2004-02-14 19:06:39 +01:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
2008-07-07 22:42:54 +02:00
|
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
2004-02-14 19:06:39 +01:00
|
|
|
<article>
|
|
|
|
<!--$Id$-->
|
|
|
|
|
|
|
|
<articleinfo>
|
2006-06-12 18:10:34 +02:00
|
|
|
<title>Operating Shorewall and Shorewall Lite</title>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<authorgroup>
|
|
|
|
<author>
|
|
|
|
<firstname>Tom</firstname>
|
|
|
|
|
|
|
|
<surname>Eastep</surname>
|
|
|
|
</author>
|
|
|
|
</authorgroup>
|
|
|
|
|
2006-07-07 03:04:16 +02:00
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<copyright>
|
2004-08-07 04:13:32 +02:00
|
|
|
<year>2004</year>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-04-07 18:35:59 +02:00
|
|
|
<year>2005</year>
|
|
|
|
|
2006-02-27 18:45:29 +01:00
|
|
|
<year>2006</year>
|
|
|
|
|
2007-02-16 00:55:20 +01:00
|
|
|
<year>2007</year>
|
|
|
|
|
2004-02-14 19:06:39 +01:00
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
|
|
</copyright>
|
|
|
|
|
|
|
|
<legalnotice>
|
|
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
|
|
Texts. A copy of the license is included in the section entitled
|
2004-08-21 17:42:31 +02:00
|
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
|
|
License</ulink></quote>.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</legalnotice>
|
|
|
|
</articleinfo>
|
|
|
|
|
2005-08-31 00:46:02 +02:00
|
|
|
<caution>
|
2009-02-28 04:45:43 +01:00
|
|
|
<para><emphasis role="bold">This article applies to Shorewall 4.3 and
|
2005-09-17 08:26:55 +02:00
|
|
|
later. If you are running a version of Shorewall earlier than Shorewall
|
2009-02-28 04:45:43 +01:00
|
|
|
4.3.5 then please see the documentation for that
|
2005-09-17 08:26:55 +02:00
|
|
|
release</emphasis>.</para>
|
2005-08-31 00:46:02 +02:00
|
|
|
</caution>
|
|
|
|
|
2007-06-29 00:06:10 +02:00
|
|
|
<section id="CLI">
|
2007-06-24 01:33:17 +02:00
|
|
|
<title>/sbin/shorewall and /sbin/shorewall-lite</title>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2007-06-24 01:33:17 +02:00
|
|
|
<para><filename>/sbin/shorewall</filename> is the program that you use to
|
|
|
|
interact with Shorewall. Normally the root user's PATH includes
|
|
|
|
<filename>/sbin</filename> and the program can be run from a shell prompt
|
|
|
|
by simply typing <command>shorewall</command> followed by a
|
|
|
|
command.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2007-06-24 01:33:17 +02:00
|
|
|
<warning>
|
|
|
|
<para>In some releases of KDE, the default configuration of the
|
|
|
|
<emphasis role="bold">konsole</emphasis> program is brain dead with
|
|
|
|
respect to the "Root Console". It executes the command "su" where it
|
|
|
|
should execute "su -"; the latter will cause a login shell to be created
|
|
|
|
which will in turn set PATH properly. You can correct this problem as
|
|
|
|
follows:</para>
|
2005-05-18 23:12:46 +02:00
|
|
|
|
2007-06-24 01:33:17 +02:00
|
|
|
<orderedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>Click on "Settings" on the toolbar and select "Configure
|
|
|
|
Konsole"</para>
|
|
|
|
</listitem>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2007-06-24 01:33:17 +02:00
|
|
|
<listitem>
|
|
|
|
<para>Select the "Session" tab.</para>
|
|
|
|
</listitem>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2007-06-24 01:33:17 +02:00
|
|
|
<listitem>
|
|
|
|
<para>Click on "Root Console"</para>
|
|
|
|
</listitem>
|
2004-05-09 00:31:54 +02:00
|
|
|
|
2007-06-24 01:33:17 +02:00
|
|
|
<listitem>
|
|
|
|
<para>Change the Execute command from "su" to "su -"</para>
|
|
|
|
</listitem>
|
2006-02-27 18:45:29 +01:00
|
|
|
|
2007-06-24 01:33:17 +02:00
|
|
|
<listitem>
|
|
|
|
<para>Click on "Save Session"</para>
|
|
|
|
</listitem>
|
2004-05-09 00:31:54 +02:00
|
|
|
|
2007-06-24 01:33:17 +02:00
|
|
|
<listitem>
|
|
|
|
<para>Click on "Ok"</para>
|
|
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
|
|
</warning>
|
2006-06-12 18:10:34 +02:00
|
|
|
|
2007-06-24 01:33:17 +02:00
|
|
|
<para>To see a list of supported commands, use the <command>help</command>
|
|
|
|
command:</para>
|
2006-06-12 18:10:34 +02:00
|
|
|
|
2007-06-24 01:33:17 +02:00
|
|
|
<programlisting><command>shorewall help</command></programlisting>
|
2006-06-12 18:10:34 +02:00
|
|
|
|
2007-06-24 01:33:17 +02:00
|
|
|
