extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-01 18:39:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add CONFIG_PATH modification step to Shorewall->Lite migration instructions

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4143 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-06-19 15:19:55 +00:00
parent a547820ae9
commit 75550b44c4
1 changed files with 44 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

112
docs/CompiledPrograms.xml
View File

@ -286,10 +286,12 @@
<programlisting><command>cd &lt;configuration directory&gt;</command> <programlisting><command>cd &lt;configuration directory&gt;</command>
<command>/sbin/shorewall load . firewall</command></programlisting> <command>/sbin/shorewall load . firewall</command></programlisting>
<para>The load command compiles a firewall script from the <para>The <ulink
configuration files in the current working directory, copies that url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
file to the remote system via scp and starts Shorewall Lite on the command compiles a firewall script from the configuration files in
remote system via ssh.</para> the current working directory, copies that file to the remote
system via scp and starts Shorewall Lite on the remote system via
ssh.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</listitem> </listitem>
@ -367,6 +369,13 @@
<listitem> <listitem>
<para>Install Shorewall Lite on the firewall system.</para> <para>Install Shorewall Lite on the firewall system.</para>
<para>Modify <filename>/etc/shorewall-lite/shorewall.conf</filename>
as needed.</para>
<para>If you are running Debian or one of its derivatives like
Ubuntu then edit /etc/default/shorewall-lite and set
startup=1.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -383,76 +392,43 @@
administrative system in the firewall system's administrative system in the firewall system's
<filename>routestopped</filename> file.</para> <filename>routestopped</filename> file.</para>
<programlisting><command>cd &lt;configuration directory&gt;</command> <para>Also, edit the shorewall.conf file in the firewall's
<command>/sbin/shorewall compile -e . firewall</command> configuration directory and change the CONFIG_PATH setting to remove
<command>scp firewall root@&lt;firewall system&gt;:/var/lib/shorewall-lite/</command></programlisting> <filename>/etc/shorewall</filename>. You can replace it with
<filename>/usr/share/shorewall/configfiles</filename> if you
<note> like.</para>
<para>The 'firewall' script is in <filename
class="directory">/var/lib/shorewall-lite</filename> in packages
from shorewall.net. The package maintainers for the various
distributions are free to choose the directory where the script
will be stored under their distribution. See the output of
<command>shorewall[-lite] show config</command> for the value of
LITEDIR on your distribution.</para>
<para>Example:</para> <para>Example:</para>
<programlisting>gateway:~ # <command>shorewall-lite show config</command>
Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite
LITEDIR is /var/lib/shorewall-lite
gateway:~ #</programlisting>
</note>
</listitem>
<listitem>
<para>On the firewall system:</para>
<para>Modify <filename>/etc/shorewall-lite/shorewall.conf</filename>
as needed.</para>
<para>If you are running Debian or one of its derivatives like
Ubuntu then edit /etc/default/shorewall-lite and set
startup=1.</para>
<programlisting><command>shorewall-lite start</command></programlisting>
</listitem>
</orderedlist>
</section>
<section>
<title>/sbin/shorewall reload command (Added in 3.2.0 RC4)</title>
<para>The <ulink
url="starting_and_stopping_shorewall.htm#Reload"><command>reload</command>
command</ulink> allows for easy updating of remote firewall systems by a
non-root user. At shorewall.net, I keep my firewall configurations in
sub-directories under ~/Configs. The name of the directory corresponds
to the DNS name of the system.</para>
<para>To recompile the firewall script for the system named gateway and
to install that script on gateway, I issue the following
commands:</para>
<blockquote> <blockquote>
<programlisting>teastep@wookie:~$ <command>cd Configs/gateway</command> <para>Before editing:</para>
teastep@wookie:~/Configs/gateway$ <command>/sbin/shorewall reload gateway</command>
Compiling... <programlisting>CONFIG_PATH=/etc/shorewall:/usr/share/shorewall</programlisting>
Shorewall configuration compiled to ./firewall
Copying ./firewall to gateway:/var/lib/shorewall-lite... <para>After editing:</para>
firewall 100% 67KB 66.7KB/s 00:00
Copy complete <programlisting>CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall</programlisting>
Restarting Shorewall Lite....
done.
System gateway reloaded
teastep@wookie:~/Configs/gateway$</programlisting>
</blockquote> </blockquote>
<para>The user running the <command>reload</command> command must have <para>After having made the above changes to the firewall's
ssh access to the remote system. I use RSA keys and ssh-agent so I don't configuration directory, execute the following commands:</para>
need to enter a password each time the command runs scp or ssh; I only
need to supply the password once when I log onto my desktop <programlisting><command>cd &lt;configuration directory&gt;</command>
system.</para> <command>/sbin/shorewall load &lt;firewall system&gt;</command>
</programlisting>
<para>Example:</para>
<para><command>/sbin/shorewall load gateway</command></para>
<para>The <ulink
url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
command compiles a firewall script from the configuration files in
the current working directory, copies that file to the remote system
via scp and starts Shorewall Lite on the remote system via
ssh.</para>
</listitem>
</orderedlist>
</section> </section>
</section> </section>