#!/bin/sh
#
# Shorewall help subsystem - V3.2
#
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2003-2006 - Tom Eastep (teastep@shorewall.net)
# Steve Herber (herber@thing.com)
#
# This file should be placed in /usr/share/shorewall-lite/help
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
##################################################################################
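#######################################
# Print the help text for one shorewall-lite command or topic.
# Globals:   LOGFILE (read; shown in the 'logwatch' text)
#            version (read; shown in the 'version' text)
# Arguments: $1 - command or topic name; an empty argument selects the
#                 general 'help' text
# Outputs:   the help text on stdout; an unknown topic gets a one-line
#            "is not recognized" message, also on stdout
# Returns:   0
#######################################
help_topic() {
  # printf instead of echo: a /bin/sh echo may interpret backslash escapes
  # (and leading options), and the default arm prints user-supplied text.
  case "$1" in
    address|host)
      printf '%s\n' "<$1>:
May be either a host IP address such as 192.168.1.4 or a network address in
CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
match support then IP address ranges of the form <low address>-<high address>
are also permitted. If your kernel and iptables contain ipset match support
then you may specify the name of an ipset prefaced by \"+\". The name of the
ipset may be optionally followed by a number of levels of ipset bindings
(1 - 6) that are to be followed"
      ;;
    allow)
      printf '%s\n' "allow: allow <address> ...
Re-enables receipt of packets from hosts previously blacklisted
by a drop or reject command.
shorewall-lite allow, drop, reject and save implement dynamic blacklisting.
See also \"help address\""
      ;;
    clear)
      printf '%s\n' "clear: clear
Clear will remove all rules and chains installed by Shoreline.
The firewall is then wide open and unprotected. Existing
connections are untouched. Clear is often used to see if the
firewall is causing connection problems."
      ;;
    debug)
      printf '%s\n' "debug: debug
If you include the keyword debug as the first argument to any
of these commands:
start|stop|restart|reset|clear|add|delete
then a shell trace of the command is produced. For example:
shorewall-lite debug start 2> /tmp/trace
The above command would trace the 'start' command and
place the trace information in the file /tmp/trace.
The word 'trace' is a synonym for 'debug'."
      ;;
    drop)
      printf '%s\n' "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored
shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
      ;;
    dump)
      printf '%s\n' "dump: dump
shorewall-lite [-x] dump
Produce a verbose report about the firewall for problem analysis.
(iptables -L -n -)
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
      ;;
    forget)
      printf '%s\n' "forget: forget [ <file name> ]
Deletes /var/lib/shorewall-lite/<file name>. If no <file name> is given then
the file specified by RESTOREFILE in shorewall.conf is removed.
See also \"help save\""
      ;;
    ''|help)
      # No topic at all reads best as a request for the general help text.
      printf '%s\n' "help: help [<command> | host | address ]
Display helpful information about the shorewall-lite commands."
      ;;
    hits)
      printf '%s\n' "hits: hits
Produces several reports about the Shorewall packet log messages
in the current /var/log/messages file."
      ;;
    ipcalc)
      printf '%s\n' "ipcalc: ipcalc { address mask | address/vlsm }
Ipcalc displays the network address, broadcast address,
network in CIDR notation and netmask corresponding to the input[s]."
      ;;
    ipdecimal)
      printf '%s\n' "ipdecimal: ipdecimal { <IP address> | <integer> }
Converts an IP address into its 32-bit decimal equivalent and
vice versa"
      ;;
    iprange)
      printf '%s\n' "iprange: iprange address1-address2
Iprange decomposes the specified range of IP addresses into the
equivalent list of network/host addresses."
      ;;
    logdrop)
      printf '%s\n' "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored and logged.
shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
      ;;
    logwatch)
      printf '%s\n' "logwatch: logwatch [ -m ] [<refresh interval>]
Monitors the LOGFILE, $LOGFILE,
and produces an audible alarm when new Shorewall messages are logged.
If \"-m\" is specified, then MAC addresses in the log entries (if any) are displayed."
      ;;
    logreject)
      printf '%s\n' "$1: $1 <address> ...
Causes packets from the specified <address> to be rejected and logged.
shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
      ;;
    reject)
      printf '%s\n' "$1: $1 <address> ...
Causes packets from the specified <address> to be rejected
shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
      ;;
    reset)
      printf '%s\n' "reset: reset
All the packet and byte counters in the firewall are reset."
      ;;
    restart)
      printf '%s\n' "restart: restart [ -n ] [ <configuration-directory> ]
Restart is the same as a shorewall-lite stop && shorewall-lite start.
Existing connections are maintained.
If \"-n\" is specified, no changes to routing will be made"
      ;;
    restore)
      printf '%s\n' "restore: restore [ -n ] [ <file name> ]
Restore Shorewall to a state saved using the 'save' command
Existing connections are maintained. The <file name> names a restore file in
/var/lib/shorewall-lite created using \"shorewall-lite save\"; if no
<file name> is given then Shorewall Lite will be restored from the file
specified by the RESTOREFILE option in shorewall.conf.
If \"-n\" is specified, no changes to routing will be made.
See also \"help save\", \"help compile\" and \"help forget\""
      ;;
    save)
      printf '%s\n' "save: save [ <file name> ]
The dynamic data is stored in /var/lib/shorewall-lite/save. The state of the
firewall is stored in /var/lib/shorewall-lite/<file name> for use by the 'shorewall-lite restore'
and 'shorewall-lite -f start' commands. If <file name> is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf.
shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help restore\" and \"help forget\""
      ;;
    show)
      printf '%s\n' "show: show [ <chain> [ <chain> ...] |actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones]
shorewall-lite [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v)
shorewall-lite [-x] show mangle - produce a verbose report about the mangle table.
(iptables -t mangle -L -n -v)
shorewall-lite [-x] show nat - produce a verbose report about the nat table.
(iptables -t nat -L -n -v)
shorewall-lite show [ -m ] log - display the last 20 packet log entries. If \"-m\" is specified, then
MAC addresses in the log entries (if any) are displayed.
shorewall-lite show connections - displays the IP connections currently
being tracked by the firewall.
shorewall-lite show tc - displays information about the traffic
control/shaping configuration.
shorewall-lite show zones - displays the contents of all zones.
shorewall-lite show - [ -f ] capabilities - displays your kernel/iptables capabilities. When \"-f\" is
specified, then the output is suitable for use as /etc/shorewall/capabilities on your administrative
system.
shorewall-lite show config - displays the default CONFIG_PATH and LITEDIR for your distribution
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
      ;;
    start)
      printf '%s\n' "start: start [ -f ] [ -n ] [ <configuration-directory> ]
Start Shorewall Lite. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies.
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
in shorewall.conf will be restored if that saved configuration exists. In that
case, a <configuration-directory> may not be specified.
If \"-n\" is specified, no changes to routing will be made."
      ;;
    stop)
      printf '%s\n' "stop: stop
Stops the firewall. All existing connections, except those
listed in routestopped, are taken down.
The only new traffic permitted through the firewall
is from systems listed in routestopped."
      ;;
    status)
      printf '%s\n' "status: status
shorewall-lite status
Displays the Shorewall Lite status (running/not-running).
Also displays the Shorewall Lite state as shown in the state diagram at
http://www.shorewall.net/starting_and_stopping_shorewall. The time and
date when that state was reached is also displayed."
      ;;
    trace)
      printf '%s\n' "trace: trace
If you include the keyword trace as the first argument to any
of these commands:
start|stop|restart|reset|clear
then a shell trace of the command is produced. For example:
shorewall-lite trace start 2> /tmp/trace
The above command would trace the 'start' command and
place the trace information in the file /tmp/trace.
The word 'debug' is a synonym for 'trace'."
      ;;
    version)
      printf '%s\n' "version: version
Show the current Shorewall Lite version which is: $version"
      ;;
    *)
      # Caller-supplied text is printed verbatim via %s, never as a format.
      printf '%s\n' "$1: $1 is not recognized by the help command"
      ;;
  esac
}

help_topic "$1"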
exit 0 # always ok