shorewall_code/STABLE/documentation/starting_and_stopping_shorewall.htm

327 lines
13 KiB
HTML
Raw Normal View History

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Starting and Stopping Shorewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and
Monitoring the Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<p> If you have a permanent internet connection such as DSL or Cable, I
recommend that you start the firewall automatically at boot. Once you
have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run levels
2-5 and stop it in run levels 1 and 6. If you want to configure your
firewall differently from this default, you can
use the "--level" option in chkconfig (see "man chkconfig") or using
your favorite graphical run-level editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<ol>
<li>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled. Note: Users of the .deb package
must edit /etc/default/shorewall and set 'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall in your
/etc/ppp/ip-up.local script. I recommend just placing "shorewall
restart" in that script.</li>
</ol>
<p> </p>
<p> You can manually start and stop Shoreline Firewall using the
"shorewall" shell program. Please refer to the <a
href="file:///vfat/Shorewall-docs/starting_and_stopping_shorewall.htm#StateDiagram">Shorewall
State Diagram</a> is shown at the bottom of this page. </p>
<ul>
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall; the only traffic permitted
through the firewall is from systems listed in
/etc/shorewall/routestopped
(Beginning with version 1.4.7, if ADMINISABSENTMINDED=Yes in
/etc/shorewall/shorewall.conf
then in addition, all existing connections are permitted and any new
connections
originating from the firewall itself are allowed).</li>
<li>shorewall restart - stops the firewall (if it's running) and then
starts it again</li>
<li>shorewall reset - reset the packet and byte counters in the
firewall</li>
<li>shorewall clear - remove all rules and chains installed by
Shoreline Firewall. The firewall is "wide open"</li>
<li>shorewall refresh - refresh the rules involving
the broadcast addresses of firewall interfaces, <a
href="blacklisting_support.htm">the black list</a>, <a
href="traffic_shaping.htm">traffic control rules</a> and <a
href="ECN.html">ECN control rules</a>.</li>
</ul>
If you include the keyword <i>debug</i> as the first argument, then a
shell trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
<p>The above command would trace the 'start' command and place the
trace information
in the file /tmp/trace<br>
</p>
<p>Beginning with version 1.4.7, shorewall can give detailed help about
each of its commands:<br>
</p>
<ul>
<li>shorewall help [ <i>command</i> | host | address ]<br>
</li>
</ul>
<p>The "shorewall" program may also be used to monitor the firewall.</p>
<ul>
<li>shorewall status - produce a verbose report about the firewall
(iptables -L -n -v)</li>
<li>shorewall show <i>chain</i>1 [ <span style="font-style: italic;">chain2
... </span>] - produce a verbose
report about the listed <i>chains </i>(iptables -L <i>chain</i>
-n -v) <span style="font-weight: bold;">Note: </span>You may only
list one chain in the <span style="font-weight: bold;">show</span>
command when running Shorewall version 1.4.6 and earlier.&nbsp; Version
1.4.7 and later allow you to list multiple chains in one command.<br>
</li>
<li>shorewall show nat - produce a verbose report about the nat table
(iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle
table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet
log entries.</li>
<li>shorewall show connections - displays the IP connections
currently being tracked by the firewall.</li>
<li>shorewall show tc - displays information about the traffic
control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall
status, last 20 log entries and nat. When the log entry display
changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about
the Shorewall packet log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of the
zones, interfaces, hosts, rules and policy files.<br>
<br>
<font size="4" color="#ff6666"><b>The "check" command is totally
unsuppored and does not parse and validate the generated iptables
commands. Even though the "check" command completes successfully,
the configuration may fail to start. Problem reports that complain
about
errors that the 'check' command does not detect will not be accepted.<br>
<br>
See the recommended way to make configuration changes described below.</b></font><br>
<br>
</li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ] -
Restart shorewall using the specified configuration and if an error
occurs or if the<i> timeout </i> option is given
and the new configuration has been up for that many seconds then
shorewall is restarted using the standard configuration.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the <a
href="#Conf">LOGFILE </a>and produces an audible alarm when new
Shorewall messages are logged.</li>
</ul>
Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of
commands for dealing with IP addresses and IP address ranges:<br>
<ul>
<li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ]
- displays the network address, broadcast address, network in CIDR
notation and netmask corresponding to the input[s].</li>
<li>shorewall iprange <i>address1-address2</i> - Decomposes the
specified range of IP addresses into the equivalent list of