<para>To get further information about a particular command, use the
|
|
|
|
<command>man</command> command:</para>
|
2006-06-12 18:10:34 +02:00
|
|
|
|
2007-06-24 01:33:17 +02:00
|
|
|
<programlisting><command>man shorewall</command>
|
|
|
|
</programlisting>
|
2006-06-12 18:10:34 +02:00
|
|
|
|
2007-06-24 01:33:17 +02:00
|
|
|
<para>The program <emphasis role="bold">/sbin/shorewall-lite</emphasis>
|
|
|
|
performs a similar role with Shorewall-lite.</para>
|
2007-06-25 19:02:46 +02:00
|
|
|
|
|
|
|
<para>For a more complete description of the files and directories
|
|
|
|
involved in Shorewall and Shorewall-lite, see the <ulink
|
|
|
|
url="Anatomy.html">Shorewall Anatomy article</ulink>.</para>
|
2004-08-07 04:13:32 +02:00
|
|
|
</section>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2007-06-29 00:06:10 +02:00
|
|
|
<section id="Starting">
|
2004-08-07 04:13:32 +02:00
|
|
|
<title>Starting, Stopping and Clearing</title>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-08-21 17:42:31 +02:00
|
|
|
<para>As explained in the <ulink
|
|
|
|
url="Introduction.html">Introduction</ulink>, Shorewall is not something
|
|
|
|
that runs all of the time in your system. Nevertheless, for integrating
|
|
|
|
Shorewall into your initialization scripts it is useful to speak of
|
|
|
|
<firstterm>starting</firstterm> Shorewall and
|
2004-08-07 04:13:32 +02:00
|
|
|
<emphasis>stopping</emphasis> Shorewall.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
2004-08-21 17:42:31 +02:00
|
|
|
<para>Shorewall is started using the <command>shorewall
|
|
|
|
start</command> command. Once the start command completes
|
|
|
|
successfully, Netfilter is configured as described in your Shorewall
|
|
|
|
configuration files. If there is an error during <command>shorewall
|
|
|
|
start</command>, then if you have a <firstterm>saved
|
|
|
|
configuration</firstterm> then that configuration is restored.
|
|
|
|
Otherwise, an implicit <command>shorewall stop</command> is
|
|
|
|
executed.</para>
|
2006-02-27 18:45:29 +01:00
|
|
|
|
|
|
|
<important>
|
2009-02-28 04:45:43 +01:00
|
|
|
<para><command>shorewall start</command> is implemented as a
|
|
|
|
<firstterm>compile and go</firstterm>; that is, the configuration is
|
|
|
|
compiled and if there are no compilation errors then the resulting
|
|
|
|
compiled script is executed. If there are compilation errors, the
|
|
|
|
command is aborted and the state of the firewall is not
|
|
|
|
altered.</para>
|
2006-02-27 18:45:29 +01:00
|
|
|
</important>
|
2004-02-14 19:06:39 +01:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2004-08-07 04:13:32 +02:00
|
|
|
<para>Shorewall is stopped using the <command>shorewall stop</command>
|
|
|
|
command.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-08-07 04:13:32 +02:00
|
|
|
<important>
|
|
|
|
<para>The <command>shorewall stop</command> command does not remove
|
2008-08-15 07:03:24 +02:00
|
|
|
all Netfilter rules and open your firewall for all traffic to pass.
|
2004-08-07 04:13:32 +02:00
|
|
|
It rather places your firewall in a safe state defined by the
|
2004-08-21 17:42:31 +02:00
|
|
|
contents of your <ulink
|
2007-07-04 02:23:43 +02:00
|
|
|
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>
|
2004-08-07 04:13:32 +02:00
|
|
|
file and the setting of ADMINISABSENTMINDED in <ulink
|
2007-07-04 02:23:43 +02:00
|
|
|
url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>.</para>
|
2004-08-07 04:13:32 +02:00
|
|
|
</important>
|
2004-02-14 19:06:39 +01:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2004-08-07 04:13:32 +02:00
|
|
|
<para>If you want to remove all Netfilter rules and open your firewall
|
|
|
|
for all traffic to pass, use the <command>shorewall clear</command>
|
|
|
|
command.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2004-08-07 04:13:32 +02:00
|
|
|
<para>If you change your configuration and want to install the
|
|
|
|
changes, use the <command>shorewall restart </command>command.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</listitem>
|
2004-08-07 04:13:32 +02:00
|
|
|
</itemizedlist>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-08-07 04:13:32 +02:00
|
|
|
<para>For additional information, see the<link linkend="State"> Shorewall
|
|
|
|
State Diagram</link> section.</para>
|
|
|
|
</section>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2007-10-06 18:29:37 +02:00
