SecurePlatform Shell
This section includes a complete listing of the SecurePlatform shell commands. These commands are required for configuration, administration and diagnostics of various system aspects.
Note - All commands are case sensitive.
Command Shell
Command Set
To display a list of available commands, enter ? or help at the command prompt. Many commands print short usage instructions when run with the --help parameter or with no parameters.
Command Line Editing
The SecurePlatform Command Shell uses standard command line editing conventions. You can scroll through previously entered commands with the up and down arrow keys. When you reach a command you want to use, edit it if needed and press Enter to run it. The audit command displays the history of commands entered at the command prompt (see audit):
Key | Action
Right Arrow / ^f | Move cursor right
Left Arrow / ^b | Move cursor left
Home / ^a | Move cursor to beginning of line
End / ^e | Move cursor to end of line
Backspace / ^h | Delete last character
^d | Delete character under the cursor
^u | Delete line
^w | Delete word to the left
^k | Delete from cursor to end of line
Up Arrow / ^p | View previous command
Down Arrow / ^n | View next command
Command Output
Some command output does not fit on one screen. By default, the Command Shell displays one screen at a time and prompts with -More-. Press any key to display the rest of the output.
The More functionality can be turned on or off, using the scroll command.
Management Commands
exit
Exit the current Mode:
- In Standard Mode, exit the shell (logout of the SecurePlatform system)
- In Expert Mode, exit to Standard Mode
Syntax
exit
expert
Switch from Standard Mode to Expert Mode.
Syntax
expert
Description
After entering the expert command, supply the Expert Mode password. After the password is verified, you are transferred to Expert Mode.
passwd
The passwd command can be run in both modes. In Standard Mode it changes the login password. In Expert Mode it changes the Expert Mode password, which is also the boot loader password. The first time you enter Expert Mode you are prompted for the Expert Mode password; initially this is the Standard Mode password you set when you first logged in as the admin user (the first replacement password). Later changes to the admin password do not update the Expert Mode password, so that initial password remains the one you must supply until you run passwd in Expert Mode. After the Expert Mode password is changed, the new password must be used to obtain Expert Mode access. Because the Expert Mode password also protects the boot loader, set it to a value distinct from the admin login password.
Syntax
passwd
Documentation Commands
help
List the available commands and their respective descriptions.
Syntax
help
Date and Time Commands
date
Show or set the system date. Changing the date or time also changes the hardware clock. With no parameter, the current date is shown.
Syntax
date [MM-DD-YYYY]
Parameters
Date Parameters
Parameter | Description
MM-DD-YYYY | The date to be set: the first two digits (MM) are the month [01..12], the next two (DD) are the day of month [01..31], and the last four (YYYY) are the year
time
Show or set the system time. Changing the date or time also changes the hardware clock. With no parameter, the current time is shown.
Syntax
time [HH:MM]
Parameters
Time Parameters
Parameter | Description
HH:MM | The time to be set: the first two digits (HH) are the hour [00..23], the last two (MM) are the minute [00..59]
timezone
Set the system time zone.
Syntax
timezone [-show | --help]
Parameters
Time Zone Parameters
Parameter | Description
(none) | If no parameter is given, an interactive time zone selection menu is displayed
-show | Show the currently selected time zone
--help | Show usage message
ntp
Configure and start the Network Time Protocol polling client.
Syntax
ntp <MD5_secret> <interval> <server1> [<server2> [<server3>]]
ntp -n <interval> <server1> [<server2> [<server3>]]
Parameters
ntp Parameters
Parameter | Description
MD5_secret | Pre-shared secret used to authenticate the NTP servers (symmetric-key MD5 authentication). Use -n in its place when authentication is not required; without it the client accepts time from any host that can answer as the configured server.
interval | Polling interval, in seconds
server[1,2,3] | IP address or resolvable name of an NTP server
ntpstop
Stop polling the NTP server.
Syntax
ntpstop
ntpstart
Start polling the NTP server.
Syntax
ntpstart
System Commands
audit
Display or clear the commands entered in the shell during the current session. The audit history is not kept between sessions.
Syntax
audit setlines <number_of_lines>
audit show <number_of_lines>
audit clear
Parameters
Audit Parameters
Parameter | Description
setlines <number_of_lines> | Restrict the length of the command history that can be shown to <number_of_lines>
show <number_of_lines> | Show the <number_of_lines> most recent commands entered
clear | Clear the command history
Note - Passwords and secrets given on the command line (for example to ntp, backup --scp, restore --scp or patch add scp) are recorded in this history as part of the command, and can be read by anyone with access to the session until it ends or audit clear is run.
backup
Backup the system configuration. You can also copy backup files to a number of SCP, FTP and TFTP servers for improved robustness of the backup. The backup command run by itself, without any additional flags, uses the default backup settings and performs a local backup.
Syntax
backup [-h] [-d] [-l] [--purge DAYS] [--sched [on hh:mm <-m DayOfMonth> | <-w DaysOfWeek>] | off]
[--tftp <ServerIP> [-path <Path>] [<Filename>]]
[--scp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]]
[--ftp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>]]
[--file [-path <Path>] [<Filename>]]
Parameters
Backup Parameters
Parameter | Description
-h | Obtain usage
-d | Debug flag
-l | Also back up the Check Point Security Gateway logs (by default, logs are not backed up)
--purge DAYS (or -p DAYS) | Delete backups from previous backup attempts that are older than DAYS days
--sched on hh:mm -m DayOfMonth, --sched on hh:mm -w DaysOfWeek, or --sched off | Schedule the backup: on runs it at the given time on the given day of the month or days of the week; off disables the schedule
--tftp <ServerIP> [-path <Path>] [<Filename>] | TFTP server to which the configuration is backed up, with an optional path and filename. The flag may be repeated for several servers.
--scp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>] | SCP server to which the configuration is backed up, the username and password used to access it, and an optional path and filename. The flag may be repeated for several servers.
--ftp <ServerIP> <Username> <Password> [-path <Path>] [<Filename>] | FTP server to which the configuration is backed up, the username and password used to access it, and an optional path and filename. The flag may be repeated for several servers.
--file [-path <Path>] [<Filename>] | Back up locally, with an optional path and filename (the default directory is /var/CPbackup/backups)
Note - If a Filename is not specified, a default name is generated in the format backup_<hostname.domain-name>_<day of month>_<month>_<year>_<hour>_<minutes>.tgz
For example: backup_gateway1.mydomain.com_13_11_2003_12_47.tgz
Note - The backup archive contains the system configuration, so treat it as sensitive. TFTP and FTP transfer it without encryption, and the SCP and FTP passwords are given in cleartext on the command line (and therefore appear in the session audit history). Prefer --scp with a dedicated backup account where possible.
Examples
backup --file -path /tmp filename
Puts the backup file in the local /tmp directory and names it filename.
backup --tftp <ip1> -path tmp --tftp <ip2> -path var file1 --scp <ip3> username1 password1 -path /bin file2 --file file3 --scp <ip4> username2 password2 file4 --scp <ip5> username3 password3 -path mybackup
The backup file is saved on:
- the TFTP server with address ip1, in the tmp directory (under the TFTP server default directory, usually /tftproot) with the default file name backup_SystemName_TimeStamp.tgz
- the TFTP server with address ip2, in the var directory (under the TFTP server default directory, usually /tftproot) as file1
- the SCP server with address ip3, in /bin as file2
- locally, in the default directory (/var/CPbackup/backups) as file3
- the SCP server with address ip4, in the home directory of username2 as file4
- the SCP server with address ip5, in ~username3/mybackup/ with the default backup file name
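As an added example (not part of the original documentation or of SecurePlatform itself), the following Python code runs on the SCP, FTP or TFTP destination and parses the default backup filename format described above. It gives the two checks a practitioner wants around scheduled backups: which files a --purge DAYS policy would remove, and whether each gateway has delivered a recent backup. The sample filenames, the fixed clock and the regular expression are constructed for the illustration; custom filenames carry no date and are deliberately left alone.

```python
import re
from datetime import datetime, timedelta

# Default SecurePlatform backup name (see the Note above):
#   backup_<hostname.domain-name>_<day>_<month>_<year>_<hour>_<minutes>.tgz
# The host part contains dots and may contain underscores, so the five
# numeric fields are anchored from the right instead of splitting on '_'.
_BACKUP_RE = re.compile(
    r"^backup_(?P<host>.+)_(?P<day>\d{1,2})_(?P<month>\d{1,2})_(?P<year>\d{4})"
    r"_(?P<hour>\d{1,2})_(?P<minute>\d{1,2})\.tgz$"
)

# Constructed sample listing of a backup destination directory.
SAMPLE_NAMES = [
    "backup_gateway1.mydomain.com_13_11_2003_12_47.tgz",
    "backup_gateway1.mydomain.com_18_11_2003_12_47.tgz",
    "backup_gw2.mydomain.com_01_11_2003_03_05.tgz",
    "file3",                                        # custom <Filename>
    "backup_bad.example.com_31_11_2003_12_47.tgz",  # impossible date
]
SAMPLE_NOW = datetime(2003, 11, 20, 9, 0)  # fixed clock for the example


def parse_backup_name(name):
    """Return (hostname, timestamp) for a default-named backup, or None when
    the name is custom or its date fields do not form a valid timestamp."""
    m = _BACKUP_RE.match(name)
    if not m:
        return None
    try:
        ts = datetime(int(m.group("year")), int(m.group("month")),
                      int(m.group("day")), int(m.group("hour")),
                      int(m.group("minute")))
    except ValueError:  # e.g. day 31 in November
        return None
    return m.group("host"), ts


def select_for_purge(names, days, now):
    """Model --purge DAYS on the destination: default-named backups older
    than 'days' days as of 'now'. Custom names carry no date, so they are
    never selected and must be reviewed by hand."""
    cutoff = now - timedelta(days=days)
    purge = []
    for name in names:
        parsed = parse_backup_name(name)
        if parsed is not None and parsed[1] < cutoff:
            purge.append(name)
    return purge


def newest_per_host(names):
    """Most recent default-named backup per host, so a monitoring job can
    alert when a gateway stops delivering its scheduled backup."""
    newest = {}
    for name in names:
        parsed = parse_backup_name(name)
        if parsed is None:
            continue
        host, ts = parsed
        if host not in newest or ts > newest[host][1]:
            newest[host] = (name, ts)
    return {host: entry[0] for host, entry in newest.items()}


if __name__ == "__main__":
    print("would purge:", select_for_purge(SAMPLE_NAMES, 5, SAMPLE_NOW))
    print("newest per host:", newest_per_host(SAMPLE_NAMES))
```

Point the two functions at an os.listdir() of the real destination directory and the current time to use them against live data; a gateway whose newest entry is older than the schedule interval has stopped delivering.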
reboot
Restart the system.
Syntax
reboot
patch
Apply an upgrade or hotfix file.
Note - See the Release Notes for information about when to replace the patch utility with a more recent version.
Syntax
patch add scp <ip_address> <patch_name> [password (in expert mode)]
patch add tftp <ip_address> <patch_name>
patch add cd <patch_name>
patch add <full_patch_path>
patch log
Parameters
Parameter | Description
add | Install a new patch
log | List all patches installed
scp | Install from an SCP server
cd | Install from the CD/DVD drive
tftp | Install from a TFTP server
ip_address | IP address of the SCP or TFTP server containing the patch
patch_name | The name of the patch to be installed
password | SCP password; it can be given on the command line in Expert Mode only
full_patch_path | The full path of a patch file already on the system (for example, /var/tmp/mypatch.tgz)
restore
Restore the system configuration.
Syntax
restore [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--ftp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]
Parameters
Parameter | Description
-h | Obtain usage
-d | Debug flag
--tftp <ServerIP> <Filename> | IP address of the TFTP server from which the configuration is restored, and the filename
--scp <ServerIP> <Username> <Password> <Filename> | IP address of the SCP server from which the configuration is restored, the username and password used to access it, and the filename
--ftp <ServerIP> <Username> <Password> <Filename> | IP address of the FTP server from which the configuration is restored, the username and password used to access it, and the filename
--file <Filename> | Filename of a local backup to restore
When the restore command is run by itself, without any additional flags, a menu of options is displayed. The menu options provide the same functionality as the command line flags:
Choose one of the following:
-----------------------------------------------------------
[L] Restore local backup package
[T] Restore backup package from TFTP server
[S] Restore backup package from SCP server
[V] Restore backup package from FTP server
[R] Remove local backup package
[Q] Quit
-----------------------------------------------------------
Select the operation of your choice.
shutdown
Shut down the system.
Syntax
shutdown
ver
Display the SecurePlatform system version.
Syntax
ver
Snapshot Image Management
Commands are available to take a snapshot of the entire system and to restore the system from a snapshot. The system can be restored at any time, and at boot time the administrator is given the option of booting from any of the available snapshots. This feature greatly reduces the risk of configuration changes.
The snapshot and revert commands can store snapshots on a TFTP server, an SCP server or an FTP server. Alternatively, snapshots can be stored locally.
Note - The time it takes to perform a snapshot or revert depends on the amount of data (for example, logs) that is stored or restored. For example, a snapshot or revert of a Security Management Server, Log Server or Multi-Domain Security Management server may take between 90 and 120 minutes.
revert
Reboot the system from a snapshot file. The revert command run by itself, without any additional flags, uses the default settings and reboots the system from a local snapshot.
Syntax
revert [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--ftp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]
Parameters
Revert Parameters
Parameter | Description
-h | Obtain usage
-d | Debug flag
--tftp <ServerIP> <Filename> | IP address of the TFTP server from which the snapshot is retrieved, and the filename of the snapshot
--scp <ServerIP> <Username> <Password> <Filename> | IP address of the SCP server from which the snapshot is retrieved, the username and password used to access it, and the filename of the snapshot
--ftp <ServerIP> <Username> <Password> <Filename> | IP address of the FTP server from which the snapshot is retrieved, the username and password used to access it, and the filename of the snapshot
--file <Filename> | Filename of a local snapshot to revert to
The revert command functionality can also be accessed from the Snapshot image management boot option.
snapshot
This command creates a snapshot file. The snapshot command run by itself, without any additional flags, uses the default settings and creates a local snapshot.
Syntax
snapshot [-h] [-d] [[--tftp <ServerIP> <Filename>] | [--scp <ServerIP> <Username> <Password> <Filename>] | [--ftp <ServerIP> <Username> <Password> <Filename>] | [--file <Filename>]]
Parameters
Snapshot Parameters
Parameter | Description
-h | Obtain usage
-d | Debug flag
--tftp <ServerIP> <Filename> | IP address of the TFTP server to which the snapshot is sent, and the filename of the snapshot
--scp <ServerIP> <Username> <Password> <Filename> | IP address of the SCP server to which the snapshot is sent, the username and password used to access it, and the filename of the snapshot
--ftp <ServerIP> <Username> <Password> <Filename> | IP address of the FTP server to which the snapshot is sent, the username and password used to access it, and the filename of the snapshot
--file <Filename> | Filename for a snapshot stored locally
System Diagnostic Commands
diag
Display or send the system diagnostic information (diag files).
Syntax
diag <log_file_name> tftp <tftp_host_ip_address>
Parameters
Diag Parameters
Parameter | Description
log_file_name | Name of the log file to be sent
tftp | Use TFTP to upload the diagnostic information (other upload methods may be added in the future)
tftp_host_ip_address | IP address of the host that is to receive the diagnostic information
log
Shows the list of available log files, applies or removes log rotation parameters, and displays the last lines of a selected log file.
Syntax
log --help
log list
log limit <log-index> <max-size> <backlog-copies>
log unlimit <log-index>
log show <log-index> [<lines>]
Parameters
Log Parameters
Parameter | Description
list | Show the list of available log files
limit | Apply log rotation parameters to a log file
unlimit | Remove the size limitation from a log file
log-index | Index of the log file in the output of log list
max-size | Maximum size of the log file, in bytes, before it is rotated
backlog-copies | Number of rotated copies of the log file to keep
lines | Number of lines of the log to display
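The rotation policy that log limit <log-index> <max-size> <backlog-copies> expresses is shown here as an added Python example, not code from SecurePlatform: once the active file exceeds max-size bytes it becomes <file>.1, earlier copies shift to .2, .3 and so on, and anything beyond backlog-copies is discarded. The .N naming scheme and the assumption that the size check runs after each append are mine; the sample log line is constructed. The point worth seeing is the edge handling: a backlog of zero simply truncates, and the oldest copy is removed before the shift so the chain never grows past the limit.

```python
import os
import shutil
import tempfile

# Constructed sample entry of the kind a system log collects.
SAMPLE_LINE = b"Nov 13 12:47:01 gateway1 login[2048]: FAILED LOGIN 1 FROM 10.0.0.5 FOR admin\n"


def rotate_if_needed(path, max_size, backlog_copies):
    """Rotate 'path' once it exceeds max_size bytes, keeping at most
    backlog_copies rotated files (path.1 newest ... path.N oldest).
    Returns True when a rotation happened."""
    if not os.path.exists(path) or os.path.getsize(path) <= max_size:
        return False
    if backlog_copies <= 0:
        # No history wanted: just truncate the active log.
        open(path, "w").close()
        return True
    # Drop the oldest copy first, then shift path.(N-1) -> path.N ... path.1 -> path.2
    oldest = "%s.%d" % (path, backlog_copies)
    if os.path.exists(oldest):
        os.remove(oldest)
    for n in range(backlog_copies - 1, 0, -1):
        src = "%s.%d" % (path, n)
        if os.path.exists(src):
            os.replace(src, "%s.%d" % (path, n + 1))
    os.replace(path, "%s.%d" % (path, 1))
    open(path, "w").close()  # start a fresh, empty active log
    return True


def existing_copies(path):
    """Rotated copies that currently exist for 'path', newest first."""
    found = []
    n = 1
    while os.path.exists("%s.%d" % (path, n)):
        found.append("%s.%d" % (path, n))
        n += 1
    return found


def simulate(max_size, backlog_copies, writes):
    """Append each byte string in 'writes' to a scratch log, applying the
    limit after every append. Returns (rotations, copies_remaining)."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "messages")
    rotations = 0
    try:
        for chunk in writes:
            with open(path, "ab") as f:
                f.write(chunk)
            if rotate_if_needed(path, max_size, backlog_copies):
                rotations += 1
        return rotations, len(existing_copies(path))
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    # Six appends against a limit that holds one line but not two:
    # rotations on the 2nd, 4th and 6th append, two copies kept.
    print(simulate(len(SAMPLE_LINE) + 10, 2, [SAMPLE_LINE] * 6))
```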
top
Display the top 15 processes on the system and periodically update this information. Raw CPU percentage is used to rank the processes.
Syntax
top
Software Blade Commands
For information about Software Blade commands, see the R77 Command Line Interface Reference Guide.
Network Diagnostics Commands
ping
Send ICMP ECHO_REQUEST packets to network hosts.
Syntax
ping [-dfnqrvR] [-c count] [-i wait] [-l preload] [-p pattern] [-s packetsize] host
Parameters
ping Parameters
Parameter | Description
-c count | Stop after sending (and receiving) count ECHO_RESPONSE packets
-d | Set the SO_DEBUG option on the socket being used
-f | Flood ping. Outputs packets as fast as they come back, or one hundred times per second, whichever is greater. For every ECHO_REQUEST sent a period (.) is printed, and for every ECHO_REPLY received a backspace is printed, giving a rapid display of how many packets are being dropped. Only the super-user may use this option. It can place a very heavy load on a network and should be used with caution.
-i wait | Wait wait seconds between sending each packet. The default is one second. This option is incompatible with -f.
-l preload | If preload is specified, ping sends that many packets as fast as possible before falling into its normal mode of behaviour. Only the super-user may use this option.
-n | Numeric output only. No attempt is made to look up symbolic names for host addresses.
-p pattern | Specify up to 16 pad bytes to fill out the packet. This is useful for diagnosing data-dependent problems in a network. For example, -p ff fills the sent packet with all ones.
-q | Quiet output. Nothing is displayed except the summary lines at startup and on finish.
-R | Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and displays the route buffer on returned packets. The IP header is only large enough for nine such routes, and many hosts ignore or discard this option.
-r | Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly attached network, an error is returned. This option can be used to ping a local host through an interface that has no route through it.
-s packetsize | Number of data bytes to be sent. The default is 56, which becomes 64 ICMP data bytes when combined with the 8 bytes of ICMP header.
-v | Verbose output. Lists ICMP packets other than ECHO_RESPONSE that are received.
traceroute
Tracking the route a packet follows (or finding the gateway that is discarding your packets) can be difficult. Traceroute uses the IP 'time to live' field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to a designated host.
Syntax
traceroute [-dFInrvx] [-f first_ttl] [-g gateway] [-i iface] [-m max_ttl] [-p port] [-q nqueries] [-s src_addr] [-t tos] [-w waittime] host [packetlen]
Parameters
traceroute Parameters
Parameter | Description
-f first_ttl | Set the initial time-to-live used in the first outgoing probe packet
-F | Set the "don't fragment" bit
-d | Enable socket level debugging
-g gateway | Specify a loose source route gateway (8 maximum)
-i iface | Specify a network interface to obtain the source IP address for outgoing probe packets. This is normally only useful on a multi-homed host. (See the -s flag for another way to do this.)
-I | Use ICMP ECHO instead of UDP datagrams
-m max_ttl | Set the maximum time-to-live (maximum number of hops) used in outgoing probe packets. The default is 30 hops (the same default used for TCP connections).
-n | Print hop addresses numerically rather than symbolically and numerically (saves a name server address-to-name lookup for each gateway found on the path)
-p port | Set the base UDP port number used in probes (default 33434). Traceroute hopes that nothing is listening on UDP ports base to base + nhops - 1 at the destination host, so that an ICMP PORT_UNREACHABLE message is returned to terminate the route tracing. If something is listening on a port in the default range, this option can be used to pick an unused port range.
-q nqueries | Number of probes to send per hop
-r | Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly attached network, an error is returned. This option can be used to trace to a local host through an interface that has no route through it.
-s src_addr | Use the given IP address (usually given as an IP number, not a hostname) as the source address in outgoing probe packets. On multi-homed hosts (those with more than one IP address) this option can be used to force the source address to be something other than the IP address of the interface the probe packet is sent on. If the IP address is not one of this machine's interface addresses, an error is returned and nothing is sent. (See the -i flag for another way to do this.)
-t tos | Set the type-of-service in probe packets to the given value (default zero). The value must be a decimal integer in the range 0 to 255. This option can be used to see if different types of service result in different paths. (If you are not running 4.4BSD this may be inapplicable, since the normal network services like telnet and ftp don't let you control the TOS.) Not all values of TOS are legal or meaningful; see the IP specification for definitions. Useful values are probably -t 16 (low delay) and -t 8 (high throughput).
-v | Verbose output. Received ICMP packets other than TIME_EXCEEDED and UNREACHABLEs are listed.
-w waittime | Set the time (in seconds) to wait for a response to a probe (default 5 seconds)
-x | Toggle checksums. Normally this prevents traceroute from calculating checksums. In some cases the operating system can overwrite parts of the outgoing packet but not recalculate the checksum (so in some cases the default is not to calculate checksums, and -x causes them to be calculated). Checksums are usually required for the last hop when using ICMP ECHO probes (-I).
netstat
Show network statistics.
Syntax
netstat [-veenNcCF] [<AF>] -r
netstat {-V|--version|-h|--help}
netstat [-vnNcaeol] [<Socket> ...]
netstat { [-veenNac] -i | [-cnNe] -M | -s }
Parameters
netstat Parameters
Parameter | Long option | Description
-r | --route | Display routing table
-i | --interfaces | Display interface table
-g | --groups | Display multicast group memberships
-s | --statistics | Display networking statistics (like SNMP)
-M | --masquerade | Display masqueraded connections
-v | --verbose | Be verbose
-n | --numeric | Do not resolve names
-N | --symbolic | Resolve hardware names
-e | --extend | Display other/more information
-p | --programs | Display PID/program name for sockets
-c | --continuous | Continuous listing
-l | --listening | Display listening server sockets
-a | --all, --listening | Display all sockets (default: connected)
-o | --timers | Display timers
-F | --fib | Display Forwarding Information Base (default)
-C | --cache | Display routing cache instead of FIB
<Socket> | | Type of socket, one of: -t/--tcp, -u/--udp, -w/--raw, -x/--unix, --ax25, --ipx, --netrom
-A <AF> | --<AF> | Address family, one of: inet (DARPA Internet), inet6 (IPv6), ax25 (AMPR AX.25), netrom (AMPR NET/ROM), ipx (Novell IPX), ddp (Appletalk DDP)
On a gateway, netstat -lnp (listening sockets, numeric addresses, owning process) is the quickest way to confirm that only the expected services, such as the webui port, are exposed.
Network Configuration Commands
arp
arp manipulates the kernel ARP cache in various ways. The primary options are clearing an address mapping entry and manually setting one up. For debugging purposes, the ARP program also allows a complete dump of the ARP cache.
Syntax
arp [-vn] [-H type] [-i if] -a [hostname]
arp [-v] [-i if] -d hostname [pub]
arp [-v] [-H type] [-i if] -s hostname hw_addr [temp]
arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] pub
arp [-v] [-H type] [-i if] -Ds hostname ifa [netmask nm] pub
arp [-vnD] [-H type] [-i if] -f [filename]
addarp
addarp adds a persistent ARP entry (one that survives a reboot). A persistent entry for the default gateway or the management server pins its MAC address, which blocks ARP spoofing of that host on the local segment, but the entry must be updated whenever that hardware changes.
Syntax
addarp <hostname> <hwaddr>
delarp
delarp removes ARP entries created by addarp.
Syntax
Parameters
arp Parameters
Parameter | Long option | Description
-v | --verbose | Tell the user the details of what is going on
-n | --numeric | Show numerical addresses instead of trying to determine symbolic host, port or user names
-H type | --hw-type type | When setting or reading the ARP cache, this optional parameter tells arp which class of entries it should check for. The default is ether (hardware code 0x01 for IEEE 802.3 10Mbps Ethernet). Other values might include network technologies such as ARCnet (arcnet), PROnet (pronet), AX.25 (ax25) and NET/ROM (netrom).
-a [hostname] | --display [hostname] | Show the entries for the specified host. If hostname is not given, all entries are displayed.
-d hostname | --delete hostname | Remove any entry for the specified host. This can be used, for example, if the indicated host is brought down.
-D | --use-device | Use the hardware address of the interface ifa
-i if | --device if | Select an interface. When dumping the ARP cache, only entries matching the specified interface are printed. When setting a permanent or temp ARP entry, this interface is associated with the entry; if this option is not used, the kernel guesses based on the routing table. For public entries, the specified interface is the one on which ARP requests are answered.
-f filename | --file filename | Similar to the -s option, except that the address information is taken from the file filename. The data file is very often /etc/ethers; if no filename is specified, /etc/ethers is used as the default.
hosts
Show, set or remove hostname to IP-address mappings.
Syntax
hosts add <IP-ADDRESS> <host1> [<host2> ...]
hosts remove <IP-ADDRESS> <host1> [<host2> ...]
hosts
Parameters
hosts Parameters
Parameter | Description
(none) | Running hosts with no parameters displays the current host name to IP address mappings
add <IP-ADDRESS> <host1> [<host2> ...] | Map the listed host names to IP-ADDRESS
remove <IP-ADDRESS> <host1> [<host2> ...] | Remove the listed host names from the mapping for IP-ADDRESS
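The hosts add/remove semantics above are shown here as an added Python example (not the SecurePlatform implementation) that edits an /etc/hosts-style table: names are attached to or detached from an address, an address left with no names is dropped, and a check reports any name mapped to more than one address, which is what a stale or tampered mapping for the management server looks like when read back with hosts. The sample table is constructed; the behaviour for duplicate and unknown names is my choice.

```python
# Constructed sample of the mapping table, in /etc/hosts layout.
SAMPLE_HOSTS = """127.0.0.1 localhost.localdomain localhost
10.0.0.10 mgmt.mydomain.com mgmt
# constructed sample; comments and blank lines are ignored
"""


def parse_hosts(text):
    """Parse /etc/hosts-style text into an ordered list of (ip, [names])."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def hosts_add(entries, ip, names):
    """hosts add <IP-ADDRESS> <host1> [<host2> ...]: attach names to ip,
    creating the entry if needed and skipping names already present."""
    for addr, existing in entries:
        if addr == ip:
            for n in names:
                if n not in existing:
                    existing.append(n)
            return entries
    entries.append((ip, list(dict.fromkeys(names))))  # dedupe, keep order
    return entries


def hosts_remove(entries, ip, names):
    """hosts remove <IP-ADDRESS> <host1> [<host2> ...]: detach names from
    ip; an entry with no names left is deleted. Returns the names that
    were not found so the caller can report them."""
    missing = list(names)
    for i, (addr, existing) in enumerate(entries):
        if addr != ip:
            continue
        for n in names:
            if n in existing:
                existing.remove(n)
                missing.remove(n)
        if not existing:
            del entries[i]
        break
    return missing


def conflicting_names(entries):
    """Names that resolve to more than one address: {name: [ip, ...]}."""
    seen = {}
    for ip, names in entries:
        for n in names:
            ips = seen.setdefault(n, [])
            if ip not in ips:
                ips.append(ip)
    return {n: ips for n, ips in seen.items() if len(ips) > 1}


def render_hosts(entries):
    """Serialise the table back into /etc/hosts layout."""
    return "".join("%s\t%s\n" % (ip, " ".join(names)) for ip, names in entries)


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    hosts_add(table, "10.0.0.20", ["log1.mydomain.com", "log1"])
    hosts_add(table, "192.0.2.7", ["mgmt"])  # second address for 'mgmt'
    print(render_hosts(table))
    print("conflicts:", conflicting_names(table))
```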
ifconfig
Show, configure or store network interfaces settings.
Syntax
ifconfig [-a] [-i] [-v] [-s] <interface> [[<AF>] <address>]
[add <address>[/<prefixlen>]]
[del <address>[/<prefixlen>]]
[[-]broadcast [<address>]] [[-]pointopoint [<address>]]
[netmask <address>] [dstaddr <address>] [tunnel <address>]
[outfill <NN>] [keepalive <NN>]
[hw <HW> <address>] [metric <NN>] [mtu <NN>]
[[-]trailers] [[-]arp] [[-]allmulti]
[multicast] [[-]promisc]
[mem_start <NN>] [io_addr <NN>] [irq <NN>] [media <type>]
[txqueuelen <NN>]
[[-]dynamic]
[up|down]
[--save]
Parameters
ifconfig Parameters
Parameter | Description
interface | The name of the interface. This is usually a driver name followed by a unit number, for example eth0 for the first Ethernet interface.
up | Activate the interface. Implied when an address is assigned to the interface.
down | Shut down the driver for this interface
[-]arp | Enable or disable the use of the ARP protocol on this interface
[-]promisc | Enable or disable promiscuous mode. When enabled, all packets on the network segment are received by the interface; the PROMISC flag in ifconfig output shows whether it is currently set.
[-]allmulti | Enable or disable all-multicast mode. When enabled, all multicast packets on the network are received by the interface.
metric N | Set the interface metric
mtu N | Set the Maximum Transfer Unit (MTU) of the interface
dstaddr addr | Set the remote IP address for a point-to-point link (such as PPP). This keyword is obsolete; use pointopoint instead.
netmask addr | Set the IP network mask for this interface. It defaults to the usual class A, B or C mask derived from the interface IP address, but can be set to any value.
irq addr | Set the interrupt line used by this device. Not all devices can dynamically change their IRQ setting.
io_addr addr | Set the start address in I/O space for this device
mem_start addr | Set the start address for shared memory used by this device. Only a few devices need this.
media type | Set the physical port or medium type used by the device. Not all devices can change this setting, and those that can vary in the values they support. Typical values are 10base2 (thin Ethernet), 10baseT (twisted-pair 10Mbps Ethernet), AUI (external transceiver) and so on. The special type auto tells the driver to auto-sense the media; not all drivers support this.
[-]broadcast [addr] | If an address is given, set the protocol broadcast address for this interface. Otherwise set (or clear) the IFF_BROADCAST flag.
[-]pointopoint [addr] | Enable point-to-point mode, meaning a direct link between two computers with nobody else listening. If an address is given, set the protocol address of the other side of the link, as the obsolete dstaddr keyword does. Otherwise set or clear the IFF_POINTOPOINT flag.
hw class address | Set the hardware address of this interface, if the driver supports it. The keyword must be followed by the hardware class name and the printable ASCII form of the address. Supported classes include ether (Ethernet), ax25 (AMPR AX.25), ARCnet and netrom (AMPR NET/ROM).
multicast | Set the multicast flag on the interface. Normally not needed, as drivers set the flag correctly themselves.
address | The IP address to be assigned to this interface
txqueuelen length | Set the length of the device transmit queue. Small values are useful for slow, high-latency devices (modem links, ISDN) to keep fast bulk transfers from disturbing interactive traffic such as telnet.
--save | Save the interface IP configuration. Not available when UTM-1 is installed.
vconfig
Configure virtual LAN interfaces.
Syntax
vconfig add [interface-name] [vlan_id]
vconfig rem [vlan-name]
The underlying vconfig utility also provides the subcommands that take the remaining parameters described below:
vconfig set_flag [interface-name] [flag-num] [0 | 1]
vconfig set_egress_map [vlan-name] [skb_priority] [vlan_qos]
vconfig set_ingress_map [vlan-name] [skb_priority] [vlan_qos]
vconfig set_name_type [name-type]
Parameters
vconfig Parameters
Parameter | Description
interface-name | The name of the Ethernet card that hosts the VLAN
vlan_id | The identifier of the VLAN. vconfig accepts 0-4095, but IDs 0 and 4095 are reserved by IEEE 802.1Q, so the usable range is 1-4094.
skb_priority | The priority in the socket buffer (sk_buff)
vlan_qos | The 3-bit priority field in the VLAN header
name-type | One of: VLAN_PLUS_VID (e.g. vlan0005), VLAN_PLUS_VID_NO_PAD (e.g. vlan5), DEV_PLUS_VID (e.g. eth0.0005), DEV_PLUS_VID_NO_PAD (e.g. eth0.5)
bind-type | One of: PER_DEVICE (allows vlan 5 on eth0 and eth1 to be unique), PER_KERNEL (forces vlan 5 to be unique across all devices)
flag-num | Either 0 or 1 (REORDER_HDR). If set, the VLAN device moves the Ethernet header around to make it look exactly like a real Ethernet device.
route
Show, configure or save the routing entries.
Syntax
route [-nNvee] [-FC] [<AF>]              List kernel routing tables
route [-v] [-FC] {add|del|flush} ...     Modify the routing table for AF
route {-h|--help} [<AF>]                 Detailed usage syntax for the specified AF
route {-V|--version}                     Display version/author and exit
route --save                             Save the routing configuration
Parameters
route Parameters
Parameter | Long option | Description
-v | --verbose | Be verbose
-n | --numeric | Do not resolve names
-N | --symbolic | Resolve hardware names
-e | --extend | Display other or more information
-F | --fib | Display Forwarding Information Base (default)
-C | --cache | Display routing cache instead of FIB
-A <AF> | --<AF> | Address family, one of: inet (DARPA Internet), inet6 (IPv6), ax25 (AMPR AX.25), netrom (AMPR NET/ROM), ipx (Novell IPX), ddp (Appletalk DDP)
--save | | Save the routing configuration
hostname
Show or set the system host name.
Syntax
hostname [--help]
hostname <host>
hostname <host> <external_ip_address>
Parameters
hostname Parameters
Parameter | Description
(none) | Show the host name
host | New host name
external_ip_address | IP address of the interface to associate with the host name
--help | Show usage message
domainname
Show or set the system domain name.
Syntax
domainname [<domain>]
Parameters
domainname Parameters
Parameter | Description
(none) | Show the domain name
domain | Set the domain name to domain
dns
Add, remove, or show the Domain Name resolving servers.
Syntax
dns [add|del <ip_of_nameserver>]
Parameters
dns Parameters
Parameter | Description
(none) | Show the DNS servers configured
add | Add a new nameserver
del | Delete an existing nameserver
<ip_of_nameserver> | IP address of the nameserver
sysconfig
Interactive script to configure networking and security for the system.
Syntax
sysconfig
webui
webui enables or disables the SecurePlatform Web GUI and sets the port on which its HTTPS server listens for management access.
Syntax
webui enable [https_port]
webui disable
Parameters
webui Parameters
Parameter | Description
enable [https_port] | Enable the Web GUI on port https_port
disable | Disable the Web GUI
User and Administrator Commands
adduser
adduser adds a SecurePlatform administrator. SecurePlatform supports RADIUS authentication for administrators; the -x EXTERNAL_AUTH option designates external authentication for the new administrator.
Syntax
adduser [-x EXTERNAL_AUTH] <user name>
deluser
deluser deletes a SecurePlatform administrator.
Syntax
deluser <user name>
showusers
showusers displays all SecurePlatform administrators.
Syntax
showusers
lockout
Configure automatic lockout of SecurePlatform administrators after repeated failed logins. Lockout limits online password guessing against administrator accounts; it also gives anyone who can reach the login prompt a way to lock an administrator out for lock_period minutes, and unlockuser clears such a lock.
Syntax
lockout enable <attempts> <lock_period>
lockout disable
lockout show
Parameters
lockout Parameters
Parameter | Description
enable <attempts> <lock_period> | Activate lockout after attempts unsuccessful login attempts, and lock the account for lock_period minutes
disable | Disable the lockout feature
show | Display the current lockout settings
unlockuser
Unlock a locked administrator. (See lockout for more information about a locked administrator.)
Syntax
unlockuser <user name>
checkuserlock
Display the lockout status of a SecurePlatform administrator (whether or not the administrator is locked out).
Syntax
checkuserlock <user name>