (e\&.g\&.,
\fBshorewall\-lite logwatch \-\- \-30\fR)\&. In this case, when a packet count changes, you will be prompted to hit any key to resume screen refreshes\&.
.RE
.PP
\fBlogreject\fR
.RS 4
Causes traffic from the listed
\fIaddress\fRes to be logged then rejected\&. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2
(5)\&.
.RE
.PP
\fBnoiptrace\fR
.RS 4
This is a low\-level debugging command that cancels a trace started by a preceding
\fBiptrace\fR
command\&.
.sp
The
\fIiptables match expression\fR
must be one given in the
\fBiptrace\fR
command being canceled\&.
.RE
.PP
\fBreset\fR
.RS 4
All the packet and byte counters in the firewall are reset\&.
.RE
.PP
\fBrestart\fR
.RS 4
Restart is similar to
\fBshorewall\-lite start\fR
except that it assumes that the firewall is already started\&. Existing connections are maintained\&.
.sp
The
\fB\-n\fR
option causes Shorewall\-lite to avoid updating the routing table(s)\&.
.sp
The
\fB\-p\fR
option causes the connection tracking table to be flushed; the
\fBconntrack\fR
utility must be installed to use this option\&.
.RE
.PP
\fBrestore\fR
.RS 4
Restore Shorewall\-lite to a state saved using the
\fBshorewall\-lite save\fR
command\&. Existing connections are maintained\&. The
\fIfilename\fR
names a restore file in /var/lib/shorewall\-lite created using
\fBshorewall\-lite save\fR; if no
\fIfilename\fR
is given then Shorewall\-lite will be restored from the file specified by the RESTOREFILE option in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&.
.RE
.PP
\fBrun\fR
.RS 4
Added in Shorewall 4\&.6\&.3\&. Executes
\fIcommand\fR
in the context of the generated script passing the supplied
\fIparameter\fRs\&. Normally, the
\fIcommand\fR
will be a function declared in
lib\&.private\&.
.sp
Before executing the
\fIcommand\fR, the script will detect the configuration, setting all SW_* variables and will run your
init
extension script with $COMMAND = \*(Aqrun\*(Aq\&.
.RE
.PP
\fBsave\fR
.RS 4
The dynamic blacklist is stored in /var/lib/shorewall\-lite/save\&. The state of the firewall is stored in /var/lib/shorewall\-lite/\fIfilename\fR
for use by the
\fBshorewall\-lite restore\fR\&. If
\fIfilename\fR
is not given then the state is saved in the file specified by the RESTOREFILE option in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&.
.RE
.PP
\fBshow\fR
.RS 4
The show command can have a number of different arguments:
.PP
\fBbl|blacklists\fR
.RS 4
Added in Shorewall 4\&.6\&.2\&. Displays the dynamic chain along with any chains produced by entries in shorewall\-blrules(5)\&.The
\fB\-x\fR
option is passed directly through to iptables and causes actual packet and byte counts to be displayed\&. Without this option, those counts are abbreviated\&.
.RE
.PP
\fBcapabilities\fR
.RS 4
Displays your kernel/iptables capabilities\&. The
\fB\-f\fR
option causes the display to be formatted as a capabilities file for use with
\fBcompile \-e\fR\&.
.RE
.PP
[ [ \fBchain\fR ] \fIchain\fR\&.\&.\&. ]
.RS 4
The rules in each
\fIchain\fR
are displayed using the
\fBiptables \-L\fR
\fIchain\fR
\fB\-n \-v\fR
command\&. If no
\fIchain\fR
is given, all of the chains in the filter table are displayed\&. The
\fB\-x\fR
option is passed directly through to iptables and causes actual packet and byte counts to be displayed\&. Without this option, those counts are abbreviated\&. The
\fB\-t\fR
option specifies the Netfilter table to display\&. The default is
\fBfilter\fR\&.
.sp
The
\fB\-b\fR
(\*(Aqbrief\*(Aq) option causes rules which have not been used (i\&.e\&. which have zero packet and byte counts) to be omitted from the output\&. Chains with no rules displayed are also omitted from the output\&.
.sp
The
\fB\-l\fR
option causes the rule number for each Netfilter rule to be displayed\&.
.sp
If the
\fBt\fR
option and the
\fBchain\fR
keyword are both omitted and any of the listed
\fIchain\fRs do not exist, a usage message is displayed\&.
.RE
.PP
\fBclassifiers|filters\fR
.RS 4
Displays information about the packet classifiers defined on the system as a result of traffic shaping configuration\&.
.RE
.PP
\fBconfig\fR
.RS 4
Displays distribution\-specific defaults\&.
.RE
.PP
\fBconnections\fR
.RS 4
Displays the IP connections currently being tracked by the firewall\&.
.RE
.PP
\fBevent\fR\fI event\fR
.RS 4
Added in Shorewall 4\&.5\&.19\&. Displays the named event\&.
.RE
.PP
\fBevents\fR
.RS 4
Added in Shorewall 4\&.5\&.19\&. Displays all events\&.
.RE
.PP
\fBip\fR
.RS 4
Displays the system\*(Aqs IPv4 configuration\&.