|
|
|
<section id="Init">
|
|
|
|
<title>/etc/init.d/shorewall and /etc/init.d/shorewall-lite</title>
|
|
|
|
|
|
|
|
<para>Because of the different requirements of distribution packaging
|
|
|
|
systems, the behavior of <filename>/etc/init.d/shorewall</filename> and
|
|
|
|
<filename>/etc/init.d/shorewall-lite</filename> is not consistent between
|
2008-08-15 07:03:24 +02:00
|
|
|
distributions. As an example, when using the distribution Shorewall
|
2007-10-06 18:29:37 +02:00
|
|
|
packages on <trademark>Debian</trademark> and
|
|
|
|
<trademark>Ubuntu</trademark> systems, running
|
|
|
|
<command>/etc/init.d/shorewall stop</command> will actually execute the
|
|
|
|
command <command>/sbin/shorewall clear</command> rather than
|
|
|
|
<command>/sbin/shorewall stop</command>! So don't expect the meaning of
|
|
|
|
<emphasis>start</emphasis>, <emphasis>stop</emphasis>,
|
|
|
|
<emphasis>restart</emphasis>, etc. to be consistent between
|
|
|
|
<filename>/sbin/shorewall</filename> (or
|
|
|
|
<filename>/sbin/shorewall-lite</filename>) and your init scripts unless
|
|
|
|
you got your Shorewall package from shorewall.net.</para>
|
2010-05-27 22:55:07 +02:00
|
|
|
|
|
|
|
<para><emphasis role="bold">Update:</emphasis><blockquote>
|
|
|
|
<para>In Shorewall 4.4.0 and later, the tarballs from shorewall.net
|
|
|
|
follow the Debian convention when installed on a Debian or Ubuntu
|
|
|
|
system. Beginning with Shorewall 4.4.10, you can revert to the prior
|
|
|
|
behavior by setting SAFESTOP=1 in
|
|
|
|
<filename>/etc/default/shorewall</filename>,
|
|
|
|
<filename>/etc/default/shorewall6</filename>, etc.</para>
|
|
|
|
</blockquote></para>
|
2007-10-06 18:29:37 +02:00
|
|
|
</section>
|
|
|
|
|
2007-06-29 00:06:10 +02:00
|
|
|
<section id="Trace">
|
2007-10-06 18:36:31 +02:00
|
|
|
<title>Tracing Command Execution and other Debugging Aids</title>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-08-07 04:13:32 +02:00
|
|
|
<para>If you include the word <emphasis role="bold">trace</emphasis> as
|
2004-08-21 17:42:31 +02:00
|
|
|
the first parameter to an <filename>/sbin/shorewall</filename> command
|
|
|
|
that transfers control to
|
|
|
|
<filename>/usr/share/shorewall/firewall</filename>, execution of the
|
|
|
|
latter program will be traced to STDERR.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2007-06-29 00:06:10 +02:00
|
|
|
<example id="trace">
|
2004-08-07 04:13:32 +02:00
|
|
|
<title>Tracing <command>shorewall start</command></title>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-08-07 04:13:32 +02:00
|
|
|
<para>To trace the execution of <command>shorewall start</command> and
|
|
|
|
write the trace to the file <filename>/tmp/trace</filename>, you would
|
2007-06-25 22:11:24 +02:00
|
|
|
enter:<programlisting><command>shorewall trace start 2> /tmp/trace</command></programlisting><note>
|
2009-02-28 04:45:43 +01:00
|
|
|
<para>The <emphasis role="bold">trace</emphasis> keyword does not
|
|
|
|
result in a trace of the execution of the Shorewall rules compiler.
|
|
|
|
It rather causes additional diagnostic information to be included in
|
|
|
|
warning and error messages generated by the compiler.</para>
|
2007-06-25 22:11:24 +02:00
|
|
|
</note></para>
|
2007-10-06 18:29:37 +02:00
|
|
|
|
2009-02-28 04:45:43 +01:00
|
|
|
<para>You may also include the word <emphasis
|
|
|
|
role="bold">debug</emphasis> as the first argument to the
|
2007-10-06 18:29:37 +02:00
|
|
|
<filename>/sbin/shorewall</filename> and
|
|
|
|
<filename>/sbin/shorewall-lite</filename> commands.<programlisting><command>shorewall debug restart</command></programlisting>In
|
|
|
|
most cases, <emphasis role="bold">debug</emphasis> is a synonym for
|
|
|
|
<emphasis role="bold">trace</emphasis>. The exceptions are:</para>
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para><emphasis role="bold">debug</emphasis> is ignored by the
|
|
|
|
Shorewall-perl compiler.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para><emphasis role="bold">debug</emphasis> causes altered behavior
|
|
|
|
of scripts generated by the Shorewall-perl compiler. These scripts
|
|
|
|
normally use<command> iptables-restore</command> to install the
|
|
|
|
Netfilter ruleset but with <emphasis role="bold">debug</emphasis>,
|
|
|
|
the commands normally passed to <command>iptables-restore</command>
|
|
|
|
