holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Document Shorewall-init; delete old auto-stop code

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-05-18 14:42:39 -07:00
parent 5b2affbd01
commit 0c9a0150d2
2 changed files with 129 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -1345,11 +1345,6 @@ sub compile_updown() {
' detect_configuration', ' detect_configuration',
' define_firewall', ' define_firewall',
' ;;', ' ;;',
' cleared|unknown)',
' COMMAND=stop',
' detect_configuration',
' stop_firewall',
' ;;',
' esac', ' esac',
); );

141
Shorewall/releasenotes.txt
View File

@ -1,5 +1,6 @@
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
S H O R E W A L L 4 . 4 . 9 S H O R E W A L L 4 . 4 . 10
B E T A 1
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I. RELEASE 4.4 HIGHLIGHTS I. RELEASE 4.4 HIGHLIGHTS
@ -218,6 +219,131 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Startup Errors (those that are detected before the state of the
system has been altered), were previously not sent to the
STARTUP_LOG.
2) A regression of sorts occurred in Shorewall 4.4.9. Previously, a
Perl extension script could end with a call to add_rule(). Such a
script would fail in Shorewall 4.4.9 unless the 'trace' option was
specified on the run line.
While this issue has been corrected, users are advised to always
end their Perl extension scripts with the following line to insure
that the script returns a 'true' value:
1;
----------------------------------------------------------------------------
I V. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
None.
----------------------------------------------------------------------------
V. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Shorewall 4.4.10 includes a new 'Shorewall Init' package. This new
package provides two related features:
a) It allows the firewall to be closed prior to bringing up
network devices. This insures that unwanted connections are not
allowed between the time that the network comes up and when the
firewall is started.
b) It integrates with NetworkManager and distribution ifup/ifdown
systems to allow for 'event-driven' startup and shutdown.
The two facilities can be enabled separately.
When Shorewall-init is first installed, it does nothing until you
configure it.
The configuration file is /etc/default/shorewall-init on
Debian-based systems and /etc/sysconfig/shorewall-init otherwise.
There are two settings in the file:
PRODUCTS - lists the Shorewall packages that you want to
integrate with Shorewall-init. Example:
PRODUCTS="shorewall shorewall6"
IFUPDOWN When set to 1, enables integration with
NetworkManager and the ifup/ifdown scripts.
To close your firewall before networking starts:
a) in the Shorewall-init configuration file, set PRODUCTS to the
firewall products installed on your system.
b) be sure that your current firewall script(s) (normally in
/var/lib/<product>/firewall) is(are) compiled with the 4.4.10
compiler.
Shorewall and Shorewall6 users can execute these commands:
shorewall compile
shorewall6 compile
Shorewall-lite and Shorewall6-lite users can execute these
commands on the administrative system.
shorewall export <firewall-name-or-ip-address>
shorewall6 export <firewall-name-or-ip-address>
That's all that is required.
To integrate with NetworkManager and ifup/ifdown, additional steps
are required.
a) In the Shorewall-init configuration file, set IFUPDOWN=1.
b) In your Shorewall interfaces file(s), set the 'required' option
on any interfaces that must be up in order for the firewall to
start. At least one interface must have the 'required' option
if you perform the next optional step.
c) (Optional) -- If you have specified at least one 'required'
interface, you can then disable automatic firewall startup at
boot time.
On Debian-based systems, set start=0 in /etc/default/<product>.
On other systems, use your service startup configuration tool
(chkconfig, insserv, ...) to disable startup.
The following actions occur when an interface comes up:
FIREWALL INTERFACE ACTION
STATE
----------------------------------
Any required start
started optional restart
started - restart
The following actions occur when an interface goes down:
In the INTERFACE column, '-' indicates neither required nor
optional
FIREWALL INTERFACE ACTION
STATE
----------------------------------
Any required stop
started optional restart
started - restart
For optional interfaces, the /var/lib/<product>/<interface>.state
files are maintained to reflect the state of the interface.
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 9
----------------------------------------------------------------------------
1) Logical interface names in the EXTERNAL column of 1) Logical interface names in the EXTERNAL column of
/etc/shorewall/proxyarp were previously not mapped to their /etc/shorewall/proxyarp were previously not mapped to their
corresponding physical interface names. This could cause 'start' or corresponding physical interface names. This could cause 'start' or
@ -294,13 +420,7 @@ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
iptables-restore input. iptables-restore input.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. K N O W N P R O B L E M S R E M A I N I N G N E W F E A T U R E S I N 4 . 4 . 9
----------------------------------------------------------------------------
None.
----------------------------------------------------------------------------
V. N E W F E A T U R E S I N T H I S R E L E A S E
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) The compiler now auto-detects bridges for the purpose of setting 1) The compiler now auto-detects bridges for the purpose of setting
@ -401,10 +521,7 @@ None.
administrative system. Simply install using the tarball installer. administrative system. Simply install using the tarball installer.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S P R O B L E M S C O R R E C T E D I N 4 . 4 . 9
I N P R I O R R E L E A S E S
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 8
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) A CONTINUE rule specifying a log level would cause the compiler to 1) A CONTINUE rule specifying a log level would cause the compiler to