Shuffle the Compiled Program article

Tom Eastep 2010-12-12 19:00:15 -08:00
parent ff402dcf09
commit e8b26236e2

@ -5,7 +5,7 @@
<!--$Id$--> <!--$Id$-->
<articleinfo> <articleinfo>
<title>Compiled Firewall Programs and Shorewall Lite</title> <title>Shorewall Lite and Compiled Firewall Programs</title>
<authorgroup> <authorgroup>
<author> <author>
@ -50,122 +50,6 @@
Lite</emphasis> installed and can serve as the firewall creation script Lite</emphasis> installed and can serve as the firewall creation script
for that system.</para> for that system.</para>
<section id="Restrictions">
<title>Restrictions</title>
<para>While compiled Shorewall programs are useful in many cases, there
are some important restrictions that you should be aware of before
attempting to use them.</para>
<orderedlist>
<listitem>
<para>All extension scripts used are copied into the program (with
the exception of <ulink url="shorewall_extension_scripts.htm">those
executed at compile-time by the compiler</ulink>). The ramifications
of this are:</para>
<itemizedlist>
<listitem>
<para>If you update an extension script, the compiled program
will not use the updated script.</para>
</listitem>
<listitem>
<para>The <filename>params</filename> file is only processed at
compile time if you set EXPORTPARAMS=No in
<filename>shorewall.conf</filename>. For run-time setting of
shell variables, use the <filename>init</filename> extension
script. Although the default setting is EXPORTPARAMS=Yes for
compatibility, the recommended setting is
EXPORTPARAMS=No.</para>
<para>If the <filename>params</filename> file needs to set shell
variables based on the configuration of the firewall system, you
can use this trick:</para>
<programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>
<para>The <command>shorewall-lite call</command> command allows
you to to call interactively any Shorewall function that you can
call in an extension script.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>You must install Shorewall Lite on the system where you want
to run the script. You then install the compiled program in
/usr/share/shorewall-lite/firewall and use the /sbin/shorewall-lite
program included with Shorewall Lite to control the firewall just as
if the full Shorewall distribution was installed.</para>
</listitem>
</orderedlist>
</section>
</section>
<section id="Compile">
<title>The "shorewall compile" command</title>
<para>A compiled script is produced using the <command>compile</command>
command:</para>
<blockquote>
<para><command>shorewall compile [ -e ] [ &lt;directory name&gt; ] [
&lt;path name&gt; ]</command></para>
</blockquote>
<para>where</para>
<blockquote>
<variablelist>
<varlistentry>
<term>-e</term>
<listitem>
<para>Indicates that the program is to be "exported" to another
system. When this flag is set, neither the "detectnets" interface
option nor DYNAMIC_ZONES=Yes in shorewall.conf are allowed. The
created program may be run on a system that has only Shorewall
Lite installed</para>
<para>When this flag is given, Shorewall does not probe the
current system to determine the kernel/iptables features that it
supports. It rather reads those capabilities from
<filename>/etc/shorewall/capabilities</filename>. See below for
details.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>&lt;directory name&gt;</term>
<listitem>
<para>specifies a directory to be searched for configuration files
before those directories listed in the CONFIG_PATH variable in
<filename>shorewall.conf</filename>.</para>
<para>When -e &lt;directory-name&gt; is included, only the
SHOREWALL_SHELL and VERBOSITY settings from
<filename>/etc/shorewall/shorewall.conf</filename> are used and
these apply only to the compiler itself. The settings used by the
compiled firewall script are determined by the contents of
<filename>&lt;directory name&gt;/shorewall.conf</filename>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>&lt;path name&gt;</term>
<listitem>
<para>specifies the name of the script to be created. If not
given, ${VARDIR}/firewall is assumed (by default, ${VARDIR} is
<filename>/var/lib/shorewall/</filename>)</para>
</listitem>
</varlistentry>
</variablelist>
</blockquote>
</section>
<section id="Lite"> <section id="Lite">
<title>Shorewall Lite</title> <title>Shorewall Lite</title>
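Review bot: The removed block takes a second `</section>` with it (the one directly after the close of `<section id="Restrictions">`), so on the new side `<section id="Lite">` opens straight after `for that system.</para>` while the section above it is still open. If nesting Shorewall Lite inside that first section is intended, fine; otherwise keep the closing tag here and drop the extra one from the block where it is re-added. Either way, validate the DocBook after the move, since the table of contents and section numbering follow this nesting.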
@ -175,10 +59,11 @@
<orderedlist numeration="loweralpha"> <orderedlist numeration="loweralpha">
<listitem> <listitem>
<para>You install the full Shorewall release on one system within your <para>You install the full Shorewall release on one system within
network. You need not configure Shorewall there and you may totally your network. You need not configure Shorewall there and you may
disable startup of Shorewall in your init scripts. For ease of totally disable startup of Shorewall in your init scripts. For ease
reference, we call this system the 'administrative system'.</para> of reference, we call this system the 'administrative
system'.</para>
<para>The administrative system may be a GNU/Linux system, a Windows <para>The administrative system may be a GNU/Linux system, a Windows
system running <ulink url="http://www.cygwin.com/">Cygwin</ulink> or system running <ulink url="http://www.cygwin.com/">Cygwin</ulink> or
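Review bot: Please split the re-wrapping out of this commit. The `<para>` about the administrative system changes only its line breaks, as do most of the later hunks, and that buries the section move the commit message describes.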
@ -208,21 +93,24 @@
each export directory.</para> each export directory.</para>
<note> <note>
<para>Users of Debian and derivatives that install the package from <para>Users of Debian and derivatives that install the package
their distribution will be disappointed to find that <filename from their distribution will be disappointed to find that
<filename
class="directory">/usr/share/shorewall/configfiles</filename> does class="directory">/usr/share/shorewall/configfiles</filename> does
not exist on their systems. They will instead need to either:</para> not exist on their systems. They will instead need to
either:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Copy the files in /usr/share/doc/shorewall/default-config/ <para>Copy the files in
into each export directory.</para> /usr/share/doc/shorewall/default-config/ into each export
directory.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Copy /etc/shorewall/shorewall.conf into each export <para>Copy /etc/shorewall/shorewall.conf into each export
directory and remove /etc/shorewall from the CONFIG_PATH setting directory and remove /etc/shorewall from the CONFIG_PATH
in the copied files.</para> setting in the copied files.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
@ -247,23 +135,23 @@
<para>The <filename>/etc/shorewall/shorewall.conf</filename> file is <para>The <filename>/etc/shorewall/shorewall.conf</filename> file is
used to determine the VERBOSITY setting which determines how much used to determine the VERBOSITY setting which determines how much
output the compiler generates. All other settings are taken from the output the compiler generates. All other settings are taken from the
<filename>shorewall.conf </filename>file in the remote systems export <filename>shorewall.conf </filename>file in the remote systems
directory.</para> export directory.</para>
<caution> <caution>
<para>If you want to be able to allow non-root users to manage <para>If you want to be able to allow non-root users to manage
remote firewall systems, then the files remote firewall systems, then the files
<filename>/etc/shorewall/params</filename> and <filename>/etc/shorewall/params</filename> and
<filename>/etc/shorewall/shorewall.conf</filename> must be readable <filename>/etc/shorewall/shorewall.conf</filename> must be
by all users on the administrative system. Not all packages secure readable by all users on the administrative system. Not all
the files that way and you may have to change the file permissions packages secure the files that way and you may have to change the
yourself.</para> file permissions yourself.</para>
</caution> </caution>
</listitem> </listitem>
<listitem id="Debian"> <listitem id="Debian">
<para>On each firewall system, If you are running Debian or one of its <para>On each firewall system, If you are running Debian or one of
derivatives like Ubuntu then edit its derivatives like Ubuntu then edit
<filename>/etc/default/shorewall-lite</filename> and set <filename>/etc/default/shorewall-lite</filename> and set
startup=1.</para> startup=1.</para>
</listitem> </listitem>
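Review bot: The `<caution>` says `/etc/shorewall/params` and `/etc/shorewall/shorewall.conf` must be readable by all users on the administrative system, but gives no guidance on what that exposes. While this paragraph is being touched, add a sentence telling readers that anything they set in `params` is then visible to every local account, and state the intended permissions explicitly instead of "you may have to change the file permissions yourself". Two wording slips also survive the re-wrap: "remote systems export directory" needs an apostrophe, and "On each firewall system, If you are" has a stray capital.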
@ -283,24 +171,25 @@
url="manpages/shorewall-routestopped.html"><filename>routestopped</filename> url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
file</ulink>.</para> file</ulink>.</para>
<para>It is important to understand that with Shorewall Lite, the <para>It is important to understand that with Shorewall Lite,
firewall's export directory on the administrative system acts as the firewall's export directory on the administrative system
<filename class="directory">/etc/shorewall</filename> for that acts as <filename class="directory">/etc/shorewall</filename>
firewall. So when the Shorewall documentation gives instructions for that firewall. So when the Shorewall documentation gives
for placing entries in files in the firewall's <filename instructions for placing entries in files in the firewall's
class="directory">/etc/shorewall</filename>, when using Shorewall <filename class="directory">/etc/shorewall</filename>, when
Lite you make those changes in the firewall's export directory on using Shorewall Lite you make those changes in the firewall's
the administrative system.</para> export directory on the administrative system.</para>
<para>The CONFIG_PATH variable is treated as follows:</para> <para>The CONFIG_PATH variable is treated as follows:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>The value of CONFIG_PATH in <para>The value of CONFIG_PATH in
<filename>/etc/shorewall/shorewall.conf</filename> is ignored <filename>/etc/shorewall/shorewall.conf</filename> is
when compiling for export (the -e option in given) and when ignored when compiling for export (the -e option in given)
the <command>load</command> or <command>reload</command> and when the <command>load</command> or
command is being executed (see below).</para> <command>reload</command> command is being executed (see
below).</para>
</listitem> </listitem>
<listitem> <listitem>
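Review bot: Typo carried through the re-wrap in the first CONFIG_PATH list item: "(the -e option in given)" should read "is given". The line is being rewritten anyway, so fix it here.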
@ -311,8 +200,8 @@
</listitem> </listitem>
<listitem> <listitem>
<para>The value of CONFIG_PATH used when the script is run on <para>The value of CONFIG_PATH used when the script is run
the firewall system is on the firewall system is
"/etc/shorewall-lite:/usr/share/shorewall-lite".</para> "/etc/shorewall-lite:/usr/share/shorewall-lite".</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
@ -324,10 +213,11 @@
<para>The <ulink <para>The <ulink
url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink> url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
command compiles a firewall script from the configuration files in command compiles a firewall script from the configuration files
the current working directory (using <command>shorewall compile in the current working directory (using <command>shorewall
-e</command>), copies that file to the remote system via scp and compile -e</command>), copies that file to the remote system via
starts Shorewall Lite on the remote system via ssh.</para> scp and starts Shorewall Lite on the remote system via
ssh.</para>
<para>Example (firewall's DNS name is 'gateway'):</para> <para>Example (firewall's DNS name is 'gateway'):</para>
@ -348,16 +238,17 @@
</listitem> </listitem>
<listitem> <listitem>
<para>If you later need to change the firewall's configuration, change <para>If you later need to change the firewall's configuration,
the appropriate files in the firewall's export directory then:</para> change the appropriate files in the firewall's export directory
then:</para>
<programlisting><command>cd &lt;export directory&gt;</command> <programlisting><command>cd &lt;export directory&gt;</command>
<command>/sbin/shorewall reload firewall</command></programlisting> <command>/sbin/shorewall reload firewall</command></programlisting>
<para>The <ulink <para>The <ulink
url="manpages/shorewall.html"><command>reload</command></ulink> url="manpages/shorewall.html"><command>reload</command></ulink>
command compiles a firewall script from the configuration files in the command compiles a firewall script from the configuration files in
current working directory (using <command>shorewall compile the current working directory (using <command>shorewall compile
-e</command>), copies that file to the remote system via scp and -e</command>), copies that file to the remote system via scp and
restarts Shorewall Lite on the remote system via ssh. The <emphasis restarts Shorewall Lite on the remote system via ssh. The <emphasis
role="bold">reload</emphasis> command also supports the '-c' role="bold">reload</emphasis> command also supports the '-c'
@ -471,8 +362,8 @@ clean:
<para>There is a <filename>shorewall-lite.conf</filename> file installed <para>There is a <filename>shorewall-lite.conf</filename> file installed
as part of Shorewall Lite as part of Shorewall Lite
(<filename>/etc/shorewall-lite/shorewall-lite.conf</filename>). You can (<filename>/etc/shorewall-lite/shorewall-lite.conf</filename>). You can
use that file on the firewall system to override some of the settings from use that file on the firewall system to override some of the settings
the shorewall.conf file in the export directory.</para> from the shorewall.conf file in the export directory.</para>
<para>Settings that you can override are:</para> <para>Settings that you can override are:</para>
@ -501,8 +392,8 @@ clean:
run Debian or one of its derivatives (see <link run Debian or one of its derivatives (see <link
linkend="Debian">above</link>).</para> linkend="Debian">above</link>).</para>
<para>The <filename>/sbin/shorewall-lite</filename> program included with <para>The <filename>/sbin/shorewall-lite</filename> program included
Shorewall Lite supports the same set of commands as the with Shorewall Lite supports the same set of commands as the
<filename>/sbin/shorewall</filename> program in a full Shorewall <filename>/sbin/shorewall</filename> program in a full Shorewall
installation with the following exceptions:</para> installation with the following exceptions:</para>
@ -530,11 +421,11 @@ clean:
</simplelist> </simplelist>
</blockquote> </blockquote>
<para>On systems with only Shorewall Lite installed, I recommend that you <para>On systems with only Shorewall Lite installed, I recommend that
create a symbolic link <filename>/sbin/shorewall</filename> and point it you create a symbolic link <filename>/sbin/shorewall</filename> and
at <filename>/sbin/shorewall-lite</filename>. That way, you can use point it at <filename>/sbin/shorewall-lite</filename>. That way, you can
<command>shorewall</command> as the command regardless of which product is use <command>shorewall</command> as the command regardless of which
installed.</para> product is installed.</para>
<blockquote> <blockquote>
<programlisting><command>ln -sf shorewall-lite /sbin/shorewall</command></programlisting> <programlisting><command>ln -sf shorewall-lite /sbin/shorewall</command></programlisting>
@ -555,7 +446,8 @@ clean:
<listitem> <listitem>
<para>Copy the contents of <filename <para>Copy the contents of <filename
class="directory">/etc/shorewall/</filename> from the firewall class="directory">/etc/shorewall/</filename> from the firewall
system to the export directory on the administrative system.</para> system to the export directory on the administrative
system.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -587,12 +479,12 @@ clean:
url="manpages/shorewall-routestopped.html"><filename>routestopped</filename> url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
file</ulink>.</para> file</ulink>.</para>
<para>Also, edit the <filename>shorewall.conf</filename> file in the <para>Also, edit the <filename>shorewall.conf</filename> file in
firewall's export directory and change the CONFIG_PATH setting to the firewall's export directory and change the CONFIG_PATH setting
remove <filename class="directory">/etc/shorewall</filename>. You to remove <filename class="directory">/etc/shorewall</filename>.
can replace it with <filename You can replace it with <filename
class="directory">/usr/share/shorewall/configfiles</filename> if you class="directory">/usr/share/shorewall/configfiles</filename> if
like.</para> you like.</para>
<para>Example:</para> <para>Example:</para>
@ -606,14 +498,14 @@ clean:
<programlisting>CONFIG_PATH=<emphasis role="bold">/usr/share/shorewall/configfiles</emphasis>:/usr/share/shorewall</programlisting> <programlisting>CONFIG_PATH=<emphasis role="bold">/usr/share/shorewall/configfiles</emphasis>:/usr/share/shorewall</programlisting>
</blockquote> </blockquote>
<para>Changing CONFIG_PATH will ensure that subsequent compilations <para>Changing CONFIG_PATH will ensure that subsequent
using the export directory will not include any files from <filename compilations using the export directory will not include any files
class="directory">/etc/shorewall</filename> other than from <filename class="directory">/etc/shorewall</filename> other
<filename>shorewall.conf</filename> and than <filename>shorewall.conf</filename> and
<filename>params</filename>.</para> <filename>params</filename>.</para>
<para>If you set variables in the params file, there are a couple of <para>If you set variables in the params file, there are a couple
issues:</para> of issues:</para>
<para>The <filename>params</filename> file is not processed at run <para>The <filename>params</filename> file is not processed at run
time if you set EXPORTPARAMS=No in time if you set EXPORTPARAMS=No in
@ -622,14 +514,14 @@ clean:
script.</para> script.</para>
<para>If the <filename>params</filename> file needs to set shell <para>If the <filename>params</filename> file needs to set shell
variables based on the configuration of the firewall system, you can variables based on the configuration of the firewall system, you
use this trick:</para> can use this trick:</para>
<programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting> <programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>
<para>The <command>shorewall-lite call</command> command allows you <para>The <command>shorewall-lite call</command> command allows
to to call interactively any Shorewall function that you can call in you to to call interactively any Shorewall function that you can
an extension script.</para> call in an extension script.</para>
<para>After having made the above changes to the firewall's export <para>After having made the above changes to the firewall's export
directory, execute the following commands.</para> directory, execute the following commands.</para>
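Review bot: The `params` trick `EXT_IP=$(ssh root@firewall ...)` is documented without saying what happens when the ssh call fails: the command substitution then leaves EXT_IP empty, with no error from the assignment itself. Suggest a sentence telling readers to check that the variable is non-empty before it is used, and noting that the trick needs root ssh access from the administrative system to the firewall whenever `params` is processed. The re-wrapped paragraph after the listing still reads "allows you to to call"; drop the duplicated "to".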
@ -694,6 +586,122 @@ clean:
</section> </section>
</section> </section>
<section id="Restrictions">
<title>Restrictions</title>
<para>While compiled Shorewall programs (as are used in Shorewall Lite)
are useful in many cases, there are some important restrictions that you
should be aware of before attempting to use them.</para>
<orderedlist>
<listitem>
<para>All extension scripts used are copied into the program (with
the exception of <ulink url="shorewall_extension_scripts.htm">those
executed at compile-time by the compiler</ulink>). The ramifications
of this are:</para>
<itemizedlist>
<listitem>
<para>If you update an extension script, the compiled program
will not use the updated script.</para>
</listitem>
<listitem>
<para>The <filename>params</filename> file is only processed at
compile time if you set EXPORTPARAMS=No in
<filename>shorewall.conf</filename>. For run-time setting of
shell variables, use the <filename>init</filename> extension
script. Although the default setting is EXPORTPARAMS=Yes for
compatibility, the recommended setting is
EXPORTPARAMS=No.</para>
<para>If the <filename>params</filename> file needs to set shell
variables based on the configuration of the firewall system, you
can use this trick:</para>
<programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>
<para>The <command>shorewall-lite call</command> command allows
you to to call interactively any Shorewall function that you can
call in an extension script.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>You must install Shorewall Lite on the system where you want
to run the script. You then install the compiled program in
/usr/share/shorewall-lite/firewall and use the /sbin/shorewall-lite
program included with Shorewall Lite to control the firewall just as
if the full Shorewall distribution was installed.</para>
</listitem>
</orderedlist>
</section>
</section>
<section id="Compile">
<title>The "shorewall compile" command</title>
<para>A compiled script is produced using the <command>compile</command>
command:</para>
<blockquote>
<para><command>shorewall compile [ -e ] [ &lt;directory name&gt; ] [
&lt;path name&gt; ]</command></para>
</blockquote>
<para>where</para>
<blockquote>
<variablelist>
<varlistentry>
<term>-e</term>
<listitem>
<para>Indicates that the program is to be "exported" to another
system. When this flag is set, neither the "detectnets" interface
option nor DYNAMIC_ZONES=Yes in shorewall.conf are allowed. The
created program may be run on a system that has only Shorewall
Lite installed</para>
<para>When this flag is given, Shorewall does not probe the
current system to determine the kernel/iptables features that it
supports. It rather reads those capabilities from
<filename>/etc/shorewall/capabilities</filename>. See below for
details.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>&lt;directory name&gt;</term>
<listitem>
<para>specifies a directory to be searched for configuration files
before those directories listed in the CONFIG_PATH variable in
<filename>shorewall.conf</filename>.</para>
<para>When -e &lt;directory-name&gt; is included, only the
SHOREWALL_SHELL and VERBOSITY settings from
<filename>/etc/shorewall/shorewall.conf</filename> are used and
these apply only to the compiler itself. The settings used by the
compiled firewall script are determined by the contents of
<filename>&lt;directory name&gt;/shorewall.conf</filename>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>&lt;path name&gt;</term>
<listitem>
<para>specifies the name of the script to be created. If not
given, ${VARDIR}/firewall is assumed (by default, ${VARDIR} is
<filename>/var/lib/shorewall/</filename>)</para>
</listitem>
</varlistentry>
</variablelist>
</blockquote>
</section>
<section id="Shorecap"> <section id="Shorecap">
<title>The /etc/shorewall/capabilities file and the shorecap <title>The /etc/shorewall/capabilities file and the shorecap
program</title> program</title>
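Review bot: The re-added Restrictions section repeats `params` guidance that the Shorewall Lite section already gives earlier in the file: the `EXT_IP=$(ssh root@firewall ...)` listing and the `shorewall-lite call` paragraph are identical, and the EXPORTPARAMS=No paragraph covers the same ground. Now that Restrictions follows that section, consider keeping one copy and linking to it so the two cannot drift apart. Also in the added lines: "allows you to to call" has a doubled "to", and the `-e` entry ending "Lite installed" is missing its full stop.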