in its input file are passed individually to
|
|
|
|
<command>iptables</command>. This is a diagnostic aid which allows
|
|
|
|
identifying the individual command that is causing
|
|
|
|
<command>iptables-restore</command> to fail; it should be used when
|
|
|
|
iptables-restore fails when executing a <command>COMMIT</command>
|
|
|
|
command.</para>
|
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
|
|
|
|
<para><warning>
|
|
|
|
<para>The <emphasis role="bold">debug</emphasis> feature is strictly
|
|
|
|
for problem analysis. When <emphasis role="bold">debug</emphasis> is
|
|
|
|
used:</para>
|
|
|
|
|
|
|
|
<orderedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>The firewall is made 'wide open' before the rules are
|
|
|
|
applied.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The <filename>routestopped</filename> file is not
|
|
|
|
consulted.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The rules are applied in the canonical
|
|
|
|
<command>iptables-restore</command> order. So if you need
|
|
|
|
critical hosts to be always available during start/restart, you
|
|
|
|
may not be able to use <emphasis
|
|
|
|
role="bold">debug</emphasis>.</para>
|
|
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
|
|
</warning></para>
|
2004-08-07 04:13:32 +02:00
|
|
|
</example>
|
|
|
|
</section>
|
2004-05-19 19:55:45 +02:00
|
|
|
|
2007-06-29 00:06:10 +02:00
|
|
|
<section id="Boot">
|
2004-08-07 04:13:32 +02:00
|
|
|
<title>Having Shorewall Start Automatically at Boot Time</title>
|
|
|
|
|
|
|
|
<para>The .rpm, .deb and .tgz all try to configure your startup scripts so
|
|
|
|
that Shorewall will start automatically at boot time. If you are using the
|
|
|
|
<command>install.sh </command>script from the .tgz and it cannot determine
|
|
|
|
how to configure automatic startup, a message to that effect will be
|
2004-08-21 17:42:31 +02:00
|
|
|
displayed. You will need to consult your distribution's documentation to
|
|
|
|
see how to integrate the <filename>/etc/init.d/shorewall</filename> script
|
|
|
|
into the distribution's startup mechanism.<caution>
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>Shorewall startup is disabled by default. Once you have
|
2005-08-31 00:46:02 +02:00
|
|
|
configured your firewall, you can enable startup by editing
|
|
|
|
<filename>/etc/shorewall/shorewall.conf</filename> and setting
|
2005-10-02 17:34:20 +02:00
|
|
|
STARTUP_ENABLED=Yes.. Note: Users of the .deb package must rather
|
2005-08-31 00:46:02 +02:00
|
|
|
edit <filename>/etc/default/shorewall</filename> and set
|
|
|
|
<quote>startup=1</quote>.</para>
|
2004-08-21 17:42:31 +02:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>If you use dialup or some flavor of PPP where your IP
|
|
|
|
address can change arbitrarily, you may want to start the firewall
|
|
|
|
in your <command>/etc/ppp/ip-up.local</command> script. I
|
|
|
|
recommend just placing <quote><command>/sbin/shorewall
|
|
|
|
restart</command></quote> in that script.</para>
|
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
</caution></para>
|
2004-08-07 04:13:32 +02:00
|
|
|
</section>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-12-09 20:18:06 +01:00
|
|
|
<section id="Saved">
|
2004-08-21 17:42:31 +02:00
|
|
|
<title>Saving a Working Configuration for Error Recovery and Fast
|
|
|
|
Startup</title>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-08-07 04:13:32 +02:00
|
|
|
<para>Once you have Shorewall working the way that you want it to, you can
|
|
|
|
use <command>shorewall save</command> to <firstterm>save</firstterm> the
|
2004-08-21 17:42:31 +02:00
|
|
|
commands necessary to recreate that configuration in a <firstterm>restore
|
|
|
|
script</firstterm>.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-08-07 04:13:32 +02:00
|
|
|
<para>In its simplest form, the save command is just:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-08-07 04:13:32 +02:00
|
|
|
<programlisting><command>shorewall save</command></programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-08-07 04:13:32 +02:00
|
|
|
<para>That command creates the default restore script,
|
|
|
|
<filename>/var/lib/shorewall/restore</filename>. The default may be
|
|
|
|
changed using the RESTOREFILE option in <ulink
|
2007-07-08 18:11:28 +02:00
|
|
|
url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>.
