Updated: 04/11/2019
shorewall - Administration tool for Shoreline Firewall (Shorewall)  


shorewall[6][-lite] [trace|debug [nolock]] [options] add { interface[:host-list]... zone | zone host-list }
shorewall[6][-lite] [trace|debug [nolock]] [options] allow address
shorewall[6][-lite] [trace|debug [nolock]] [options] blacklist address [option ...]
shorewall[6][-lite] [trace|debug [nolock]] [options] call function [parameter ...]
shorewall[6] [trace|debug] [options] [check | ck ] [-e] [-d] [-p] [-r] [-T] [-i] [directory]
shorewall[6][-lite] [trace|debug [nolock]] [options] clear [-f]
shorewall[6][-lite] [trace|debug [nolock]] [options] close { open-number | source dest [ protocol [ port ] ] }
shorewall[6] [trace|debug] [options] [compile | co ] [-e] [-c] [-d] [-p] [-T] [-i] [directory] [pathname]
shorewall[6][-lite] [trace|debug [nolock]] [options] delete { interface[:host-list]... zone | zone host-list }
shorewall[6][-lite] [trace|debug [nolock]] [options] disable { interface | provider }
shorewall[6][-lite] [trace|debug [nolock]] [options] drop address
shorewall[6][-lite] [trace|debug] [options] dump [-x] [-l] [-m] [-c]
shorewall[6][-lite] [trace|debug [nolock]] [options] enable { interface | provider }
shorewall[6] [trace|debug [nolock]] [options] export [directory1] [user@]system[:directory2]
shorewall[6][-lite] [trace|debug [nolock]] [options] forget [filename]
shorewall[6][-lite] [trace|debug] [options] help
shorewall[-lite] [trace|debug] [options] hits [-t]
shorewall[-lite] [trace|debug] [options] ipcalc {address mask | address/vlsm}
shorewall[-lite] [trace|debug] [options] iprange address1-address2
shorewall[6][-lite] [trace|debug] [options] iptrace iptables match expression
shorewall[6][-lite] [trace|debug [nolock]] [options] logdrop address
shorewall[6][-lite] [trace|debug] [options] logwatch [-m] [refresh-interval]
shorewall[6][-lite] [trace|debug [nolock]] [options] logreject address
shorewall[6][-lite] [trace|debug] [options] noiptrace iptables match expression
shorewall[6][-lite] [options] open source dest [ protocol [ port ] ]
shorewall[6][-lite] [trace|debug [nolock]] [options] reenable { interface | provider }
shorewall[6][-lite] [trace|debug [nolock]] [options] reject address
shorewall[6][-lite] [trace|debug [nolock]] [options] reload [-n] [-p [-d]] [-f] [-c] [-T] [-i] [-C] [directory]
shorewall[6] [trace|debug] [options] remote-getcaps [-s] [-R] [-r root-user-name] [-T] [-i] [[-D]directory] [system]
shorewall[6] [trace|debug] [options] remote-getrc [-s] [-c] [-r root-user-name] [-T] [-i] [[-D]directory] [system]
shorewall[6] [trace|debug] [options] remote-start [-s] [-c] [-r root-user-name] [-T] [-i] [[-D]directory] [system]
shorewall[6] [trace|debug] [options] remote-reload [-s] [-c] [-r root-user-name] [-T] [-i] [[-D]directory] [system]
shorewall[6] [trace|debug] [options] remote-restart [-s] [-c] [-r root-user-name] [-T] [-i] [[-D]directory] [system]
shorewall[6][-lite] [trace|debug [nolock]] [options] reset [chain ...]
shorewall[6][-lite] [trace|debug [nolock]] [options] restart [-n] [-p [-d]] [-f] [-c] [-T] [-i] [-C] [directory]
shorewall[6][-lite] [trace|debug [nolock]] [options] restore [-n] [-p] [-C] [filename]
shorewall[6][-lite] [trace|debug [nolock]] [options] run command [parameter ...]
shorewall[6] [trace|debug [nolock]] [options] safe-restart [-d] [-p] [-t timeout] [directory]
shorewall[6] [trace|debug] [options] safe-start [-d] [-p] [-t timeout] [directory]
shorewall[6][-lite] [trace|debug [nolock]] [options] save [-C] [filename]
shorewall[6][-lite] [trace|debug [nolock]] [options] savesets
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-x] {bl|blacklists}
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-b] [-x] [-l] [-t {filter|mangle|nat|raw}] [chain...]
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-f] capabilities
shorewall[6] [options] {show | list | ls } [-f] {actions|macros}
shorewall[6] [trace|debug] [options] {show | list | ls } action action
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } {classifiers|connections|config|events|filters|ip|ipa|ipsec|zones|policies|marks}
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } event event
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-c] routing
shorewall[6] [trace|debug] [options] {show | list | ls } macro macro
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-x] {mangle|nat|raw}
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } saves
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-m] log
shorewall[6][-lite] [trace|debug [nolock]] [options] start [-n] [-f] [-p] [-c] [-T [-i]] [-C] [directory]
shorewall[6][-lite] [trace|debug [nolock]] [options] stop [-f]
shorewall[6][-lite] [trace|debug] [options] status [-i]
shorewall[6] [trace|debug [nolock]] [options] try directory [timeout]
shorewall[6] [trace|debug] [options] update [-b] [-d] [-r] [-T] [-a] [-i] [-A] [directory]
shorewall[6][-lite] [trace|debug] [options] version [-a]


Beginning with Shorewall 5.1.0, the shorewall utility is used to control the Shoreline Firewall (Shorewall), Shorewall Firewall 6 (Shorewall6), Shorewall Firewall Lite (Shorewall-lite) and Shorewall Firewall 6 Lite (Shorewall6-lite). The utility may be accessed under four different names:


shorewall
    Controls the Shorewall configuration when Shorewall is installed. If Shorewall is not installed, the shorewall command controls Shorewall-lite if it is installed. If neither Shorewall nor Shorewall-lite is installed, the shorewall command controls Shorewall6-lite if it is installed.

shorewall6
    The shorewall6 command controls Shorewall6 when Shorewall6 is installed.

shorewall-lite
    The shorewall-lite command controls Shorewall-lite when Shorewall-lite is installed.

shorewall6-lite
    The shorewall6-lite command controls Shorewall6-lite when Shorewall6-lite is installed.

Prior to Shorewall 5.1.0, these four commands were implemented as four separate programs, each of which controlled only a single firewall package. This manpage documents both the Shorewall 5.1 and Shorewall 5.0 CLI.


The trace and debug options are used for debugging. See [1].

The nolock option prevents the command from attempting to acquire the Shorewall lockfile. It is useful if you need to include shorewall commands in /etc/shorewall/started.

Other options are:


Added in Shorewall 5.1.0. Causes the command to operate on the Shorewall configuration or the Shorewall-lite configuration. It is the default when either of those products is installed and when the command is shorewall or shorewall-lite.


Added in Shorewall 5.1.0. Causes the command to operate on the Shorewall6 or Shorewall6-lite configuration. It is the default when only Shorewall6-lite is installed and when the command is shorewall6 or