From 6d8b08339da8115d9dc61be1f458f3aed20f3004 Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 19 Sep 2008 15:59:08 +0000 Subject: [PATCH] Improvements to compiled-program/shorewall-lite doc git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8719 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/CompiledPrograms.xml | 117 +++++++++++++++++++++++--------------- 1 file changed, 72 insertions(+), 45 deletions(-) diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml index 594d467ba..098e8121d 100644 --- a/docs/CompiledPrograms.xml +++ b/docs/CompiledPrograms.xml @@ -198,24 +198,6 @@ network. You need not configure Shorewall there and you may totally disable startup of Shorewall in your init scripts. For ease of reference, we call this system the 'administrative system'. - - - If you want to be able to allow non-root users to manage - remote firewall systems, then the files - /etc/shorewall/params and - /etc/shorewall/shorewall.conf must be readable - by all users on the administrative system. Not all packages secure - the files that way and you may have to change the file permissions - yourself. /sbin/shorewall uses the - SHOREWALL_COMPILER setting to determine which compiler to launch. If - the compiler is shorewall-shell, then the SHOREWALL_SHELL setting - from /etc/shorewall/shorewall.conf determines - the shell to use. /sbin/shorewall also uses the - VERBOSITY setting for determining how much output the compiler - generates. All other settings are taken from the - shorewall.conf file in the remote systems - export directory (see below). - 
@@ -234,13 +216,42 @@ On the administrative system you create a separate 'export directory' for each firewall system. You copy the contents of - /usr/share/shorewall/configfiles - into each export directory. + /usr/share/shorewall/configfiles into + each export directory. - If you are running Debian or one of its derivatives like Ubuntu - then edit /etc/default/shorewall-lite and set + The /etc/shorewall/shorewall.conf file is + used to determine several settings during the compilation process, + even though there is a shorewall.conf file in the export directory. + /sbin/shorewall uses the SHOREWALL_COMPILER + setting from /etc/shorewall/shorewall.conf to + determine which compiler to launch. If the compiler is + shorewall-shell, then the SHOREWALL_SHELL setting from + /etc/shorewall/shorewall.conf determines the + shell to use. /sbin/shorewall also uses the + VERBOSITY setting from + /etc/shorewall/shorewall.conf for determining how + much output the compiler generates. All other settings are taken from + the shorewall.conf file in the remote systems + export directory. + + + If you want to be able to allow non-root users to manage + remote firewall systems, then the files + /etc/shorewall/params and + /etc/shorewall/shorewall.conf must be readable + by all users on the administrative system. Not all packages secure + the files that way and you may have to change the file permissions + yourself. + + + + + On each firewall system, If you are running Debian or one of its + derivatives like Ubuntu then edit + /etc/default/shorewall-lite and set startup=1. @@ -307,7 +318,11 @@ Example (firewall's DNS name is 'gateway'): - /sbin/shorewall load -c gateway + /sbin/shorewall load -c gateway + Although scp and ssh are used by default, you can use + other utilities by setting RSH_COMMAND and RCP_COMMAND in + /etc/shorewall/shorewall.conf. + 
@@ -462,7 +477,9 @@ clean: You will normally not need to touch - /etc/shorewall-lite/shorewall-lite.conf. + /etc/shorewall-lite/shorewall-lite.conf unless you + run Debian or one of its derivatives (see above). The /sbin/shorewall-lite program included with Shorewall Lite supports the same set of commands as the @@ -525,7 +542,8 @@ clean: On the firewall system: Be sure that the IP address of the administrative system is - included in /etc/shorewall/routestopped. + included in the firewall's export directory + routestopped file. shorewall stop @@ -537,8 +555,8 @@ clean: Install Shorewall Lite on the firewall system. If you are running Debian or one of its derivatives like - Ubuntu then edit /etc/default/shorewall-lite and - set startup=1. + Ubuntu then edit /etc/default/shorewall-lite + and set startup=1. @@ -550,10 +568,10 @@ clean: Also, edit the shorewall.conf file in the firewall's export directory and change the CONFIG_PATH setting to - remove /etc/shorewall. You can - replace it with /usr/share/shorewall/configfiles if - you like. + remove /etc/shorewall. You + can replace it with /usr/share/shorewall/configfiles if you + like. Example: @@ -569,7 +587,9 @@ clean: Changing CONFIG_PATH will ensure that subsequent compilations using the export directory will not include any files from /etc/shorewall. + class="directory">/etc/shorewall other than + shorewall.conf and + params. If you set variables in the params file, there are a couple of issues: @@ -608,8 +628,8 @@ clean: command compiles a firewall script from the configuration files in the current working directory (using shorewall compile -e), copies that file to the remote system via - scp and starts Shorewall Lite on the remote system - via ssh. + scp and starts Shorewall Lite on the remote + system via ssh. 
@@ -632,7 +652,8 @@ clean: If the kernel/iptables configuration on the firewall later changes and you need to create a new - capabilities file, do the following: + capabilities file, do the following on the + firewall system: /usr/share/shorewall-lite/shorecap > capabilities scp capabilities <admin system>:<this system's config dir> @@ -650,13 +671,13 @@ clean: program As mentioned above, the - /etc/shorewall/capabilities file specifies that + /etc/shorewall/capabilities file specifies that kernel/iptables capabilities of the target system. Here is a sample file:
# -# Shorewall detected the following iptables/netfilter capabilities - Fri Jul 27 14:22:31 PDT 2007 +# Shorewall detected the following iptables/netfilter capabilities - Tue Jul 15 07:28:12 PDT 2008 # NAT_ENABLED=Yes MANGLE_ENABLED=Yes @@ -666,11 +687,12 @@ CONNTRACK_MATCH=Yes USEPKTTYPE=Yes POLICY_MATCH=Yes PHYSDEV_MATCH=Yes +PHYSDEV_BRIDGE=Yes LENGTH_MATCH=Yes IPRANGE_MATCH=Yes RECENT_MATCH=Yes OWNER_MATCH=Yes -IPSET_MATCH= +IPSET_MATCH=Yes CONNMARK=Yes XCONNMARK=Yes CONNMARK_MATCH=Yes @@ -685,7 +707,11 @@ XMARK=Yes MANGLE_FORWARD=Yes COMMENTS=Yes ADDRTYPE=Yes -CAPVERSION=30405 +TCPMSS_MATCH=Yes +HASHLIMIT_MATCH=Yes +NFQUEUE_TARGET=Yes +REALM_MATCH=Yes +CAPVERSION=40190
As you can see, the file contains a simple list of shell variable @@ -695,8 +721,8 @@ CAPVERSION=30405 To aid in creating this file, Shorewall Lite includes a shorecap program. The program is installed in the - /usr/share/shorewall-lite/ directory - and may be run as follows: + /usr/share/shorewall-lite/ + directory and may be run as follows:
[ IPTABLES=<iptables binary> ] [ @@ -721,7 +747,8 @@ CAPVERSION=30405 Note that unlike the shorecap program, the show capabilities command shows the kernel's current - capabilities; it does not attempt to load additional kernel modules. + capabilities; it does not attempt to load additional kernel + modules.
@@ -760,7 +787,7 @@ CAPVERSION=30405 The options have the same meanings as when they are passed to /sbin/shorewall itself. The default VERBOSITY level - is the level specified in the shorewall.conf file used - when the program was compiled. + is the level specified in the shorewall.conf file + used when the program was compiled.
- + \ No newline at end of file
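Review bot: In the hunk starting at @@ -234,13 +216,42 @@, the relocated paragraph requiring /etc/shorewall/params and /etc/shorewall/shorewall.conf to be readable by all users should carry a short caveat that anything placed in params (see the later "If you set variables in the params file" paragraph) then becomes readable to every local account on the administrative system, so secrets do not belong there. Also, in the new sentence "On each firewall system, If you are running Debian ..." the mid-sentence "If" should be lowercase "if".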
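Review bot: The hunk at @@ -307,7 +318,11 @@ says RSH_COMMAND and RCP_COMMAND are set in /etc/shorewall/shorewall.conf, but the new paragraph added at @@ -234,13 +216,42 @@ states that only SHOREWALL_COMPILER, SHOREWALL_SHELL and VERBOSITY come from that file and that "All other settings are taken from the shorewall.conf file in the remote systems export directory". Either add RSH_COMMAND and RCP_COMMAND to that list or correct the file named here, so the two passages agree on where these settings are read from.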
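Review bot: In the hunk at @@ -525,7 +542,8 @@ the instruction to include the administrative system's IP address in the export directory's routestopped file is immediately followed by "shorewall stop", but the text never says why the entry matters; one sentence noting that a stopped firewall only admits traffic from the addresses listed in routestopped, so an omission here cuts off the administrative connection, would make the step self-explanatory.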
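Review bot: The hunk at @@ -632,7 +652,8 @@ now correctly states that the shorecap step runs on the firewall system, but the scp target is described as "<this system's config dir>" while the rest of the document, including the new text at @@ -234,13 +216,42 @@, calls this the firewall's "export directory" on the administrative system; use the same term here to avoid a second name for the same location.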
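Review bot: The hunk at @@ -650,13 +671,13 @@ rewraps the sentence "/etc/shorewall/capabilities file specifies that kernel/iptables capabilities of the target system" without fixing the typo in it; "specifies that" should read "specifies the". Since the surrounding sample file is being refreshed in the same commit (new date, PHYSDEV_BRIDGE, TCPMSS_MATCH, HASHLIMIT_MATCH, NFQUEUE_TARGET, REALM_MATCH and CAPVERSION=40190), this is the natural place to correct it.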