|
|
|
|
A different file name may also be specified in the <command>save</command>
|
2004-08-11 02:18:47 +02:00
|
|
|
command:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-08-21 17:42:31 +02:00
|
|
|
<programlisting><command>shorewall save <filename></command></programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-08-21 17:42:31 +02:00
|
|
|
<para>Where <<emphasis>filename</emphasis>> is a simple file name
|
2004-08-07 04:13:32 +02:00
|
|
|
(no slashes).</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-08-07 04:13:32 +02:00
|
|
|
<para>Once created, the default restore script serves several useful
|
|
|
|
purposes:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-08-07 04:13:32 +02:00
|
|
|
<itemizedlist>
|
2004-02-14 19:06:39 +01:00
|
|
|
<listitem>
|
2004-08-07 04:13:32 +02:00
|
|
|
<para>If you change your configuration and there is an error when you
|
|
|
|
try to restart Shorewall, the restore script will be run to restore
|
|
|
|
your firewall to working order.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2007-07-08 18:11:28 +02:00
|
|
|
<para>Bootup is faster (although with Shorewall-perl, the difference
|
|
|
|
is minimal). The -f option of the start command (e.g.,
|
2004-08-07 04:13:32 +02:00
|
|
|
<command>shorewall -f start</command>) causes Shorewall to look for
|
2007-07-08 18:11:28 +02:00
|
|
|
the default restore script and if it exists, the script is run. When
|
|
|
|
using Shorewall-shell, this is much faster than starting Shorewall
|
|
|
|
using the normal mechanism of reading the configuration files and
|
|
|
|
running <command>iptables</command> dozens or even hundreds of
|
|
|
|
times.</para>
|
|
|
|
|
2009-02-28 04:45:43 +01:00
|
|
|
<para>The default is to not use -f. If you wish to change the default,
|
|
|
|
you must set the OPTIONS shell variable in either
|
2007-07-08 18:11:28 +02:00
|
|
|
<filename>/etc/default/shorewall</filename> or
|
|
|
|
<filename>/etc/sysconfig/shorewall</filename> (if your distribution
|
2009-04-18 01:05:03 +02:00
|
|
|
provides neither of these files, you must create one or the
|
|
|
|
other).</para>
|
2011-05-23 00:36:29 +02:00
|
|
|
|
|
|
|
<para><emphasis role="bold">Update</emphasis>: In Shorewall 4.4.20, a
|
|
|
|
new LEGACY_FASTSTART option was added to <ulink
|
|
|
|
url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>.
|
|
|
|
When LEGACY_FASTSTART=No, the compiled script that did the last
|
|
|
|
successful <command role="bold">start</command> or <command
|
|
|
|
role="bold">restart</command> will be used.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2004-08-07 04:13:32 +02:00
|
|
|
<para>The <command>shorewall restore</command> command can be used at
|
|
|
|
any time to quickly configure the firewall.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-08-21 17:42:31 +02:00
|
|
|
<programlisting><command>shorewall restore [ <filename> ]</command></programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-08-21 17:42:31 +02:00
|
|
|
<para>If no <<emphasis>filename</emphasis>> is given, the
|
2004-08-07 04:13:32 +02:00
|
|
|
default restore script is used. Otherwise, the script
|
2004-08-21 17:42:31 +02:00
|
|
|
<filename>/var/lib/shorewall/<filename></filename> is
|
|
|
|
used.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
|
2004-08-07 04:13:32 +02:00
|
|
|
<para>The ability to have multiple restore scripts means that you can save
|
|
|
|
different Shorewall firewall configurations and switch between them
|
|
|
|
quickly using the <command>restore</command> command.</para>
|
2004-05-09 00:31:54 +02:00
|
|
|
|
2004-08-21 17:42:31 +02:00
|
|
|
<para>Restore scripts may be removed using the <command>shorewall
|
|
|
|
forget</command> command:</para>
|
2004-05-09 00:31:54 +02:00
|
|
|
|
2004-08-21 17:42:31 +02:00
|
|
|
<programlisting><command>shorewall forget [ <filename> ]</command></programlisting>
|
2004-05-09 00:31:54 +02:00
|
|
|
|
2004-08-21 17:42:31 +02:00
|
|
|
<para>If no <<emphasis>filename</emphasis>> is given, the default
|
|
|
|
restore script is removed. Otherwise,
|
|
|
|
<filename>/var/lib/shorewall/<filename></filename> is removed (of
|
|
|
|
course, you can also use the Linux <command>rm</command> command from the
|
|
|
|
shell prompt to remove these files).</para>
|
2004-05-09 00:31:54 +02:00
|
|
|
</section>
|
|
|
|
|
2005-05-18 23:12:46 +02:00
|
|
|
<section id="AddDirectories">
|
|
|
|
<title>Additional Configuration Directories</title>
|
|
|
|
|
|
|
|
<para>The CONFIG_PATH setting in
|
|
|
|
<filename>/etc/shorewall/shorewall.conf</filename> determines where
|
|
|
|
Shorewall looks for configuration files. The default setting is
|
|
|
|
CONFIG_PATH=<filename
|
|
|
|
class="directory">/etc/shorewall</filename>:<filename
|
|
|
|
class="directory">/usr/share/shorewall</filename> which means that
|
|
|
|
<filename class="directory">/etc/shorewall</filename> is searched first
|
|
|
|
and if the file is not found then <filename
|
|
|
|
class="directory">/usr/share/shorewall</filename> is searched. You can
|
|
|
|
