diff --git a/Shorewall-init/shorewall-init b/Shorewall-init/shorewall-init
index 89ecdeee9..91ed6d99d 100644
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -24,6 +24,20 @@
# along with this program; if not, see .
#
###############################################################################
+#
+# Check to see if any of the products are running. If so, issue a warning
+# and exits with value 1
+firewall_stopped() {
+ for PRODUCT in $PRODUCTS; do
+ if $PRODUCT status > /dev/null 2>&1; then
+ echo " WARNING: $PRODUCT is running -- ignoring $1 command" >&2
+ return 1
+ fi
+ done
+
+ return 0
+}
+
# set the STATEDIR variable
setstatedir() {
local statedir
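Review bot: The header comment on the new firewall_stopped() says it "exits with value 1", but the function only returns 1 and leaves the exit decision to the caller; the comment should read `# Check to see if any of the products are running. If so, issue a warning` followed by `# and return 1 (the caller decides whether to exit).` PRODUCT is also assigned by the loop without being declared, whereas shorewall_start below declares `local PRODUCT`; adding `local PRODUCT` as the first line of firewall_stopped keeps the two consistent and stops the loop variable leaking into the script's global scope. The `$PRODUCT status > /dev/null 2>&1` probe treats any non-zero status (including a product that is not installed or a command that is absent) as "not running", which is presumably the intended behaviour for an init-time guard, but worth a one-line comment so a reader does not mistake it for a precise running check.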
@@ -42,23 +56,6 @@ setstatedir() {
fi
}
-#
-# This is modified by the installer when ${SHAREDIR} <> /usr/share
-#
-. /usr/share/shorewall/shorewallrc
-
-# check if shorewall-init is configured or not
-if [ -f "$SYSCONFDIR/shorewall-init" ]; then
- . $SYSCONFDIR/shorewall-init
- if [ -z "$PRODUCTS" ]; then
- echo "ERROR: No products configured" >&2
- exit 1
- fi
-else
- echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
- exit 1
-fi
-
# Initialize the firewall
shorewall_start () {
local PRODUCT
@@ -116,12 +113,29 @@ shorewall_stop () {
return 0
}
+#
+# This is modified by the installer when ${SHAREDIR} <> /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+# check if shorewall-init is configured or not
+if [ -f "$SYSCONFDIR/shorewall-init" ]; then
+ . $SYSCONFDIR/shorewall-init
+ if [ -z "$PRODUCTS" ]; then
+ echo "ERROR: No products configured" >&2
+ exit 6
+ fi
+else
+ echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
+ exit 1
+fi
+
case "$1" in
start)
- shorewall_start
+ firewall_stopped 'start' && shorewall_start
;;
stop)
- shorewall_stop
+ firewall_stopped 'stop' && shorewall_stop
;;
*)
echo "Usage: $0 {start|stop}"
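Review bot: The new `firewall_stopped 'start' && shorewall_start` and `firewall_stopped 'stop' && shorewall_stop` arms make the script's overall exit status 1 whenever a product is already running, even though the warning text says the command is being ignored, so an init system will record the warn-and-ignore path as a failure. If ignoring really is the intent, write the arms as `if firewall_stopped 'start'; then shorewall_start; fi` (and likewise for stop), which yields status 0 on the ignored path; if a failure status is intended, the warning wording should say so. Separately, the "No products configured" branch now exits 6 while the "not found" branch two lines later still exits 1; both describe an unconfigured service, so the latter likely wants the same code, and the moved `. $SYSCONFDIR/shorewall-init` should be quoted as `. "$SYSCONFDIR/shorewall-init"` to match the `-f` test above it. The case statement continues past the end of the hunk.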
diff --git a/docs/ipsets.xml b/docs/ipsets.xml
index 4d0027868..6b75a01eb 100644
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -192,11 +192,19 @@ ACCEPT net:+sshok $FW tcp 22
ipv4 ipsets are saved. Both features require ipset version 5 or
later.
+
+ After setting SAVE_IPSETS, it is important to recompile the
+ firewall script (e.g., 'shorewall compile', 'shorewall reload' or
+ 'shorewall restart') before rebooting
+
+
Although Shorewall can save the definition of your ipsets and
restore them when Shorewall starts, in most cases you must use the ipset
utility to initially create and load your ipsets. The exception is that
Shorewall will automatically create an empty iphash ipset to back each
- dynamic zone.
+ dynamic zone. It will also create the ipset required by the
+ DYNAMIC_BLACKLIST=ipset:.. setting in shorewall[6].conf(5),
@@ -220,6 +228,32 @@ ACCEPT net:+sshok $FW tcp 22
the ipsets will be save to and restored from. Shorewall-init will create
any necessary directories during the first 'save' operation.
+
+ If you set SAVE_IPSETS in /etc/sysconfig/shorewall-init
+ (/etc/default/shorewall-init on Debian and derivatives) when
+ shorewall-init has not been started by systemd, then when the system is
+ going down during reboot, the ipset contents will not be saved. You can
+ work around that as follows:
+
+
+
+ Suppose that you have set
+ SAVE_IPSETS=/var/lib/shorewall/init-save-ipsets.
+
+
+
+ Before rebooting, execute this command:
+
+ ipset save > /var/lib/shorewall/init-save-ipsets
+
+
+
+ Be sure to enable shoewall-init (e.g., systemctl enable shorewall-init).
+
+
+
+
If you configure Shorewall-init to save/restore ipsets, be sure to
set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.