network/host addresses. <br>
</li>
</ul>
There is a set of commands dealing with <a
href="blacklisting_support.htm">dynamic blacklisting</a>:<br>
<ul>
<li>shorewall drop <i>&lt;ip address list&gt; </i>- causes packets
from the listed IP addresses to be silently dropped by the firewall.</li>
<li>shorewall reject <i>&lt;ip address list&gt; </i>- causes
packets from the listed IP addresses to be rejected by the firewall.</li>
<li>shorewall allow <i>&lt;ip address list&gt; </i>- re-enables
receipt of packets from hosts previously blacklisted by a <i>drop</i>
or <i>reject</i> command.</li>
<li>shorewall save - save the dynamic blacklisting configuration so
that it will be automatically restored the next time that the firewall
is restarted.</li>
<li>show dynamic - displays the dynamic blacklisting chain.<br>
</li>
</ul>
Finally, the "shorewall" program may be used to dynamically alter the
contents of a zone.<br>
<ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
Adds the specified interface (and host if included) to the specified
zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
Deletes the specified interface (and host if included) from the
specified zone.</li>
</ul>
<blockquote>Examples:<br>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24
vpn1</b></font> -- adds the address 192.0.2.24 from interface ipsec0 to
the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
-- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br>
</blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall
check, </b>and <b>shorewall try </b>commands allow you to specify
which <a href="configuration_file_basics.htm#Configs"> Shorewall
configuration</a> to use:</p>
<blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ]
{start|restart|check}<br>
shorewall try <i>configuration-directory</i></p>
</blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that
Shorewall is going to use a file in /etc/shorewall it will first look
in the <i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>,
that file will be used; otherwise, the file in /etc/shorewall will be
used.</p>
<p> When changing the configuration of a production firewall, I
recommend the following:</p>
<ul>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change from /etc/shorewall to
. and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
</ul>
<p> If the configuration starts but doesn't work, just "shorewall
restart" to restore the old configuration. If the new configuration
fails to start, the "try" command will automatically start the old one
for you.</p>
<p> When the new configuration works then just </p>
<ul>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
</ul>
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted
below.<br>
</p>
<div align="center"><img src="images/State_Diagram.png"
alt="(State Diagram)" width="747" height="714" align="middle"> <br>
</div>
<p>&nbsp; <br>
</p>
You will note that the commands that result in state transitions use
the word "firewall" rather than "shorewall". That is because the actual
transitions are done by /usr/share/shorewall/firewall; /sbin/shorewall
runs 'firewall" according to the following table:<br>
<br>
<table cellpadding="2" cellspacing="2" border="1">
<tbody>
<tr>
<td valign="top"><u><b>/sbin/shorewall Command</b><br>
</u></td>
<td valign="top"><u><b>Resulting /usr/share/shorewall/firewall
Command</b><br>
</u></td>
<td valign="top"><u><b>Effect if the Command Succeeds</b><br>
</u></td>
</tr>
<tr>
<td valign="top">shorewall start<br>
</td>
<td valign="top">firewall start<br>
</td>
<td valign="top">The system filters packets based on your current
Shorewall Configuration<br>
</td>
</tr>
<tr>
<td valign="top">shorewall stop<br>
</td>
<td valign="top">firewall stop<br>
</td>
<td valign="top">Only traffic to/from hosts listed in
/etc/shorewall/hosts is passed to/from/through the firewall. For
Shorewall versions beginning
with 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf
then
in addition, all existing connections are retained and all connection
requests
from the firewall are accepted.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall restart<br>
</td>
<td valign="top">firewall restart<br>
</td>
<td valign="top">Logically equivalent to "firewall stop;firewall
start"<br>
</td>
</tr>
<tr>
<td valign="top">shorewall add<br>
</td>
<td valign="top">firewall add<br>
</td>
<td valign="top">Adds a host or subnet to a dynamic zone<br>
</td>
</tr>
<tr>
<td valign="top">shorewall delete<br>
</td>
<td valign="top">firewall delete<br>
</td>
<td valign="top">Deletes a host or subnet from a dynamic zone<br>
</td>
</tr>
<tr>
<td valign="top">shorewall refresh<br>
</td>
<td valign="top">firewall refresh<br>
</td>
<td valign="top">Reloads rules dealing with static blacklisting,
traffic control and ECN.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall clear<br>
</td>
<td valign="top">firewall clear<br>
</td>
<td valign="top">Removes all Shorewall rules, chains, addresses,
routes and ARP entries.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall try<br>
</td>
<td valign="top">firewall -c &lt;new configuration&gt; restart<br>
If unsuccessful then firewall start (standard configuration)<br>
If timeout then firewall restart (standard configuration)<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
<p><font size="2"> Updated 8/25/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<EFBFBD> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
</body>
</html>