change the value of CONFIG_PATH to cause additional directories to be
|
|
|
|
searched but CONFIG_PATH should <emphasis>always</emphasis> include both
|
|
|
|
<filename class="directory">/etc/shorewall</filename> and <filename
|
|
|
|
class="directory">/usr/share/shorewall</filename>.</para>
|
|
|
|
|
|
|
|
<para>When an alternate configuration directory is specified as described
|
|
|
|
in the <link linkend="AddDirectories">next section</link>, that directory
|
|
|
|
is searched <emphasis>before</emphasis> those directories listed in
|
|
|
|
CONFIG_PATH.</para>
|
|
|
|
|
|
|
|
<para>Example - Search <filename
|
|
|
|
class="directory">/etc/shorewall</filename>, <filename
|
|
|
|
class="directory">/etc/shorewall/actiondir</filename> and <filename
|
|
|
|
class="directory">/usr/share/shorewall</filename> in that order:</para>
|
|
|
|
|
|
|
|
<programlisting>CONFIG_PATH=/etc/shorewall:/etc/shorewall/actiondir:/usr/share/shorewall</programlisting>
|
|
|
|
|
2005-10-02 17:34:20 +02:00
|
|
|
<para>The above is the setting that I once used to allow me to place all
|
|
|
|
of my user-defined 'action.' files in <filename
|
2005-05-18 23:12:46 +02:00
|
|
|
class="directory">/etc/shorewall/actiondir</filename>.</para>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section id="AltConfig">
|
|
|
|
<title>Alternate Configuration Directories</title>
|
|
|
|
|
|
|
|
<para>As explained <link linkend="AddDirectories">above</link>, Shorewall
|
|
|
|
normally looks for configuration files in the directories specified by the
|
|
|
|
CONFIG_PATH option in <filename
|
|
|
|
class="directory">/etc/shorewall/shorewall.conf</filename>. The
|
|
|
|
<command>shorewall start</command>, <command>shorewall restart</command>,
|
|
|
|
<command>shorewall check</command>, and <command>shorewall try
|
|
|
|
</command>commands allow you to specify an additional directory for
|
|
|
|
Shorewall to check before looking in the directories listed in
|
|
|
|
CONFIG_PATH.</para>
|
2004-10-24 23:10:47 +02:00
|
|
|
|
|
|
|
<programlisting> <command>shorewall {start|restart|check} <configuration-directory></command>
|
|
|
|
<command>shorewall try <configuration-directory> [ <timeout> ]</command></programlisting>
|
|
|
|
|
2004-08-21 17:42:31 +02:00
|
|
|
<para>If a <emphasis><configuration-directory</emphasis>> is
|
2005-10-03 16:33:37 +02:00
|
|
|
specified, each time that Shorewall is going to read a file, it will first
|
|
|
|
look in the<emphasis> <configuration-directory></emphasis> . If the
|
|
|
|
file is present in the
|
|
|
|
<emphasis><configuration-directory>,</emphasis> that file will be
|
|
|
|
used; otherwise, the directories in the CONFIG_PATH will be searched. When
|
|
|
|
changing the configuration of a production firewall, I recommend the
|
2004-08-21 17:42:31 +02:00
|
|
|
following:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<itemizedlist>
|
2004-08-07 04:13:32 +02:00
|
|
|
<listitem>
|
2004-08-21 17:42:31 +02:00
|
|
|
<para>If you haven't saved the current working configuration, do so
|
|
|
|
using <command>shorewall save</command>.</para>
|
2004-08-07 04:13:32 +02:00
|
|
|
</listitem>
|
|
|
|
|
2004-02-14 19:06:39 +01:00
|
|
|
<listitem>
|
|
|
|
<para><command>mkdir /etc/test</command></para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para><command>cd /etc/test</command></para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2004-08-21 17:42:31 +02:00
|
|
|
<para><copy any files that you need to change from /etc/shorewall
|
|
|
|
to . and change them here></para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2004-10-24 23:10:47 +02:00
|
|
|
<para><command>shorewall check ./</command></para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2004-08-21 17:42:31 +02:00
|
|
|
<para><correct any errors found by check and check again></para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2006-03-24 22:17:27 +01:00
|
|
|
<para><command>shorewall restart ./</command></para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
|
2006-03-24 22:17:27 +01:00
|
|
|
<para>If the <command>restart</command> fails, your configuration will be
|
2007-03-30 09:24:32 +02:00
|
|
|
restored to its state at the last <command>shorewall
|
2006-03-24 22:17:27 +01:00
|
|
|
save</command>.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<para>When the new configuration works then just:</para>
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
2004-08-07 04:13:32 +02:00
|
|
|
<para><command>cp -f * /etc/shorewall</command></para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para><command>cd</command></para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para><command>rm -rf /etc/test</command></para>
|
|
|
|
</listitem>
|
2004-08-07 04:13:32 +02:00
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para><command>shorewall save</command></para>
|
|
|
|
</listitem>
|
2004-02-14 19:06:39 +01:00
|
|
|
</itemizedlist>
|
2007-08-31 17:24:45 +02:00
|
|
|
|
|
|
|
<important>
|
|
|
|
<para>Shorewall requires that the file
|
|
|
|
<filename>/etc/shorewall/shorewall.conf</filename> to always exist.
