forked from extern/shorewall_code
Document Shorewall-init; delete old auto-stop code
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent 5b2affbd01
commit 0c9a0150d2
@ -1345,11 +1345,6 @@ sub compile_updown() {
|
||||
' detect_configuration',
|
||||
' define_firewall',
|
||||
' ;;',
|
||||
' cleared|unknown)',
|
||||
' COMMAND=stop',
|
||||
' detect_configuration',
|
||||
' stop_firewall',
|
||||
' ;;',
|
||||
' esac',
|
||||
);
|
||||
|
||||
|
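Review bot: removing the `cleared|unknown)` branch (`COMMAND=stop`, `detect_configuration`, `stop_firewall`) takes away the stop path visible in this generated updown case statement, so a script compiled with this compiler will no longer stop the firewall when the interface state is reported as cleared or unknown, yet nothing in the hunk records why. Suggest a one-line comment before the remaining `esac` stating that interface-down handling has moved to Shorewall-init, so the branch is not re-added later; and since the change only takes effect for scripts recompiled with 4.4.10, the release notes should call out this behavioural change explicitly rather than only instructing users to recompile.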
@ -1,5 +1,6 @@
|
||||
----------------------------------------------------------------------------
|
||||
S H O R E W A L L 4 . 4 . 9
|
||||
S H O R E W A L L 4 . 4 . 10
|
||||
B E T A 1
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
I. RELEASE 4.4 HIGHLIGHTS
|
||||
@ -218,6 +219,131 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
||||
I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) Startup Errors (those that are detected before the state of the
|
||||
system has been altered), were previously not sent to the
|
||||
STARTUP_LOG.
|
||||
|
||||
2) A regression of sorts occurred in Shorewall 4.4.9. Previously, a
|
||||
Perl extension script could end with a call to add_rule(). Such a
|
||||
script would fail in Shorewall 4.4.9 unless the 'trace' option was
|
||||
specified on the run line.
|
||||
|
||||
While this issue has been corrected, users are advised to always
|
||||
end their Perl extension scripts with the following line to insure
|
||||
that the script returns a 'true' value:
|
||||
|
||||
1;
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
I V. K N O W N P R O B L E M S R E M A I N I N G
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
None.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
V. N E W F E A T U R E S I N T H I S R E L E A S E
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) Shorewall 4.4.10 includes a new 'Shorewall Init' package. This new
|
||||
package provides two related features:
|
||||
|
||||
a) It allows the firewall to be closed prior to bringing up
|
||||
network devices. This insures that unwanted connections are not
|
||||
allowed between the time that the network comes up and when the
|
||||
firewall is started.
|
||||
|
||||
b) It integrates with NetworkManager and distribution ifup/ifdown
|
||||
systems to allow for 'event-driven' startup and shutdown.
|
||||
|
||||
The two facilities can be enabled separately.
|
||||
|
||||
When Shorewall-init is first installed, it does nothing until you
|
||||
configure it.
|
||||
|
||||
The configuration file is /etc/default/shorewall-init on
|
||||
Debian-based systems and /etc/sysconfig/shorewall-init otherwise.
|
||||
|
||||
There are two settings in the file:
|
||||
|
||||
PRODUCTS - lists the Shorewall packages that you want to
|
||||
integrate with Shorewall-init. Example:
|
||||
|
||||
PRODUCTS="shorewall shorewall6"
|
||||
|
||||
IFUPDOWN When set to 1, enables integration with
|
||||
NetworkManager and the ifup/ifdown scripts.
|
||||
|
||||
To close your firewall before networking starts:
|
||||
|
||||
a) in the Shorewall-init configuration file, set PRODUCTS to the
|
||||
firewall products installed on your system.
|
||||
|
||||
b) be sure that your current firewall script(s) (normally in
|
||||
/var/lib/<product>/firewall) is(are) compiled with the 4.4.10
|
||||
compiler.
|
||||
|
||||
Shorewall and Shorewall6 users can execute these commands:
|
||||
|
||||
shorewall compile
|
||||
shorewall6 compile
|
||||
|
||||
Shorewall-lite and Shorewall6-lite users can execute these
|
||||
commands on the administrative system.
|
||||
|
||||
shorewall export <firewall-name-or-ip-address>
|
||||
shorewall6 export <firewall-name-or-ip-address>
|
||||
|
||||
That's all that is required.
|
||||
|
||||
To integrate with NetworkManager and ifup/ifdown, additional steps
|
||||
are required.
|
||||
|
||||
a) In the Shorewall-init configuration file, set IFUPDOWN=1.
|
||||
|
||||
b) In your Shorewall interfaces file(s), set the 'required' option
|
||||
on any interfaces that must be up in order for the firewall to
|
||||
start. At least one interface must have the 'required' option
|
||||
if you perform the next optional step.
|
||||
|
||||
c) (Optional) -- If you have specified at least one 'required'
|
||||
interface, you can then disable automatic firewall startup at
|
||||
boot time.
|
||||
|
||||
On Debian-based systems, set start=0 in /etc/default/<product>.
|
||||
|
||||
On other systems, use your service startup configuration tool
|
||||
(chkconfig, insserv, ...) to disable startup.
|
||||
|
||||
The following actions occur when an interface comes up:
|
||||
|
||||
FIREWALL INTERFACE ACTION
|
||||
STATE
|
||||
----------------------------------
|
||||
Any required start
|
||||
started optional restart
|
||||
started - restart
|
||||
|
||||
The following actions occur when an interface goes down:
|
||||
|
||||
In the INTERFACE column, '-' indicates neither required nor
|
||||
optional
|
||||
|
||||
FIREWALL INTERFACE ACTION
|
||||
STATE
|
||||
----------------------------------
|
||||
Any required stop
|
||||
started optional restart
|
||||
started - restart
|
||||
|
||||
For optional interfaces, the /var/lib/<product>/<interface>.state
|
||||
files are maintained to reflect the state of the interface.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
I N P R I O R R E L E A S E S
|
||||
----------------------------------------------------------------------------
|
||||
P R O B L E M S C O R R E C T E D I N 4 . 4 . 9
|
||||
----------------------------------------------------------------------------
|
||||
1) Logical interface names in the EXTERNAL column of
|
||||
/etc/shorewall/proxyarp were previously not mapped to their
|
||||
corresponding physical interface names. This could cause 'start' or
|
||||
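Review bot: step c) under the NetworkManager/ifup-ifdown integration allows automatic startup at boot to be disabled once at least one interface is 'required', but the text never states that this is only safe when the "close your firewall before networking starts" steps (PRODUCTS set, scripts recompiled) have also been done; with IFUPDOWN=1, boot startup disabled and an empty PRODUCTS, a required interface that never comes up leaves the host with no firewall loaded at all. Suggest adding a sentence to c) making the dependency explicit. Smaller points in the same hunk: "insure" should be "ensure" in both "to insure that the script returns a 'true' value" and "This insures that unwanted connections are not allowed"; "is(are) compiled" reads better as "are compiled"; and the legend "In the INTERFACE column, '-' indicates neither required nor optional" sits between the "goes down" introduction and its table although the "comes up" table above also uses '-', so it belongs before the first table.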
@ -294,13 +420,7 @@ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
||||
iptables-restore input.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
I V. K N O W N P R O B L E M S R E M A I N I N G
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
None.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
V. N E W F E A T U R E S I N T H I S R E L E A S E
|
||||
N E W F E A T U R E S I N 4 . 4 . 9
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) The compiler now auto-detects bridges for the purpose of setting
|
||||
@ -401,10 +521,7 @@ None.
|
||||
administrative system. Simply install using the tarball installer.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
I N P R I O R R E L E A S E S
|
||||
----------------------------------------------------------------------------
|
||||
P R O B L E M S C O R R E C T E D I N 4 . 4 . 8
|
||||
P R O B L E M S C O R R E C T E D I N 4 . 4 . 9
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) A CONTINUE rule specifying a log level would cause the compiler to
|
||||
|
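Review bot: this hunk changes the heading between `P R O B L E M S C O R R E C T E D I N 4 . 4 . 8` and `P R O B L E M S C O R R E C T E D I N 4 . 4 . 9` while the entries beneath it (`1) A CONTINUE rule specifying a log level would cause the compiler to ...`) are unchanged, and the earlier hunk already introduces a `P R O B L E M S C O R R E C T E D I N 4 . 4 . 9` heading above the proxyarp fix. Please verify that the resulting file does not carry two 4.4.9 headings with the 4.4.8 fixes listed under the second one; if these items are the 4.4.8 corrections, the heading should stay at 4.4.8.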