mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 06:38:53 +01:00
Update Compiled Program doc
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8513 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 9fd69523a8
commit 119eb3fc76
@ -34,6 +34,13 @@
</legalnotice>
</articleinfo>

<caution>
<para><emphasis role="bold">This article applies to Shorewall 4.0 and
later. If you are running a version of Shorewall earlier than Shorewall
4.0.0-Beta4 or you are not running Shorewall-perl then please see <ulink
url="3.0/NewBridge.html">this article</ulink>.</emphasis></para>
</caution>

<section id="Overview">
<title>Overview</title>

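Review bot: The new caution contradicts itself on the version threshold and its fallback link looks copied from a different article. The first sentence scopes the document to "Shorewall 4.0 and later", the second sends away anyone "earlier than Shorewall 4.0.0-Beta4", so a reader on 4.0.0-Beta1 through Beta3 is told both that the article applies and that it does not; state one threshold. The fallback is `url="3.0/NewBridge.html"`, whose name suggests the bridging article rather than the 3.0 version of this Compiled Programs document, so the reader who most needs the older text is sent to the wrong page; point it at the 3.0 copy of this article. Consider phrasing the whole condition once, e.g. "This article applies to Shorewall-perl 4.0.0-Beta4 and later; for earlier releases, or for Shorewall-shell, see ...".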
@ -73,36 +80,6 @@
will not use the updated script.</para>
</listitem>

<listitem>
<para>With Shorewall 3.2.0 through 3.2.8, the
<filename>params</filename> extension script is executed at
compile time as well as at run time.</para>

<para>Running the script at compile time allows variable
expansion (expanding $variable to its defined value) of
variables used in Shorewall configuration files to occur at
compile time. Running it at run-time allows your extension
scripts to use the variables that it creates. BUT -- for any
given variable, the value at compile time may be different from
the value at run-time unless you only assign constant
values.</para>

<para>For example, if you have:</para>

<programlisting>EXT_IP=$(find_first_interface_address eth0)</programlisting>

<para>in <filename>/etc/shorewall/params</filename> then all
occurrences of $EXT_IP in Shorewall configuration files will be
replaced with eth0's IP address when the program is being
compiled. On the other hand, if you use $EXT_IP in your start
script, the value will be the IP address of eth0 when the
program is run.</para>

<para>Bottom line: You probably want to use only constant values
for variables set in
<filename>/etc/shorewall/params</filename>.</para>
</listitem>

<listitem>
<para>Beginning with Shorewall 3.2.9 and 3.4.0 RC2, the
<filename>params</filename> file is only processed at compile
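Review bot: The surviving list item still opens "Beginning with Shorewall 3.2.9 and 3.4.0 RC2, the <filename>params</filename> file is only processed at compile", although the caution added at the top of this commit restricts the article to Shorewall 4.0 and later; with the 3.2.0 through 3.2.8 item gone, that qualifier is dead text and the item should simply describe current behaviour. One sentence of the removed text is worth carrying over: a value computed in params (the `$(find_first_interface_address eth0)` example) is frozen into the compiled script at compile time, so anything that depends on host state at that moment can silently differ from what the firewall sees at run time. The remaining item tells the reader to use the init extension script for run-time values but no longer says why.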
@ -211,13 +188,6 @@
<section id="Lite">
<title>Shorewall Lite (Added in version 3.2.0 RC 1)</title>

<important>
<para>The following information applies to <emphasis
role="bold">Shorewall 3.2.2 and later</emphasis>. Users running versions
of Shorewall and Shorewall Lite earlier than 3.2.2 are urged to
upgrade.</para>
</important>

<para>Shorewall Lite is a companion product to Shorewall and is designed
to allow you to maintain all Shorewall configuration information on a
single system within your network.</para>
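Review bot: Dropping the 3.2.2 note is consistent with the new 4.0 caution, but the section title on the line above it still carries "(Added in version 3.2.0 RC 1)"; since this commit removes every other pre-4.0 version reference, either drop that parenthetical too or keep all of them as history, not half.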
@ -237,7 +207,7 @@
by all users on the administrative system. Not all packages secure
the files that way and you may have to change the file permissions
yourself. /sbin/shorewall uses the SHOREWALL_COMPILER setting to
determine which compiler to lanuch. If the compiler is
determine which compiler to launch. If the compiler is
shorewall-shell, then the SHOREWALL_SHELL setting from
<filename>/etc/shorewall/shorewall.conf</filename> determines the
shell to use. /sbin/shorewall also uses the VERBOSITY setting for
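Review bot: The typo fix is correct; while this paragraph is being touched, the instruction just above it is too vague to act on: "Not all packages secure the files that way and you may have to change the file permissions yourself" names neither the files nor the intended mode. The export directory holds the complete rule set for a remote firewall and, per the params trick later in this document, may contain commands that run as root on it over ssh, so say explicitly that the export directory and everything in it must not be readable by other users on the administrative system (for example mode 0700 on the directory) and that the reader should confirm this with `ls -ld` after installing the package.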
@ -326,45 +296,22 @@
</listitem>

<listitem>
<para>If you are running Shorewall 3.2.5 or earlier then:</para>

<blockquote>
<programlisting><command>cd <export directory></command>
<command>/sbin/shorewall load firewall</command></programlisting>

<para>The <ulink
url="manpages/shorewall.html"><command>load</command></ulink>
command compiles a firewall script from the configuration files
in the current working directory (using <command>shorewall
compile -e</command>), copies that file to the remote system via
scp and starts Shorewall Lite on the remote system via
ssh.</para>

<para>Example (firewall's DNS name is 'gateway'):</para>

<para><command>/sbin/shorewall load gateway</command></para>
</blockquote>

<para>If you are running Shorewall 3.2.6 or later then:</para>

<blockquote>
<programlisting><command>cd <export directory></command>
<command>/sbin/shorewall load -c firewall</command></programlisting>

<para>The <ulink
url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
command compiles a firewall script from the configuration files
in the current working directory (using <command>shorewall
compile -e</command>), copies that file to the remote system via
scp and starts Shorewall Lite on the remote system via ssh. The
-c option causes the capabilities of the remote system to be
generated and copied to a file named capabilities in the export
directory. See <link linkend="Shorecap">below</link>.</para>
command compiles a firewall script from the configuration files in
the current working directory (using <command>shorewall compile
-e</command>), copies that file to the remote system via scp and
starts Shorewall Lite on the remote system via ssh. The -c option
causes the capabilities of the remote system to be generated and
copied to a file named capabilities in the export directory. See
<link linkend="Shorecap">below</link>.</para>

<para>Example (firewall's DNS name is 'gateway'):</para>

<para><command>/sbin/shorewall load -c gateway</command></para>
</blockquote>
</listitem>
</orderedlist>
</listitem>
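Review bot: The reflowed paragraph loses nothing, but it should say when the `capabilities` file produced by `-c` goes stale. The script built by `shorewall compile -e` is compiled against the capabilities that `load -c` fetched from the remote system at that moment; after a kernel or iptables upgrade on the firewall the cached file in the export directory no longer describes the target, and the compiler's choice of match extensions and targets is made from that stale description, so the script can fail to load on the firewall or can leave features unused that the firewall now supports. Add a sentence telling the reader to re-run `load -c` (or regenerate the file as described in the Shorecap section linked here) after any such upgrade, and to run plain `load` without `-c` only while the firewall is unchanged.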
@ -496,13 +443,6 @@ clean:
use that file on the firewall system to override some of the settings from
the shorewall.conf file in the export directory.</para>

<important>
<para>In Shorewall 3.2.*, the name of the file was
<filename>/etc/shorewall-lite/shorewall.conf</filename> -- it was
changed to <filename>shorewall-lite.conf</filename> in version
3.4.0.</para>
</important>

<para>Settings that you can override are:</para>

<blockquote>
@ -605,14 +545,6 @@ clean:
startup=1.</para>
</listitem>

<listitem>
<para>If you are running Shorewall 3.2.5 or earlier, then on the
firewall system:</para>

<programlisting><command>/usr/share/shorewall-lite/shorecap > capabilities</command>
<command>scp capabilities <admin system>:<this system's config dir></command></programlisting>
</listitem>

<listitem>
<para>On the administrative system:</para>

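Review bot: Removing this step also removes the only procedure in the document where the firewall pushes to the administrative system (`scp capabilities <admin system>:...`), i.e. the only one that required the firewall host to hold credentials for the admin host. The remaining `load -c` flow keeps every credential on the administrative side, which is the right trust direction for a managed firewall; it is worth one sentence in the Shorecap section saying so, so that nobody reintroduces the push variant when documenting a manual capabilities refresh.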
@ -646,75 +578,25 @@ clean:
<para>If you set variables in the params file, there are a couple of
issues:</para>

<itemizedlist>
<listitem>
<para>With Shorewall 3.2.0 through 3.2.8, the
<filename>params</filename> extension script is executed at
compile time as well as at run time.</para>

<para>Running the script at compile time allows variable
expansion (expanding $variable to its defined value) of
variables used in Shorewall configuration files to occur at
compile time. Running it at run-time allows your extension
scripts to use the variables that it creates. BUT -- for any
given variable, the value at compile time may be different from
the value at run-time unless you only assign constant
values.</para>

<para>For example, if you have:</para>

<programlisting>EXT_IP=$(find_first_interface_address eth0)</programlisting>

<para>in <filename>/etc/shorewall/params</filename> then all
occurrences of $EXT_IP in Shorewall configuration files will be
replaced with eth0's IP address when the program is being
compiled. On the other hand, if you use $EXT_IP in your start
script, the value will be the IP address of eth0 when the
program is run.</para>

<para>Bottom line: You probably want to use only constant values
for variables set in <filename>/etc/shorewall/params</filename>
or upgrade to Shorewall 3.2.9 or later (3.4.0 RC2 or
later).</para>
</listitem>

<listitem>
<para>Beginning with Shorewall 3.2.9 and 3.4.0 RC2, the
<filename>params</filename> file is only processed at compile
time if you set EXPORTPARAMS=No in
<filename>shorewall.conf</filename>. For run-time setting of
shell variables, use the <filename>init</filename> extension
script.</para>
<filename>params</filename> file is only processed at compile time
if you set EXPORTPARAMS=No in <filename>shorewall.conf</filename>.
For run-time setting of shell variables, use the
<filename>init</filename> extension script.</para>

<para>If the <filename>params</filename> file needs to set shell
variables based on the configuration of the firewall system, you
can use this trick:</para>
variables based on the configuration of the firewall system, you can
use this trick:</para>

<programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>

<para>The <command>shorewall-lite call</command> command allows
you to to call interactively any Shorewall function that you can
call in an extension script.</para>
</listitem>
</itemizedlist>
<para>The <command>shorewall-lite call</command> command allows you
to to call interactively any Shorewall function that you can call in
an extension script.</para>

<para>After having made the above changes to the firewall's export
directory, execute the following commands.</para>

<para>For Shorewall version 3.2.5 and earlier:</para>

<blockquote>
<programlisting><command>cd <export directory></command>
<command>/sbin/shorewall load <firewall system></command>
</programlisting>

<para>Example (firewall's DNS name is 'gateway'):</para>

<para><command>/sbin/shorewall load gateway</command></para>
</blockquote>

<para>For Shorewall versions 3.2.6 and later:</para>

<blockquote>
<programlisting><command>cd <export directory></command>
<command>/sbin/shorewall load -c <firewall system></command>
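Review bot: The `ssh root@firewall` trick kept in this hunk needs a failure-mode caveat, and the "you to to call" typo is carried into the reflowed line ("to to call interactively any Shorewall function"). Because params is executed by the compiler, that line opens a root ssh session to the firewall on every `shorewall compile` or `load`, so it needs non-interactive (key or agent based) authentication and the key must live on the administrative host, never the reverse. The correctness problem is what happens when the ssh fails (firewall down, changed host key, wrong key): `$(...)` expands to an empty string, `EXT_IP` is set but empty, and every `$EXT_IP` in the configuration files is substituted with nothing, which silently widens the affected rules instead of stopping the compile. Recommend validating the value immediately after the assignment, for example `[ -n "$EXT_IP" ] || exit 1`, and say what the compiler does when params exits non-zero. Finally, with the 3.2.x item removed, the surviving text still opens "Beginning with Shorewall 3.2.9 and 3.4.0 RC2"; drop that qualifier, since the new caution scopes the article to 4.0 and later.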
@ -877,9 +759,6 @@ CAPVERSION=30405</programlisting>
</simplelist>
</blockquote>

<para>The <command>refresh</command> command was added in Shorewall
3.2.3.</para>

<para>The options have their same meaning is when they are passed to
<filename>/sbin/shorewall</filename> itself. The default VERBOSITY level
is the level specified in the shorewall.conf file used when then program
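Review bot: Two typos sit in the unchanged context lines of this hunk and could be fixed while the paragraph is being touched: "The options have their same meaning is when they are passed to" should read "The options have the same meaning as when they are passed to", and "used when then program" should read "used when the program". Removing the "added in Shorewall 3.2.3" note itself is consistent with the new 4.0 scope.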