|
|
|
|
Certain global settings are always obtained from that file. If you
|
|
|
|
create alternative configuration directories, do not remove
|
|
|
|
/etc/shorewall/shorewall.conf.</para>
|
|
|
|
</important>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
2007-06-29 00:06:10 +02:00
|
|
|
<section id="Commands">
|
2007-06-24 01:33:17 +02:00
|
|
|
<title>Commands</title>
|
2004-06-12 18:28:30 +02:00
|
|
|
|
2009-02-28 04:45:43 +01:00
|
|
|
<para>The general form of a command is:</para>
|
2006-02-27 18:45:29 +01:00
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<para><command>shorewall [ <options> ] <command> [
|
2007-06-24 01:33:17 +02:00
|
|
|
<command options> ] [ <argument> ... ]</command></para>
|
2006-02-27 18:45:29 +01:00
|
|
|
|
|
|
|
<para>Available options are:</para>
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
|
|
<term>-c <directory></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Specifies an <link linkend="AltConfig">alternate
|
2007-08-31 17:24:45 +02:00
|
|
|
configuration directory</link>. Use of this option is
|
|
|
|
deprecated.</para>
|
2006-02-27 18:45:29 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>-f</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Specifies fast restart. See the <command>start</command>
|
|
|
|
command below.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>-n</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Prevents the command from changing the firewall system's
|
|
|
|
routing configuration.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>-q</term>
|
|
|
|
|
|
|
|
<listitem>
|
2007-06-24 01:33:17 +02:00
|
|
|
<para>Reduces the verbosity level (see VERBOSITY setting in <ulink
|
2007-07-08 18:11:28 +02:00
|
|
|
url="manpages/shorewall.conf.htmlig">shorewall.conf</ulink>). May
|
|
|
|
be repeated (e.g., "-qq") with each instance reducing the
|
|
|
|
verbosity level by one.</para>
|
2006-02-27 18:45:29 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>-v</term>
|
|
|
|
|
|
|
|
<listitem>
|
2007-06-24 01:33:17 +02:00
|
|
|
<para>Increases the verbosity level (see VERBOSITY setting in
|
2007-07-08 18:11:28 +02:00
|
|
|
<ulink
|
|
|
|
url="manpages/shorewall.conf.htmlig">shorewall.conf</ulink>). May
|
2009-04-18 01:05:03 +02:00
|
|
|
be repeated (e.g., "-vv") with each instance increasing the
|
2007-06-24 01:33:17 +02:00
|
|
|
verbosity level by one.</para>
|
2006-02-27 18:45:29 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>-x</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Causes all iptables -L commands to display actual packet and
|
|
|
|
byte counts.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>-t</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>All progress messages are timestamped with the date and
|
|
|
|
time.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
|
|
|
|
<para>In addition, the <command>-q</command> and <command>-v</command>
|
|
|
|
options may be repeated to make the output less or more verbose
|
|
|
|
respectively. The default level of verbosity is determined by the
|
|
|
|
setting of the VERBOSITY option in
|
|
|
|
<filename>/etc/shorewall/shorewall.conf</filename>.</para>
|
2006-06-13 02:07:00 +02:00
|
|
|
|
|
|
|
<para>For Shorewall Lite, the general command form is:</para>
|
|
|
|
|
|
|
|
<para><command>shorewall-lite [ <options> ] <command> [
|
|
|
|
<command options> ] [ <argument> ... ]</command></para>
|
|
|
|
|
|
|
|
<para>where the options are the same as with Shorewall.</para>
|
2004-10-24 23:10:47 +02:00
|
|
|
|
2007-06-24 01:33:17 +02:00
|
|
|
<para>The complete documentation for each command may be found in the
|
|
|
|
<ulink url="manpages/shorewall.html">shorewall</ulink> and <ulink
|
|
|
|
url="manpages/shorewall-lite.html">shorewall-lite</ulink> man
|
|
|
|
pages.</para>
|
|
|
|
</blockquote>
|
2004-06-12 18:28:30 +02:00
|
|
|
</section>
|
|
|
|
|
2004-02-14 19:06:39 +01:00
|
|
|
<section id="State">
|
2006-05-07 17:58:26 +02:00
|
|
|
<title>Shorewall State Diagram</title>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2008-08-15 07:03:24 +02:00
|
|
|
<para>The Shorewall State Diagram is depicted below.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
<para><graphic align="center" fileref="images/State_Diagram.png" /></para>
|
|
|
|
|
|
|
|
<informaltable>
|
|
|
|
<tgroup cols="3">
|
|
|
|
<thead>
|
|
|
|
<row>
