shorewall - cmd




shorewall version


shorewall show config

Default CONFIG_PATH is /etc/shorewall:/usr/share/shorewall
Default VARDIR is /var/lib/shorewall
LIBEXEC is /usr/share


shorewall status

Shorewall- Status at ubuntu - Wed Jun  6 11:02:27 HKT 2012

Shorewall is running
State:Started (Wed Jun  6 10:59:33 HKT 2012) from /etc/shorewall/





Show Command:


  • shorewall show policies
Shorewall Policies at ubuntu - Wed Jun  6 15:54:37 HKT 2012

fw      =>      wan     ACCEPT
fw      =>      vps     ACCEPT
wan     =>      fw      REJECT using chain wan2fw
wan     =>      vps     ACCEPT
vps     =>      fw      REJECT using chain vps2fw
vps     =>      wan     ACCEPT


  • show zones
  • show dynamic <zone>
fw (firewall)
wan (ipv4)
vps (ipv4)



  • shorewall show connection
icmp     1 29 src= dst= type=8 code=0 id=1 src= dst= type=0 code=0 id=1 mark=0 use=2


  • show tc



支援的 action

  • show actions
  • show macros
  • shorewall show  capabilities


有關的 Chain 及 table

  • show [ -x ] mangle|nat|raw|rawpost|routing
  • show [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]


show ipa     <------ iptaccount


shorewall show log








shorewall stop

The shorewall stop command does not remove all Netfilter rules and open your firewall for all traffic to pass. It rather places your firewall in a safe state defined by the contents of your /etc/shorewall/routestopped file



shorewall clear

If you want to remove all Netfilter rules and open your firewall for all traffic to pass, use the shorewall clear command.


running /etc/init.d/shorewall stop will actually execute the command /sbin/shorewall clear



shorewall trace start 2> /tmp/trace

To trace the execution of shorewall start and write the trace to the file /tmp/trace

shorewall debug restart

/var/lib/shorewall/<filename>  <--- For Example: /var/lib/shorewall/restore

shorewall save [filename]
shorewall restore [filename]
shorewall forget [filename]



dynamic zone


shorewall add
shorewall delete





shorewall allow

shorewall delete




shorewall disable

shorewall enable








shorewall refresh [chains]       <--- Reloads rules dealing (Default: blacklisting) <--( Defalut all chains in filter table)
                                         (All steps performed by restart are performed by refresh)


shorewall refresh net2fw nat:net_dnat


shorewall reset           <--- Resets traffic counters


shorewall reload [DIR]


/sbin/shorewall compile -e directory directory/firewall &&\
scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
ssh root@system '/sbin/shorewall-lite restart'




shorewall logwatch
shorewall show log
shorewall dump







shorewall show filters
Shorewall Classifiers at lxc - Thu Oct 31 09:48:00 HKT 2013

Device eth0:

Device vethgWuKzY:

Device vethwPXz66:

Device veth5UsOEE:

Device vethAIKLQb:

Device vethBnePej:

shorewall restart

不會解除 DROP 的 IP.

           Re-enables receipt of packets from hosts previously blacklisted by a drop, logdrop(BLACKLIST_LOGLEVEL), reject, or
           logreject command.

# 查看
shorewall show dynamic

two different types of blackliisting

* static
* dynamic

BLACKLISTNEWONLY=No -- All incoming packets are checked against the blacklist. New blacklist entries can be used to terminate existing connections.

BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for new connection requests. Blacklists may not be used to terminate existing connections.

# drop [to|from] <ip address list>

shorewall[-lite] drop

ERROR: BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes

# no:
* slow down your firewall noticably if you have large blacklists

# Yes
ESTABLISHED/RELEATED packets are accepted early in the INPUT, FORWARD and OUTPUT chains.
( not include rules in the ESTABLISHED or RELATED sections)

當 BLACKLISTNEWONLY=Yes 時, 那 Drop 是不會即刻生效






man shorewall