extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-26 20:51:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code

Browse Source
This commit is contained in:
Tom Eastep 2020-04-18 09:36:20 -07:00
commit 5101a6be4a
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
2 changed files with 68 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
Shorewall-init/shorewall-init
View File

@ -24,6 +24,20 @@
# along with this program; if not, see <http://www.gnu.org/licenses/>. # along with this program; if not, see <http://www.gnu.org/licenses/>.
# #
############################################################################### ###############################################################################
#
# Check to see if any of the products are running. If so, issue a warning
# and exits with value 1
firewall_stopped() {
for PRODUCT in $PRODUCTS; do
if $PRODUCT status > /dev/null 2>&1; then
echo " WARNING: $PRODUCT is running -- ignoring $1 command" >&2
return 1
fi
done
return 0
}
# set the STATEDIR variable # set the STATEDIR variable
setstatedir() { setstatedir() {
local statedir local statedir
@ -42,23 +56,6 @@ setstatedir() {
fi fi
} }
#
# This is modified by the installer when ${SHAREDIR} <> /usr/share
#
. /usr/share/shorewall/shorewallrc
# check if shorewall-init is configured or not
if [ -f "$SYSCONFDIR/shorewall-init" ]; then
. $SYSCONFDIR/shorewall-init
if [ -z "$PRODUCTS" ]; then
echo "ERROR: No products configured" >&2
exit 1
fi
else
echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
exit 1
fi
# Initialize the firewall # Initialize the firewall
shorewall_start () { shorewall_start () {
local PRODUCT local PRODUCT
@ -116,12 +113,29 @@ shorewall_stop () {
return 0 return 0
} }
#
# This is modified by the installer when ${SHAREDIR} <> /usr/share
#
. /usr/share/shorewall/shorewallrc
# check if shorewall-init is configured or not
if [ -f "$SYSCONFDIR/shorewall-init" ]; then
. $SYSCONFDIR/shorewall-init
if [ -z "$PRODUCTS" ]; then
echo "ERROR: No products configured" >&2
exit 6
fi
else
echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
exit 1
fi
case "$1" in case "$1" in
start) start)
shorewall_start firewall_stopped 'start' && shorewall_start
;; ;;
stop) stop)
shorewall_stop firewall_stopped 'stop' && shorewall_stop
;; ;;
*) *)
echo "Usage: $0 {start|stop}" echo "Usage: $0 {start|stop}"

36
docs/ipsets.xml
View File

@ -192,11 +192,19 @@ ACCEPT net:+sshok $FW tcp 22</programlisting></para>
ipv4 ipsets are saved. Both features require ipset version 5 or ipv4 ipsets are saved. Both features require ipset version 5 or
later.</para> later.</para>
<caution>
<para>After setting SAVE_IPSETS, it is important to recompile the
firewall script (e.g., 'shorewall compile', 'shorewall reload' or
'shorewall restart') before rebooting</para>
</caution>
<para>Although Shorewall can save the definition of your ipsets and <para>Although Shorewall can save the definition of your ipsets and
restore them when Shorewall starts, in most cases you must use the ipset restore them when Shorewall starts, in most cases you must use the ipset
utility to initially create and load your ipsets. The exception is that utility to initially create and load your ipsets. The exception is that
Shorewall will automatically create an empty iphash ipset to back each Shorewall will automatically create an empty iphash ipset to back each
dynamic zone.</para> dynamic zone. It will also create the ipset required by the
DYNAMIC_BLACKLIST=ipset:.. setting in <ulink
url="manpages/shorewall.conf.html">shorewall[6].conf(5)</ulink>,</para>
</section> </section>
<section> <section>
@ -220,6 +228,32 @@ ACCEPT net:+sshok $FW tcp 22</programlisting></para>
the ipsets will be save to and restored from. Shorewall-init will create the ipsets will be save to and restored from. Shorewall-init will create
any necessary directories during the first 'save' operation.</para> any necessary directories during the first 'save' operation.</para>
<caution>
<para>If you set SAVE_IPSETS in /etc/sysconfig/shorewall-init
(/etc/default/shorewall-init on Debian and derivatives) when
shorewall-init has not been started by systemd, then when the system is
going down during reboot, the ipset contents will not be saved. You can
work around that as follows:</para>
<itemizedlist>
<listitem>
<para>Suppose that you have set
SAVE_IPSETS=/var/lib/shorewall/init-save-ipsets.</para>
</listitem>
<listitem>
<para>Before rebooting, execute this command:</para>
<programlisting>ipset save &gt; /var/lib/shorewall/init-save-ipsets</programlisting>
</listitem>
<listitem>
<para>Be sure to enable shoewall-init (e.g., <emphasis
role="bold">systemctl enable shorewall-init</emphasis>).</para>
</listitem>
</itemizedlist>
</caution>
<para>If you configure Shorewall-init to save/restore ipsets, be sure to <para>If you configure Shorewall-init to save/restore ipsets, be sure to
set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.</para> set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.</para>