|
|
|
|
<entry align="center">/sbin/shorewall Command</entry>
|
|
|
|
|
|
|
|
<entry align="center">Resulting /usr/share/shorewall/firewall
|
|
|
|
Command</entry>
|
|
|
|
|
|
|
|
<entry align="center">Effect if the Command Succeeds</entry>
|
|
|
|
</row>
|
|
|
|
</thead>
|
|
|
|
|
|
|
|
<tbody>
|
|
|
|
<row>
|
|
|
|
<entry>shorewall start</entry>
|
|
|
|
|
|
|
|
<entry>firewall start</entry>
|
|
|
|
|
|
|
|
<entry>The system filters packets based on your current Shorewall
|
|
|
|
Configuration</entry>
|
|
|
|
</row>
|
|
|
|
|
|
|
|
<row>
|
|
|
|
<entry>shorewall stop</entry>
|
|
|
|
|
|
|
|
<entry>firewall stop</entry>
|
|
|
|
|
2011-05-08 14:37:49 +02:00
|
|
|
<entry>Only traffic to/from hosts listed in
|
|
|
|
/etc/shorewall/routestopped is passed to/from/through the
|
|
|
|
firewall. If ADMINISABSENTMINDED=Yes in
|
|
|
|
/etc/shorewall/shorewall.conf then in addition, all existing
|
2004-02-14 19:06:39 +01:00
|
|
|
connections are retained and all connection requests from the
|
|
|
|
firewall are accepted.</entry>
|
|
|
|
</row>
|
|
|
|
|
|
|
|
<row>
|
|
|
|
<entry>shorewall restart</entry>
|
|
|
|
|
|
|
|
<entry>firewall restart</entry>
|
|
|
|
|
2004-08-21 17:42:31 +02:00
|
|
|
<entry>Logically equivalent to <quote>firewall stop;firewall
|
|
|
|
start</quote></entry>
|
2004-02-14 19:06:39 +01:00
|
|
|
</row>
|
|
|
|
|
|
|
|
<row>
|
|
|
|
<entry>shorewall add</entry>
|
|
|
|
|
|
|
|
<entry>firewall add</entry>
|
|
|
|
|
|
|
|
<entry>Adds a host or subnet to a dynamic zone</entry>
|
|
|
|
</row>
|
|
|
|
|
|
|
|
<row>
|
|
|
|
<entry>shorewall delete</entry>
|
|
|
|
|
|
|
|
<entry>firewall delete</entry>
|
|
|
|
|
|
|
|
<entry>Deletes a host or subnet from a dynamic zone</entry>
|
|
|
|
</row>
|
|
|
|
|
|
|
|
<row>
|
|
|
|
<entry>shorewall refresh</entry>
|
|
|
|
|
|
|
|
<entry>firewall refresh</entry>
|
|
|
|
|
|
|
|
<entry>Reloads rules dealing with static blacklisting, traffic
|
|
|
|
control and ECN.</entry>
|
|
|
|
</row>
|
|
|
|
|
|
|
|
<row>
|
|
|
|
<entry>shorewall reset</entry>
|
|
|
|
|
|
|
|
<entry>firewall reset</entry>
|
|
|
|
|
|
|
|
<entry>Resets traffic counters</entry>
|
|
|
|
</row>
|
|
|
|
|
|
|
|
<row>
|
|
|
|
<entry>shorewall clear</entry>
|
|
|
|
|
|
|
|
<entry>firewall clear</entry>
|
|
|
|
|
|
|
|
<entry>Removes all Shorewall rules, chains, addresses, routes and
|
|
|
|
ARP entries.</entry>
|
|
|
|
</row>
|
|
|
|
|
|
|
|
<row>
|
|
|
|
<entry>shorewall try</entry>
|
|
|
|
|
2004-08-21 17:42:31 +02:00
|
|
|
<entry>firewall -c <new configuration> restart If
|
2004-02-14 19:06:39 +01:00
|
|
|
unsuccessful then firewall start (standard configuration) If
|
|
|
|
timeout then firewall restart (standard configuration)</entry>
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
</row>
|
|
|
|
</tbody>
|
|
|
|
</tgroup>
|
|
|
|
</informaltable>
|
2006-05-07 17:58:26 +02:00
|
|
|
|
|
|
|
<para>The only time that a program other than
|
2006-06-13 02:07:00 +02:00
|
|
|
<command>/usr/share/shorewall[-lite[/firewall</command> performs a state
|
2006-08-14 16:53:53 +02:00
|
|
|
transition itself is when the <command>shorewall[-lite] restore</command>
|
|
|
|
command is executed. In that case, the
|
2006-06-13 02:07:00 +02:00
|
|
|
<command>/var/lib/shorewall[-lite]/restore</command> program sets the
|
|
|
|
state to "Started".</para>
|
2006-05-07 17:58:26 +02:00
|
|
|
|
2007-06-24 01:33:17 +02:00
|
|
|
<para>With any command that involves compilation, there is no state
|
|
|
|
transition while the compiler is running. If compilation fails, the state
|
|
|
|
remains unchanged.</para>
|
2006-05-07 17:58:26 +02:00
|
|
|
|
2007-06-24 01:33:17 +02:00
|
|
|
<para>Also, <command>shorewall start</command> and <command>shorewall
|
|
|
|
restart</command> involve compilation followed by execution of the
|
|
|
|
compiled script. So it is the compiled script that performs the state
|
|
|
|
transition in these commands rather than
|
|
|
|
<command>/usr/share/shorewall/firewall</command>.</para>
|
2006-05-07 17:58:26 +02:00
|
|
|
|
2007-06-24 01:33:17 +02:00
|
|
|
<para>The compiled script is placed in <filename
|
|
|
|
class="directory">/var/lib/shorewall</filename> and is named either
|
|
|
|
<filename>.start</filename> or <filename>.restart</filename> depending on
|
|
|
|
the command.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
2008-07-07 22:42:54 +02:00
|
|
|
</article>
|