.RE
.PP
\fBipa\fR
.RS 4
Added in Shorewall 4\&.4\&.17\&. Displays the per\-IP accounting counters (\m[blue]\fBshorewall\-accounting\fR\m[]\&\s-2\u[3]\d\s+2
(5))\&.
.RE
.PP
\fBlog\fR
.RS 4
Displays the last 20 Shorewall\-lite messages from the log file specified by the LOGFILE option in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. The
\fB\-m\fR
option causes the MAC address of each packet source to be displayed if that information is available\&.
.RE
.PP
\fBmarks\fR
.RS 4
Added in Shorewall 4\&.4\&.26\&. Displays the various fields in packet marks giving the min and max value (in both decimal and hex) and the applicable mask (in hex)\&.
.RE
.PP
\fBnat\fR
.RS 4
Displays the Netfilter nat table using the command
\fBiptables \-t nat \-L \-n \-v\fR\&.The
\fB\-x\fR
option is passed directly through to iptables and causes actual packet and byte counts to be displayed\&. Without this option, those counts are abbreviated\&.
.RE
.PP
\fBpolicies\fR
.RS 4
Added in Shorewall 4\&.4\&.4\&. Displays the applicable policy between each pair of zones\&. Note that implicit intrazone ACCEPT policies are not displayed for zones associated with a single network where that network doesn\*(Aqt specify
\fBrouteback\fR\&.
.RE
.PP
\fBrouting\fR
.RS 4
Displays the system\*(Aqs IPv4 routing configuration\&.
.RE
.PP
\fBraw\fR
.RS 4
Displays the Netfilter raw table using the command
\fBiptables \-t raw \-L \-n \-v\fR\&.The
\fB\-x\fR
option is passed directly through to iptables and causes actual packet and byte counts to be displayed\&. Without this option, those counts are abbreviated\&.
.RE
.PP
\fBtc\fR
.RS 4
Displays information about queuing disciplines, classes and filters\&.
.RE
.PP
\fBzones\fR
.RS 4
Displays the current composition of the Shorewall zones on the system\&.
.RE
.RE
.PP
\fBstart\fR
.RS 4
Start Shorewall Lite\&. Existing connections through shorewall\-lite managed interfaces are untouched\&. New connections will be allowed only if they are allowed by the firewall rules or policies\&.
.sp
The
\fB\-p\fR
option causes the connection tracking table to be flushed; the
\fBconntrack\fR
utility must be installed to use this option\&.
.RE
.PP
\fBstop\fR
.RS 4
Stops the firewall\&. All existing connections, except those listed in
\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[4]\d\s+2(5) or permitted by the ADMINISABSENTMINDED option in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5), are taken down\&. The only new traffic permitted through the firewall is from systems listed in
\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[4]\d\s+2(5) or by ADMINISABSENTMINDED\&.
.sp
If
\fB\-f\fR
is given, the command will be processed by the compiled script that executed the last successful
\fBstart\fR,
\fBrestart\fR
or
\fBrefresh\fR
command if that script exists\&.
.RE
.PP
\fBstatus\fR
.RS 4
Produces a short report about the state of the Shorewall\-configured firewall\&.
.sp
The
\fB\-i \fRoption was added in Shorewall 4\&.6\&.2 and causes the status of each optional or provider interface to be displayed\&.
.RE
.PP
\fBversion\fR
.RS 4
Displays Shorewall\*(Aqs version\&. The
\fB\-a\fR
option is included for compatibility with earlier Shorewall releases and is ignored\&.
.RE
.SH "EXIT STATUS"
.PP
In general, when a command succeeds, status 0 is returned; when the command fails, a non\-zero status is returned\&.
.PP
The
\fBstatus\fR
command returns exit status as follows:
.PP
0 \- Firewall is started\&.
.PP
3 \- Firewall is stopped or cleared
.PP
4 \- Unknown state; usually means that the firewall has never been started\&.
.SH "FILES"
.PP
/etc/shorewall\-lite/
.SH "SEE ALSO"
.PP
\m[blue]\fBhttp://www\&.shorewall\&.net/starting_and_stopping_shorewall\&.htm\fR\m[]
.PP
shorewall\-accounting(5), shorewall\-actions(5), shorewall\-blacklist(5), shorewall\-hosts(5), shorewall_interfaces(5), shorewall\-ipsets(5), shorewall\-maclist(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall\-rtrules(5), shorewall\-routestopped(5), shorewall\-rules(5), shorewall\&.conf(5), shorewall\-secmarks(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-tcrules(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5)
.SH "NOTES"
.IP " 1." 4
shorewall.conf
.RS 4
\%http://www.shorewall.netshorewall.conf.html
.RE
.IP " 2." 4
shorewall-interfaces
.RS 4
\%http://www.shorewall.netshorewall-interfaces.html
.RE
.IP " 3." 4
shorewall-accounting
.RS 4
\%http://www.shorewall.netmanpages/shorewall-accounting.html
.RE
.IP " 4." 4
shorewall-routestopped
.RS 4
\%http://www.shorewall.netshorewall-routestopped.html
.RE