<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!-- $Id$ -->
<articleinfo>
<title>Starting/Stopping and Monitoring the Firewall</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-05-14</pubdate>
<copyright>
<year>2001-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Operating Shorewall</title>
<para>If you have a permanent internet connection such as DSL or Cable, I
recommend that you start the firewall automatically at boot. The <ulink
url="Install.htm">installation procedure</ulink> attempts to set up the
init scripts to start the firewall in run levels 2-5 and stop it in run
levels 1 and 6. If you want to configure your firewall differently from
this default, you can use your distribution's run-level editor.</para>
<caution>
<itemizedlist>
<listitem>
<para>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by removing the
file <filename>/etc/shorewall/startup_disabled</filename>. Note:
users of the .deb package must edit <filename>/etc/default/shorewall</filename>
and set <quote>startup=1</quote>.</para>
</listitem>
<listitem>
<para>If you use dialup or some flavor of PPP where your IP address
can change arbitrarily, you may want to start the firewall in your
<command>/etc/ppp/ip-up.local</command> script. I recommend just
placing <quote><command>/sbin/shorewall restart</command></quote> in
that script.</para>
</listitem>
</itemizedlist>
</caution>
<para>You can manually start and stop Shoreline Firewall using the
<quote><command>/sbin/shorewall</command></quote> shell program.</para>
<itemizedlist>
<listitem>
<para><command>shorewall [ -q ] [ -f ] start</command> - starts the
firewall. It is important to understand that when the firewall is in the
<emphasis role="bold">Started</emphasis> state there is
<emphasis>no Shorewall program running</emphasis>.
It rather means that Netfilter has been configured to handle traffic
as described in your Shorewall configuration files. Please refer to
the <link linkend="State">Shorewall State Diagram</link> as shown at
the bottom of this page for more information. The -q option was added
in Shorewall 2.0.2 Beta 1 and reduces the amount of output produced.
Also beginning with Shorewall version 2.0.2 Beta 1, the -f option may
be specified; if this option is given and the file
<filename>/var/lib/shorewall/restore</filename> is present (see
<command>shorewall save</command> below), then that script is run to
restore the state of the firewall to the state when
<filename>/var/lib/shorewall/restore</filename> was created. This is
generally much faster than starting the firewall without the -f
option.</para>
</listitem>
<listitem>
<para><command>shorewall stop</command> - stops the firewall; the only
traffic permitted through the firewall is from systems listed in
<filename>/etc/shorewall/routestopped</filename> (beginning with
version 1.4.7, if ADMINISABSENTMINDED=Yes in <filename>/etc/shorewall/shorewall.conf</filename>
then in addition, all existing connections are permitted and any new
connections originating from the firewall itself are allowed).</para>
</listitem>
<listitem>
<para><command>shorewall [ -q ] restart</command> - stops the firewall
(if it is in the <emphasis role="bold">Started</emphasis> state) and
then starts it again. The -q option was added in Shorewall 2.0.2 Beta
1 and reduces the amount of output produced.</para>
</listitem>
<listitem>
<para><command>shorewall reset</command> - resets the packet and byte
counters in the firewall.</para>
</listitem>
<listitem>
<para><command>shorewall clear</command> - removes all rules and chains
installed by Shoreline Firewall. The firewall is <quote>wide open</quote>.</para>
</listitem>
<listitem>
<para><command>shorewall refresh</command> - refreshes the rules
involving the broadcast addresses of firewall interfaces, the black
list, traffic control rules and ECN control rules.</para>
</listitem>
<listitem>
<para><command>shorewall save</command> - Beginning with Shorewall
2.0.2 Beta 1, this command creates a script <filename>/var/lib/shorewall/restore</filename>
which, when run, will restore the firewall to the state it was in when
the script was created.</para>
</listitem>
<listitem>
<para><command>shorewall restore</command> - Runs the
<filename>/var/lib/shorewall/restore</filename> script created by the
<command>shorewall save</command> command.</para>
</listitem>
<listitem>
<para><command>shorewall forget</command> - Added in Shorewall 2.0.2 Beta 1. Removes the
<filename>/var/lib/shorewall/restore</filename> script created by the
<command>shorewall save</command> command.</para>
</listitem>
</itemizedlist>
<para>If you include the keyword debug as the first argument, then a shell
trace of the command is produced as in:</para>
<para><programlisting><command>shorewall debug start 2&gt; /tmp/trace</command></programlisting> The
above command would trace the <quote>start</quote> command and place the
trace information in the file <filename>/tmp/trace</filename>.</para>
<para>Beginning with version 1.4.7, shorewall can give detailed help about
each of its commands: <programlisting><command>shorewall help [ command | host | address ]</command></programlisting> The
<quote>shorewall</quote> program may also be used to monitor the firewall.</para>
<itemizedlist>
<listitem>
<para><command>shorewall status</command> - produces a verbose report
about the firewall (<command>iptables -L -n -v</command>).</para>
</listitem>
<listitem>
<para><command>shorewall show &lt;chain1&gt; [ &lt;chain2&gt; ... ]</command>
- produces a verbose report about the listed chains (<command>iptables
-L chain -n -v</command>). Note: you may only list one chain in the
show command when running Shorewall version 1.4.6 and earlier. Version
1.4.7 and later allow you to list multiple chains in one command.</para>
</listitem>
<listitem>
<para><command>shorewall show nat</command> - produces a verbose report
about the nat table (<command>iptables -t nat -L -n -v</command>).</para>
</listitem>
<listitem>
<para><command>shorewall show tos</command> - produces a verbose report
about the mangle table (<command>iptables -t mangle -L -n -v</command>).</para>
</listitem>
<listitem>
<para><command>shorewall show log</command> - displays the last 20
packet log entries.</para>
</listitem>
<listitem>
<para><command>shorewall show connections</command> - displays the IP
connections currently being tracked by the firewall.</para>
</listitem>
<listitem>
<para><command>shorewall show tc</command> - displays information
about the traffic control/shaping configuration.</para>
</listitem>
<listitem>
<para><command>shorewall monitor [ &lt;delay&gt; ]</command> -
continuously displays the firewall status, the last 20 log entries and the nat table.
When the log entry display changes, an audible alarm is sounded. The
<emphasis>&lt;delay&gt;</emphasis> indicates the number of seconds
between updates, with the default being 10 seconds.</para>
</listitem>
<listitem>
<para><command>shorewall hits</command> - produces several reports
about the Shorewall packet log messages in the current log file named
in the LOGFILE variable in <filename>/etc/shorewall/shorewall.conf</filename>.</para>
</listitem>
<listitem>
<para><command>shorewall version</command> - displays the installed
version number.</para>
</listitem>
<listitem>
<para><command>shorewall check</command> - performs a cursory
validation of the zones, interfaces, hosts, rules and policy files.<caution><para>The
<quote><command>check</command></quote> command is totally unsupported
and does not parse and validate the generated iptables commands. Even
though the <quote>check</quote> command completes successfully, the
configuration may fail to start. Problem reports that complain about
errors that the <quote>check</quote> command does not detect will not
be accepted.</para><para>See the recommended way to make configuration
changes described below.</para></caution></para>
</listitem>
<listitem>
<para><command>shorewall try &lt;<errortype>configuration-directory</errortype>&gt;
[ &lt;timeout&gt; ]</command> - restarts Shorewall using the
specified configuration; if an error occurs, or if the
<emphasis>&lt;timeout&gt;</emphasis> option is given and the new
configuration has been up for that many seconds, then Shorewall is
restarted using the standard configuration.</para>
</listitem>
<listitem>
<para><command>shorewall logwatch</command> (added in version 1.3.2) -
monitors the LOGFILE and produces an audible alarm when new Shorewall
messages are logged.</para>
</listitem>
</itemizedlist>
<para>Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of
commands for dealing with IP addresses and IP address ranges:</para>
<itemizedlist>
<listitem>
<para><command>shorewall ipcalc [ &lt;address&gt; &lt;mask&gt; |
&lt;address&gt;/&lt;vlsm&gt; ]</command> - displays the network
address, broadcast address, network in CIDR notation and netmask
corresponding to the input[s].</para>
</listitem>
<listitem>
<para><command>shorewall iprange &lt;address1&gt;-&lt;address2&gt;</command>
- decomposes the specified range of IP addresses into the equivalent
list of network/host addresses.</para>
</listitem>
</itemizedlist>
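<para>The following script is an added example and is not part of this documentation or of Shorewall itself: it reimplements, in POSIX sh arithmetic, what <command>ipcalc</command> and <command>iprange</command> are described as reporting above (network address, broadcast address, network in CIDR notation and netmask; a range decomposed into the shortest equivalent list of network/host addresses), so the results can be compared with the real commands. The function names are my own, and the rejection of a non-contiguous netmask is an assumption about input validation that the text does not describe.</para>
<programlisting><![CDATA[
```shell
#!/bin/sh
# Added example, not Shorewall code: reimplements what the page says
# "shorewall ipcalc" and "shorewall iprange" report, in POSIX sh arithmetic.
# Function and variable names are my own; 32-bit values fit in sh integers.

# ip_to_int 192.168.1.77 -> 3232235853
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235853 -> 192.168.1.77
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_of_vlsm 24 -> 4294967040 (0xFFFFFF00)
mask_of_vlsm() {
    if [ "$1" -eq 0 ]; then echo 0; else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# vlsm_of_mask 255.255.255.0 -> 24; fails (no output) for a non-contiguous mask
# such as 255.255.0.255, which no CIDR prefix length can express.
vlsm_of_mask() {
    m=$(ip_to_int "$1"); n=0
    while [ "$n" -lt 32 ] && [ $(( (m >> (31 - n)) & 1 )) -eq 1 ]; do n=$(( n + 1 )); done
    [ $(( m & (4294967295 >> n) )) -eq 0 ] || return 1
    echo "$n"
}

# ipcalc <address>/<vlsm>  or  ipcalc <address> <mask>
# Prints the four items the page lists: network address, broadcast address,
# network in CIDR notation and netmask.
ipcalc() {
    case "$1" in
        */*) addr=${1%/*}; vlsm=${1#*/} ;;
        *)   addr=$1
             vlsm=$(vlsm_of_mask "$2") || { echo "ipcalc: non-contiguous mask $2" >&2; return 1; } ;;
    esac
    a=$(ip_to_int "$addr"); m=$(mask_of_vlsm "$vlsm")
    net=$(( a & m ))
    bcast=$(( net | (~m & 4294967295) ))
    printf 'network=%s broadcast=%s cidr=%s/%s netmask=%s\n' \
        "$(int_to_ip "$net")" "$(int_to_ip "$bcast")" "$(int_to_ip "$net")" "$vlsm" "$(int_to_ip "$m")"
}

# iprange <address1>-<address2>
# Decomposes the range into the shortest list of network/host addresses:
# at each step take the largest aligned block that starts at the current
# address and does not run past the end of the range.
iprange() {
    s=$(ip_to_int "${1%-*}"); e=$(ip_to_int "${1#*-}")
    [ "$s" -le "$e" ] || { echo "iprange: $1 runs backwards" >&2; return 1; }
    out=""
    while [ "$s" -le "$e" ]; do
        size=$(( s & -s ))                                # alignment of s (lowest set bit)
        if [ "$size" -eq 0 ]; then size=4294967296; fi    # s is 0.0.0.0
        while [ $(( s + size - 1 )) -gt "$e" ]; do size=$(( size / 2 )); done
        bits=0; t=$size
        while [ "$t" -gt 1 ]; do t=$(( t / 2 )); bits=$(( bits + 1 )); done
        out="$out$(int_to_ip "$s")/$(( 32 - bits )) "
        s=$(( s + size ))
    done
    echo "${out% }"
}

# Demonstration; the real commands given the same inputs should agree.
ipcalc 192.168.1.77/24            # network=192.168.1.0 broadcast=192.168.1.255 cidr=192.168.1.0/24 netmask=255.255.255.0
ipcalc 10.0.0.5 255.255.255.252   # network=10.0.0.4 broadcast=10.0.0.7 cidr=10.0.0.4/30 netmask=255.255.255.252
iprange 192.168.1.1-192.168.1.6   # 192.168.1.1/32 192.168.1.2/31 192.168.1.4/31 192.168.1.6/32
```
]]></programlisting>
<para>The <command>iprange</command> decomposition is the one a firewall needs when a rule must cover an arbitrary range: the block sizes grow only while the start address is aligned to them, which is why 192.168.1.1-192.168.1.6 needs four entries while 10.0.0.0-10.0.0.255 collapses to a single /24.</para>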
<para>There is a set of commands dealing with <ulink
url="blacklisting_support.htm">dynamic blacklisting</ulink>:</para>
<itemizedlist>
<listitem>
<para><command>shorewall drop &lt;ip address list&gt;</command> -
causes packets from the listed IP addresses to be silently dropped by
the firewall.</para>
</listitem>
<listitem>
<para><command>shorewall reject &lt;ip address list&gt;</command> -
causes packets from the listed IP addresses to be rejected by the
firewall.</para>
</listitem>
<listitem>
<para><command>shorewall allow &lt;ip address list&gt;</command> -
re-enables receipt of packets from hosts previously blacklisted by a
drop or reject command.</para>
</listitem>
<listitem>
<para><command>shorewall save</command> - saves the dynamic
blacklisting configuration so that it will be automatically restored
the next time that the firewall is restarted. Beginning with Shorewall
version 2.0.2 Beta 1, this command also creates the
<filename>/var/lib/shorewall/restore</filename> script as described
above.</para>
</listitem>
<listitem>
<para><command>shorewall show dynamic</command> - displays the dynamic
blacklisting chain.</para>
</listitem>
</itemizedlist>
<para>Finally, the <quote>shorewall</quote> program may be
used to dynamically alter the contents of a zone.</para>
<itemizedlist>
<listitem>
<para><command>shorewall add &lt;interface&gt;[:&lt;host&gt;]
&lt;zone&gt;</command> - adds the specified interface (and host if
included) to the specified zone.</para>
</listitem>
<listitem>
<para><command>shorewall delete &lt;interface&gt;[:&lt;host&gt;]
&lt;zone&gt;</command> - deletes the specified interface (and host
if included) from the specified zone.</para>
<para>Examples:<programlisting><command>shorewall add ipsec0:192.0.2.24 vpn1</command> -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1
<command>shorewall delete ipsec0:192.0.2.24 vpn1</command> -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1</programlisting></para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Error Handling</title>
<para>When <command>shorewall start</command>, <command>shorewall restart</command>
or <command>shorewall refresh</command> encounter an error, the behavior
depends on which version of Shorewall you are running and whether there is
a <filename>/var/lib/shorewall/restore</filename> script available (see
<command>shorewall save</command> above).</para>
<itemizedlist>
<listitem>
<para>If you are running a version of Shorewall earlier than 2.0.2
Beta 1 then the effect is as if a <command>shorewall stop</command>
command had been run.</para>
</listitem>
<listitem>
<para>If you have executed a <command>shorewall save</command> command
without a subsequent <command>shorewall forget</command>, then the
firewall is restored to the state when <command>shorewall save</command>
was executed.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Alternate Configurations</title>
<para>The <command>shorewall start</command>, <command>shorewall restart</command>,
<command>shorewall check</command>, and <command>shorewall try</command> commands
allow you to specify which Shorewall configuration to use:</para>
<programlisting><command>shorewall [ -c &lt;configuration-directory&gt; ] {start|restart|check}</command>
<command>shorewall try &lt;configuration-directory&gt; [ &lt;timeout&gt; ]</command></programlisting>
<para>If a <emphasis>&lt;configuration-directory&gt;</emphasis> is
specified, each time that Shorewall is going to use a file in <filename
class="directory">/etc/shorewall</filename> it will first look in the <emphasis>&lt;configuration-directory&gt;</emphasis>.
If the file is present in the <emphasis>&lt;configuration-directory&gt;</emphasis>, that file will
be used; otherwise, the file in <filename class="directory">/etc/shorewall</filename>
will be used. When changing the configuration of a production firewall, I
recommend the following:</para>
<itemizedlist>
<listitem>
<para><command>mkdir /etc/test</command></para>
</listitem>
<listitem>
<para><command>cd /etc/test</command></para>
</listitem>
<listitem>
<para>&lt;copy any files that you need to change from /etc/shorewall
to . and change them here&gt;</para>
</listitem>
<listitem>
<para><command>shorewall -c ./ check</command></para>
</listitem>
<listitem>
<para>&lt;correct any errors found by check and check again&gt;</para>
</listitem>
<listitem>
<para><command>/sbin/shorewall try ./</command></para>
</listitem>
</itemizedlist>
<para>If the configuration starts but doesn't work, just
<quote>shorewall restart</quote> to restore the old configuration. If the
new configuration fails to start, the <quote>try</quote> command will
automatically start the old one for you.</para>
<para>When the new configuration works then just:</para>
<itemizedlist>
<listitem>
<para><command>cp * /etc/shorewall</command></para>
</listitem>
<listitem>
<para><command>cd</command></para>
</listitem>
<listitem>
<para><command>rm -rf /etc/test</command></para>
</listitem>
</itemizedlist>
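<para>As an added example (my own code, not Shorewall's), the following shell functions model the <emphasis>&lt;configuration-directory&gt;</emphasis> lookup rule described above and script the recommended procedure, so that the copy of a file is promoted into <filename class="directory">/etc/shorewall</filename> only after <command>check</command> and <command>try</command> have both been run on it. The function names and the <literal>SHOREWALL</literal> and <literal>SHOREWALL_CONFDIR</literal> variables are assumptions of this script, not Shorewall options; they exist so that a stub can stand in for <command>/sbin/shorewall</command> when the script itself is exercised away from a real firewall.</para>
<programlisting><![CDATA[
```shell
#!/bin/sh
# Added example, not Shorewall's own code: models the -c <configuration-directory>
# lookup rule and scripts the "mkdir /etc/test ... check ... try ... cp ... rm -rf"
# procedure recommended above. SHOREWALL and SHOREWALL_CONFDIR are assumptions of
# this script (they let a stub replace /sbin/shorewall), not Shorewall options.
SHOREWALL=${SHOREWALL:-/sbin/shorewall}
SHOREWALL_CONFDIR=${SHOREWALL_CONFDIR:-/etc/shorewall}

# resolve_config_file NAME [CONFDIR]
# Prints the file Shorewall would read for NAME: the copy in CONFDIR when one is
# there, otherwise the one in /etc/shorewall (the overlay rule described above).
resolve_config_file() {
    if [ -n "${2:-}" ] && [ -f "$2/$1" ]; then
        echo "$2/$1"
    else
        echo "$SHOREWALL_CONFDIR/$1"
    fi
}

# stage_config WORKDIR FILE...
# First steps: create the scratch directory and copy in only the files that
# will change; everything not copied is still read from /etc/shorewall.
stage_config() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    for f in "$@"; do
        cp "$SHOREWALL_CONFDIR/$f" "$dir/$f" || return 1
    done
}

# check_and_try WORKDIR [TIMEOUT]
# "shorewall -c WORKDIR check" first; only if it passes is "shorewall try
# WORKDIR [TIMEOUT]" run, so a copy that check already rejects never reaches
# the running firewall. Returns 1 when check fails so the caller can correct
# the files and run this again.
check_and_try() {
    dir=$1
    if ! "$SHOREWALL" -c "$dir" check; then
        echo "check failed: correct the files in $dir and run again" >&2
        return 1
    fi
    if [ -n "${2:-}" ]; then
        "$SHOREWALL" try "$dir" "$2"   # reverted automatically after $2 seconds
    else
        "$SHOREWALL" try "$dir"        # stays up; "shorewall restart" reverts it
    fi
}

# promote_config WORKDIR
# Final steps, once the new configuration has been seen to work:
# "cp * /etc/shorewall" and then remove the scratch directory.
promote_config() {
    dir=$1
    cp "$dir"/* "$SHOREWALL_CONFDIR"/ && rm -rf "$dir"
}

# Typical session on a real firewall (run as root):
#   stage_config /etc/test rules     # then edit /etc/test/rules
#   check_and_try /etc/test          # verify the firewall behaves as intended
#   promote_config /etc/test
```
]]></programlisting>
<para>Keeping <command>check</command> as a gate in front of <command>try</command> mirrors the order of the steps above; it does not make <command>check</command> any more thorough than the caution earlier on this page describes, so the <command>try</command> step (and a restart to fall back) is still the real test.</para>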
</section>
<section id="State">
<title>Shorewall State Diagram</title>
<para>The Shorewall State Diagram is depicted below.</para>
<para><graphic align="center" fileref="images/State_Diagram.png"/></para>
<para>You will note that the commands that result in state transitions use
the word <quote>firewall</quote> rather than <quote>shorewall</quote>.
That is because the actual transitions are done by <command>/usr/share/shorewall/firewall</command>;
<command>/sbin/shorewall</command> runs <quote>firewall</quote> according
to the following table:</para>
<informaltable>
<tgroup cols="3">
<thead>
<row>
<entry align="center">/sbin/shorewall Command</entry>
<entry align="center">Resulting /usr/share/shorewall/firewall
Command</entry>
<entry align="center">Effect if the Command Succeeds</entry>
</row>
</thead>
<tbody>
<row>
<entry>shorewall start</entry>
<entry>firewall start</entry>
<entry>The system filters packets based on your current Shorewall
configuration.</entry>
</row>
<row>
<entry>shorewall stop</entry>
<entry>firewall stop</entry>
<entry>Only traffic to/from hosts listed in /etc/shorewall/hosts
is passed to/from/through the firewall. For Shorewall versions
beginning with 1.4.7, if ADMINISABSENTMINDED=Yes in
/etc/shorewall/shorewall.conf then in addition, all existing
connections are retained and all connection requests from the
firewall are accepted.</entry>
</row>
<row>
<entry>shorewall restart</entry>
<entry>firewall restart</entry>
<entry>Logically equivalent to <quote>firewall stop; firewall start</quote>.</entry>
</row>
<row>
<entry>shorewall add</entry>
<entry>firewall add</entry>
<entry>Adds a host or subnet to a dynamic zone.</entry>
</row>
<row>
<entry>shorewall delete</entry>
<entry>firewall delete</entry>
<entry>Deletes a host or subnet from a dynamic zone.</entry>
</row>
<row>
<entry>shorewall refresh</entry>
<entry>firewall refresh</entry>
<entry>Reloads rules dealing with static blacklisting, traffic
control and ECN.</entry>
</row>
<row>
<entry>shorewall reset</entry>
<entry>firewall reset</entry>
<entry>Resets traffic counters.</entry>
</row>
<row>
<entry>shorewall clear</entry>
<entry>firewall clear</entry>
<entry>Removes all Shorewall rules, chains, addresses, routes and
ARP entries.</entry>
</row>
<row>
<entry>shorewall try</entry>
<entry>firewall -c &lt;new configuration&gt; restart. If
unsuccessful then firewall start (standard configuration). If
timeout then firewall restart (standard configuration).</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</section>
<appendix>
<title>Revision History</title>
<para><revhistory>
<revision>
<revnumber>1.10</revnumber>
<date>2004-05-14</date>
<authorinitials>TE</authorinitials>
<revremark>Update "try" syntax in the alternate configuration section to include [ &lt;timeout&gt; ]</revremark>
</revision>
<revision>
<revnumber>1.9</revnumber>
<date>2004-05-03</date>
<authorinitials>TE</authorinitials>
<revremark>Shorewall 2.0.2</revremark>
</revision>
<revision>
<revnumber>1.3-1.8</revnumber>
<date>2004-01-04</date>
<authorinitials>TE</authorinitials>
<revremark>Docbook standards</revremark>
</revision>
<revision>
<revnumber>1.2</revnumber>
<date>2003-12-31</date>
<authorinitials>TE</authorinitials>
<revremark>Added clarification about "Started State"</revremark>
</revision>
<revision>
<revnumber>1.1</revnumber>
<date>2003-12-29</date>
<authorinitials>TE</authorinitials>
<revremark>Initial Docbook conversion</revremark>
</revision>
</revhistory></para>
</appendix>
</article>