<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
                    
  <meta http-equiv="Content-Language" content="en-us">
                    
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
                    
  <meta name="ProgId" content="FrontPage.Editor.Document">
                    
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Starting and Stopping Shorewall</title>
</head>
  <body>
            
<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
                            <tbody>
                     <tr>
                              <td width="100%">                         
           
      <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring 
        the Firewall</font></h1>
                              </td>
                            </tr>
                     
  </tbody>     
</table>
             
<p>If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot.
Once you have installed "firewall" in your init.d directory, simply
type "chkconfig --add firewall". This will start the firewall
in run levels 2-5 and stop it in run levels 1 and 6. If you want
to configure your firewall differently from this default, you can
use the "--level" option in chkconfig (see "man chkconfig") or use
your favorite graphical run-level editor.</p>
                 
<p><strong><u><font color="#000099">Important Notes:</font></u></strong><br>
</p>
          
<ol>
                   <li>Shorewall startup is disabled by default. Once you
have configured your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled. Note: users of the .deb package
must edit /etc/default/shorewall and set 'startup=1'.<br>
                   </li>
                   <li>If you use dialup, you may want to start the firewall
in your /etc/ppp/ip-up.local script. I recommend just placing "shorewall
restart" in that script.</li>
          
</ol>
          
             
<p>You can manually start and stop Shoreline Firewall using the "shorewall"
shell program. The <a href="#StateDiagram">Shorewall State Diagram</a>
shown at the bottom of this page summarizes the transitions these commands
cause.</p>
           
<ul>
                     <li>shorewall start - starts the firewall</li>
                     <li>shorewall stop - stops the firewall; the only traffic
 permitted through the firewall is from systems listed in /etc/shorewall/routestopped
(beginning with version 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf
then, in addition, all existing connections are permitted and any new connections
originating from the firewall itself are allowed).</li>
                     <li>shorewall restart - stops the firewall (if it's
running) and then starts it again</li>
                     <li>shorewall reset - resets the packet and byte counters
in the firewall</li>
                     <li>shorewall clear - removes all rules and chains
installed by Shoreline Firewall. The firewall is "wide open": unlike
<i>stop</i>, which still passes only the routestopped traffic, <i>clear</i>
leaves the system unprotected, so use <i>stop</i> when what you want is a
closed firewall.</li>
                     <li>shorewall refresh - refreshes the rules involving
the broadcast addresses of firewall interfaces, <a
 href="blacklisting_support.htm">the black list</a>, <a
 href="traffic_shaping.htm">traffic control rules</a> and <a
 href="ECN.html">ECN control rules</a>.</li>
          
</ul>
             If you include the keyword <i>debug</i> as the first argument,
 then a shell trace of the command is produced, as in:<br>
          
<pre>	<font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
             
<p>The above command would trace the 'start' command and place the trace information
in the file /tmp/trace<br>
 </p>
 
<p>Beginning with version 1.4.7, shorewall can give detailed help about each 
of its commands:<br>
 </p>
 
<ul>
   <li>shorewall help [ <i>command</i> | host | address ]<br>
   </li>
 
</ul>
                  
<p>The "shorewall" program may also be used to monitor the firewall.</p>
           
<ul>
                     <li>shorewall status - produces a verbose report about
 the firewall (iptables -L -n -v)</li>
                     <li>shorewall show <i>chain</i> - produces a verbose
report about <i>chain</i> (iptables -L <i>chain</i> -n -v)</li>
                     <li>shorewall show nat - produces a verbose report about
 the nat table (iptables -t nat -L -n -v)</li>
                     <li>shorewall show tos - produces a verbose report about
 the mangle table (iptables -t mangle -L -n -v)</li>
                     <li>shorewall show log - displays the last 20 packet
log entries.</li>
                     <li>shorewall show connections - displays the IP connections
 currently being tracked by the firewall.</li>
                     <li>shorewall show tc - displays information about the
 traffic control/shaping configuration.</li>
                     <li>shorewall monitor [ <i>delay</i> ] - continuously displays
 the firewall status, the last 20 log entries and the nat table. When the
 log entry display changes, an audible alarm is sounded.</li>
                     <li>shorewall hits - produces several reports about
 the Shorewall packet log messages in the current /var/log/messages file.</li>
                     <li>shorewall version - displays the installed version
number.</li>
        <li>shorewall check - performs a <u>cursory</u> validation of
 the zones, interfaces, hosts, rules and policy files.<br>
          <br>
          <font size="4" color="#ff6666"><b>The "check" command is totally
 unsupported and does not parse and validate the generated iptables
 commands. Even though the "check" command completes successfully,
 the configuration may fail to start. Problem reports that complain about
 errors that the 'check' command does not detect will not be accepted.<br>
          <br>
      See the recommended way to make configuration changes described
 below.</b></font><br>
         <br>
        </li>
                     <li>shorewall try <i>configuration-directory</i> [ <i>timeout</i> ]
 - restarts Shorewall using the specified configuration. If an error occurs,
 or if the <i>timeout</i> option is given and the new configuration has been
 up for that many seconds, Shorewall is restarted using the standard
 configuration.</li>
                     <li>shorewall drop, shorewall reject, shorewall allow
 and shorewall save implement <a
 href="blacklisting_support.htm">dynamic blacklisting</a> (see the list of
 blacklisting commands below).</li>
                     <li>shorewall logwatch (added in version 1.3.2) - monitors
 the log file named by LOGFILE in /etc/shorewall/shorewall.conf and produces
 an audible alarm when new Shorewall messages are logged.</li>
          
</ul>
    Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of
commands for dealing with IP addresses and IP address ranges:<br>
       
<ul>
      <li>shorewall ipcalc [ <i>address mask</i> | <i>address/vlsm</i> ]
- displays the network address, broadcast address, network in CIDR notation
 and netmask corresponding to the input[s].</li>
      <li>shorewall iprange <i>address1-address2</i> - decomposes the specified
 range of IP addresses into the equivalent list of network/host addresses.
      <br>
      </li>
       
</ul>
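<p>As an added example that is not part of Shorewall or its documentation, the
following POSIX sh script reimplements both calculations so that the
netmask/broadcast arithmetic and the range-to-CIDR decomposition can be
inspected. Its <i>ipcalc</i> handles the <i>address/vlsm</i> form only, and
its <i>iprange</i> accepts either two addresses or the
<i>address1-address2</i> form. The function names and the validation rules
(four decimal octets, no leading zeros) are this example's own assumptions.</p>

```shell
#!/bin/sh
# Added example, not part of Shorewall: a POSIX sh version of the ipcalc and
# iprange calculations. Function names and validation rules are this example's own.

ALL_ONES=4294967295   # 0xFFFFFFFF, written in decimal to avoid relying on hex literals

# ip2int A.B.C.D : dotted quad to a 32-bit integer; fails on malformed input.
# Runs in a subshell so changing IFS and the positional parameters stays local.
ip2int() {
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do
            case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) exit 1 ;; esac
            [ "$o" -le 255 ] || exit 1
        done
        echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    )
}

# int2ip N : 32-bit integer back to a dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# ipcalc ADDRESS/VLSM : print network, broadcast and netmask for the prefix.
ipcalc() {
    addr=${1%/*}; vlsm=${1#*/}
    case $vlsm in [0-9]|[12][0-9]|3[0-2]) ;; *) return 1 ;; esac
    a=$(ip2int "$addr") || return 1
    mask=$(( vlsm == 0 ? 0 : (ALL_ONES << (32 - vlsm)) & ALL_ONES ))
    net=$(( a & mask ))
    bcast=$(( net | (~mask & ALL_ONES) ))
    printf 'network=%s/%s broadcast=%s netmask=%s\n' \
        "$(int2ip "$net")" "$vlsm" "$(int2ip "$bcast")" "$(int2ip "$mask")"
}

# iprange START END  (or iprange START-END) : decompose an inclusive range
# into the minimal list of CIDR blocks. At each step the block emitted is the
# largest one that starts at the current address, is aligned to its own size
# and does not pass END.
iprange() {
    [ $# -eq 1 ] && set -- "${1%-*}" "${1#*-}"
    s=$(ip2int "$1") || return 1
    e=$(ip2int "$2") || return 1
    [ "$s" -le "$e" ] || return 1
    while [ "$s" -le "$e" ]; do
        bits=0
        while [ "$bits" -lt 32 ]; do
            size=$(( 1 << (bits + 1) ))
            [ $(( s % size )) -eq 0 ] && [ $(( s + size - 1 )) -le "$e" ] || break
            bits=$(( bits + 1 ))
        done
        echo "$(int2ip "$s")/$(( 32 - bits ))"
        s=$(( s + (1 << bits) ))
    done
}

# Run as:  sh ipcalc.sh ipcalc 192.0.2.130/25
#          sh ipcalc.sh iprange 192.168.1.4-192.168.1.20
case ${1:-} in ipcalc|iprange) "$@" ;; esac
```

<p>The decomposition is the standard greedy one, and the result is the list
you would paste into a blacklist or hosts entry when a range is all you were
given: 192.168.1.4-192.168.1.20 becomes 192.168.1.4/30, 192.168.1.8/29,
192.168.1.16/30 and 192.168.1.20/32.</p>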
 There is a set of commands dealing with <a
 href="blacklisting_support.htm">dynamic blacklisting</a>:<br>
 
<ul>
   <li>shorewall drop <i>&lt;ip address list&gt;</i> - causes packets from
the listed IP addresses to be silently dropped by the firewall.</li>
   <li>shorewall reject <i>&lt;ip address list&gt;</i> - causes packets from
the listed IP addresses to be rejected by the firewall.</li>
   <li>shorewall allow <i>&lt;ip address list&gt;</i> - re-enables receipt
of packets from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
command.</li>
   <li>shorewall save - saves the dynamic blacklisting configuration so that
it will be automatically restored the next time that the firewall is
restarted. Entries that have not been saved are lost at the next restart.</li>
   <li>shorewall show dynamic - displays the dynamic blacklisting chain.<br>
   </li>
 
</ul>
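<p>The following script is an added example, not code from Shorewall or its
author; it serves both the monitoring commands above (a small stand-in for
the log summary that <i>shorewall hits</i> produces) and the dynamic
blacklisting commands (feeding that summary into <i>shorewall drop</i> and
<i>shorewall save</i>). The log lines in SAMPLE_LOG are constructed for the
example and imitate the kernel log prefix "Shorewall:<i>chain</i>:<i>disposition</i>:";
the SHOREWALL_BIN variable and the function names are this example's own
assumptions.</p>

```shell
#!/bin/sh
# Added example, not part of Shorewall: summarise DROP/REJECT log entries per
# source address and destination port, then feed persistent offenders to the
# dynamic blacklist. SHOREWALL_BIN and the sample log are assumptions.
: "${SHOREWALL_BIN:=/sbin/shorewall}"

# Constructed sample of /var/log/messages lines (not real traffic).
SAMPLE_LOG=$(cat <<'EOF'
Jul 31 08:15:01 gateway kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.7 DST=203.0.113.1 LEN=60 TTL=51 PROTO=TCP SPT=40112 DPT=22 SYN
Jul 31 08:15:02 gateway kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.7 DST=203.0.113.1 LEN=60 TTL=51 PROTO=TCP SPT=40113 DPT=23 SYN
Jul 31 08:15:03 gateway kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.1 LEN=60 TTL=49 PROTO=TCP SPT=51000 DPT=22 SYN
Jul 31 08:15:04 gateway kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=60 TTL=63 PROTO=TCP SPT=33000 DPT=80 SYN
Jul 31 08:15:05 gateway sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 33001 ssh2
Jul 31 08:15:06 gateway kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.7 DST=203.0.113.1 LEN=60 TTL=51 PROTO=TCP SPT=40114 DPT=22 SYN
EOF
)

# shorewall_hits [FILE] : one "count src dpt disposition" line per distinct
# (source, destination port, disposition) among DROP/REJECT entries, most
# frequent first. Reads stdin when FILE is omitted. ACCEPT entries and
# non-Shorewall lines are ignored.
shorewall_hits() {
    awk '
        /kernel: Shorewall:/ {
            split($0, p, "Shorewall:")      # p[2] = "<chain>:<disposition>:IN=..."
            split(p[2], f, ":")
            disp = f[2]
            if (disp != "DROP" && disp != "REJECT") next
            src = "?"; dpt = "-"             # dpt stays "-" for ICMP and the like
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            hits[src " " dpt " " disp]++
        }
        END { for (k in hits) print hits[k], k }
    ' "$@" | sort -rn
}

# auto_blacklist THRESHOLD EXEMPT [FILE] : run "shorewall drop" for every
# source whose DROP/REJECT total reaches THRESHOLD, skipping addresses in the
# space-separated EXEMPT list (your management hosts), then persist the list
# with "shorewall save". Prints the addresses that were dropped.
auto_blacklist() {
    threshold=$1; exempt=" $2 "; shift 2
    dropped=""
    for src in $(shorewall_hits "$@" | awk -v t="$threshold" '
            { s[$2] += $1 }
            END { for (a in s) if (s[a] >= t) print a }'); do
        case $exempt in *" $src "*) continue ;; esac
        "$SHOREWALL_BIN" drop "$src" || return 1
        dropped="$dropped $src"
    done
    [ -n "$dropped" ] && { "$SHOREWALL_BIN" save || return 1; }
    printf '%s\n' "${dropped# }"
}

# With no arguments, summarise the constructed sample.
[ $# -eq 0 ] && printf '%s\n' "$SAMPLE_LOG" | shorewall_hits
```

<p>Treat an automatic feed from the DROP log with care: the SRC field is
whatever the packet carried, so a sender using forged source addresses can get
third parties, or your own management hosts, added to the blacklist. Keep the
exempt list, use a high threshold, and remember that the dynamic list is not
kept across a restart until <i>shorewall save</i> has run.</p>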
     Finally, the "shorewall" program may be used to dynamically alter the
contents of a zone.<br>
          
<ul>
                 <li>shorewall add <i>interface</i>[:<i>host</i>] <i>zone</i>
- adds the specified interface (and host if included) to the
specified zone.</li>
                 <li>shorewall delete <i>interface</i>[:<i>host</i>] <i>zone</i>
- deletes the specified interface (and host if included) from
the specified zone.</li>
          
</ul>
          
<blockquote>Examples:<br>
                    
  <blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
      -- adds the address 192.0.2.24 on interface ipsec0 to the zone vpn1<br>
                 <font color="#009900"><b>shorewall delete ipsec0:192.0.2.24
  vpn1</b></font> -- deletes the address 192.0.2.24 on interface ipsec0
  from zone vpn1<br>
                 </blockquote>
               </blockquote>
           
<p>The <b>shorewall start</b>, <b>shorewall restart, shorewall check, </b>and
<b>shorewall try </b>commands allow you to specify which <a
 href="configuration_file_basics.htm#Configs">Shorewall configuration</a>
to use:</p>
           
<blockquote>
  <p>shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
                   shorewall try <i>configuration-directory</i> [ <i>timeout</i> ]</p>
                   </blockquote>
           
<p>If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the
<i>configuration-directory</i>. If the file is present in the <i>configuration-directory</i>,
that file will be used; otherwise, the file in /etc/shorewall will
be used.</p>
             
<p>When changing the configuration of a production firewall, I recommend
the following:</p>
             
<ul>
                              <li><font color="#009900"><b>mkdir /etc/test</b></font></li>
                              <li><font color="#009900"><b>cd /etc/test</b></font></li>
                              <li>&lt;copy any files that you need to change
from /etc/shorewall to . and change them here&gt;</li>
        <li><font color="#009900"><b>shorewall -c . check</b></font></li>
        <li>&lt;correct any errors found by check and check again&gt;</li>
                                                     <li><font
 color="#009900"><b>/sbin/shorewall try .</b></font></li>
          
</ul>
           
<p>If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails
to start, the "try" command will automatically start the old one for
you. If you are working over a remote connection, give "try" a <i>timeout</i>
as well, so that a configuration that locks you out is replaced by the
standard one without your intervention.</p>
             
<p>  When the new configuration works then just </p>
             
<ul>
                              <li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
                              <li><font color="#009900"><b>cd</b></font></li>
                              <li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
          
</ul>
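<p>The same workflow as three shell functions, added here as an example and
not part of the Shorewall distribution. The configuration location and the
shorewall program are taken from SHOREWALL_ETC and SHOREWALL_BIN (both
assumptions of this example, defaulting to /etc/shorewall and /sbin/shorewall)
so that the flow can be rehearsed against a stub before it is used on a
production firewall.</p>

```shell
#!/bin/sh
# Added example, not part of Shorewall: the "test directory" workflow for
# changing a production configuration. SHOREWALL_BIN, SHOREWALL_ETC and the
# function names are this example's own assumptions.
: "${SHOREWALL_BIN:=/sbin/shorewall}"
: "${SHOREWALL_ETC:=/etc/shorewall}"

# stage_config TESTDIR FILE... : create TESTDIR (root-only, like the firewall
# configuration it will hold) and copy the named files from $SHOREWALL_ETC
# into it. Only the files you intend to change are copied; with -c TESTDIR
# Shorewall falls back to /etc/shorewall for every file that is not there.
stage_config() {
    testdir=$1; shift
    mkdir -p "$testdir" && chmod 700 "$testdir" || return 1
    for f in "$@"; do
        cp "$SHOREWALL_ETC/$f" "$testdir/$f" || return 1
    done
}

# try_config TESTDIR [TIMEOUT] : "shorewall -c TESTDIR check", then
# "shorewall try TESTDIR TIMEOUT". The timeout (default 60 seconds) is the
# guard against locking yourself out over a remote session: after that many
# seconds try restarts the standard configuration on its own, and it does the
# same immediately if the new configuration fails to start. Returns non-zero
# if check or try fails, so a failing check never reaches the firewall.
try_config() {
    testdir=$1; timeout=${2:-60}
    "$SHOREWALL_BIN" -c "$testdir" check || return 1
    "$SHOREWALL_BIN" try "$testdir" "$timeout"
}

# commit_config TESTDIR : once the trial run behaved, install the edited
# files into $SHOREWALL_ETC, remove the test directory and restart so the
# installed files become the running configuration (try has already fallen
# back to the standard configuration when it was given a timeout).
commit_config() {
    testdir=$1
    for f in "$testdir"/*; do
        [ -f "$f" ] || continue
        cp "$f" "$SHOREWALL_ETC/${f##*/}" || return 1
    done
    rm -rf "$testdir"
    "$SHOREWALL_BIN" restart
}

# Typical session:
#   stage_config /etc/test rules policy
#   <edit /etc/test/rules and /etc/test/policy>
#   try_config /etc/test 120       # watch the firewall for two minutes
#   commit_config /etc/test        # only if the trial behaved
```

<p>As the warning above says, the check step only covers the zones,
interfaces, hosts, rules and policy files; it is the try step, which loads the
generated iptables commands, that tells you whether the configuration actually
starts.</p>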
             
<p><a name="StateDiagram"></a>The Shorewall State Diagram is depicted below.<br>
          </p>
          
<div align="center"><img src="images/State_Diagram.png"
 alt="(State Diagram)" width="747" height="714" align="middle">
          <br>
          </div>
          
              You will note that the commands that result in state transitions
use the word "firewall" rather than "shorewall". That is because the
actual transitions are done by /usr/share/shorewall/firewall; /sbin/shorewall
runs "firewall" according to the following table:<br>
            <br>
          
<table cellpadding="2" cellspacing="2" border="1">
               <tbody>
                 <tr>
        <td valign="top"><u><b>/sbin/shorewall Command</b><br>
        </u></td>
        <td valign="top"><u><b>Resulting /usr/share/shorewall/firewall Command</b><br>
        </u></td>
        <td valign="top"><u><b>Effect if the Command Succeeds</b><br>
        </u></td>
      </tr>
      <tr>
                   <td valign="top">shorewall start<br>
                   </td>
                   <td valign="top">firewall start<br>
                   </td>
        <td valign="top">The system filters packets based on your current 
Shorewall Configuration<br>
        </td>
                 </tr>
                 <tr>
                   <td valign="top">shorewall stop<br>
                   </td>
                   <td valign="top">firewall stop<br>
                   </td>
        <td valign="top">Only traffic to/from hosts listed in /etc/shorewall/routestopped
 is passed to/from/through the firewall. For Shorewall versions beginning
with 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf then,
in addition, all existing connections are retained and all connection requests
from the firewall are accepted.<br>
        </td>
                 </tr>
                 <tr>
                   <td valign="top">shorewall restart<br>
                   </td>
                   <td valign="top">firewall restart<br>
                   </td>
        <td valign="top">Logically equivalent to "firewall stop;firewall
start"<br>
        </td>
                 </tr>
                 <tr>
                   <td valign="top">shorewall add<br>
                   </td>
                   <td valign="top">firewall add<br>
                   </td>
        <td valign="top">Adds a host or subnet to a dynamic zone<br>
        </td>
                 </tr>
                 <tr>
                   <td valign="top">shorewall delete<br>
                   </td>
                   <td valign="top">firewall delete<br>
                   </td>
        <td valign="top">Deletes a host or subnet from a dynamic zone<br>
        </td>
                 </tr>
                 <tr>
                   <td valign="top">shorewall refresh<br>
                   </td>
                   <td valign="top">firewall refresh<br>
                   </td>
        <td valign="top">Reloads rules dealing with static blacklisting,
traffic  control and ECN.<br>
        </td>
                 </tr>
                 <tr>
        <td valign="top">shorewall clear<br>
        </td>
        <td valign="top">firewall clear<br>
        </td>
        <td valign="top">Removes all Shorewall rules, chains, addresses,
routes  and ARP entries.<br>
        </td>
      </tr>
      <tr>
                   <td valign="top">shorewall try<br>
                   </td>
                   <td valign="top">firewall -c &lt;new configuration&gt; 
restart<br>
             If unsuccessful then firewall start (standard configuration)<br>
             If timeout then firewall restart (standard configuration)<br>
                   </td>
        <td valign="top">The system filters packets based on the new configuration.
 If it fails to start, or the timeout expires, the standard configuration is
 started again.<br>
        </td>
                 </tr>
                    
  </tbody>     
</table>
            <br>
          
<p><font size="2">Updated 7/31/2003 - <a href="support.htm">Tom Eastep</a>
           </font></p>
            
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
           &copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
 </p>
 <br>
</body>
</html>