forked from extern/shorewall_code
fixed quotes, add CVS Id
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1005 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent ce8e0a9771
commit 220f2c405b
@ -2,7 +2,7 @@
|
|||||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||||
<article>
|
<article>
|
||||||
<!---->
|
<!--$Id$-->
|
||||||
|
|
||||||
<articleinfo>
|
<articleinfo>
|
||||||
<title>Starting/Stopping and Monitoring the Firewall</title>
|
<title>Starting/Stopping and Monitoring the Firewall</title>
|
||||||
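Review bot: the $Id$ keyword in the new comment (<!--$Id$--> in place of the empty <!---->) only expands when keyword substitution is enabled for this file: under Subversion the file needs the svn:keywords property set to Id, and CVS expands it only for files stored as text with expansion enabled. If that property is absent the document ships with the literal string $Id$, which is harmless but gives no revision stamp, so checking the property belongs with this change.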
@ -38,12 +38,12 @@
|
|||||||
|
|
||||||
<para>If you have a permanent internet connection such as DSL or Cable, I
|
<para>If you have a permanent internet connection such as DSL or Cable, I
|
||||||
recommend that you start the firewall automatically at boot. Once you have
|
recommend that you start the firewall automatically at boot. Once you have
|
||||||
installed "firewall" in your init.d directory, simply type
|
installed <quote>firewall</quote> in your init.d directory, simply type
|
||||||
"chkconfig --add firewall". This will start the firewall in run
|
<quote>chkconfig --add firewall</quote>. This will start the firewall in
|
||||||
levels 2-5 and stop it in run levels 1 and 6. If you want to configure
|
run levels 2-5 and stop it in run levels 1 and 6. If you want to configure
|
||||||
your firewall differently from this default, you can use the
|
your firewall differently from this default, you can use the
|
||||||
"--level" option in chkconfig (see "man chkconfig") or
|
<quote>--level</quote> option in chkconfig (see <quote>man chkconfig</quote>)
|
||||||
using your favorite graphical run-level editor.</para>
|
or using your favorite graphical run-level editor.</para>
|
||||||
|
|
||||||
<caution>
|
<caution>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
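Review bot: <quote> is the wrong element for text the reader has to type or read verbatim: "<quote>chkconfig --add firewall</quote>", "<quote>--level</quote>" and "<quote>man chkconfig</quote>" will render as typographic quotation marks, not monospace, so the reader cannot tell which characters belong to the command. DocBook's <command>chkconfig --add firewall</command>, <option>--level</option> and <filename>firewall</filename> (for the init script) carry the intended meaning and render verbatim; the same substitution applies to the other <quote> wrappers this commit introduces. The run-level description itself is correct as shown.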
@ -51,25 +51,24 @@
|
|||||||
<para>Shorewall startup is disabled by default. Once you have
|
<para>Shorewall startup is disabled by default. Once you have
|
||||||
configured your firewall, you can enable startup by removing the
|
configured your firewall, you can enable startup by removing the
|
||||||
file /etc/shorewall/startup_disabled. Note: Users of the .deb
|
file /etc/shorewall/startup_disabled. Note: Users of the .deb
|
||||||
package must edit /etc/default/shorewall and set
|
package must edit /etc/default/shorewall and set <quote>startup=1</quote>.</para>
|
||||||
'startup=1'.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If you use dialup, you may want to start the firewall in your
|
<para>If you use dialup, you may want to start the firewall in your
|
||||||
/etc/ppp/ip-up.local script. I recommend just placing "shorewall
|
/etc/ppp/ip-up.local script. I recommend just placing
|
||||||
restart" in that script. </para>
|
<quote>shorewall restart</quote> in that script.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</caution>
|
</caution>
|
||||||
|
|
||||||
<para>You can manually start and stop Shoreline Firewall using the
|
<para>You can manually start and stop Shoreline Firewall using the
|
||||||
"shorewall" shell program. Please refer to the Shorewall State
|
<quote>shorewall</quote> shell program. Please refer to the Shorewall
|
||||||
Diagram as shown at the bottom of this page.</para>
|
State Diagram as shown at the bottom of this page.</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall start - starts the firewall </para>
|
<para>shorewall start - starts the firewall</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -78,28 +77,28 @@
|
|||||||
/etc/shorewall/routestopped (Beginning with version 1.4.7, if
|
/etc/shorewall/routestopped (Beginning with version 1.4.7, if
|
||||||
ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf then in
|
ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf then in
|
||||||
addition, all existing connections are permitted and any new
|
addition, all existing connections are permitted and any new
|
||||||
connections originating from the firewall itself are allowed). </para>
|
connections originating from the firewall itself are allowed).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall restart - stops the firewall (if it's running) and
|
<para>shorewall restart - stops the firewall (if it's running) and
|
||||||
then starts it again </para>
|
then starts it again</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall reset - reset the packet and byte counters in the
|
<para>shorewall reset - reset the packet and byte counters in the
|
||||||
firewall </para>
|
firewall</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall clear - remove all rules and chains installed by
|
<para>shorewall clear - remove all rules and chains installed by
|
||||||
Shoreline Firewall. The firewall is "wide open" </para>
|
Shoreline Firewall. The firewall is <quote>wide open</quote></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall refresh - refresh the rules involving the broadcast
|
<para>shorewall refresh - refresh the rules involving the broadcast
|
||||||
addresses of firewall interfaces, the black list, traffic control
|
addresses of firewall interfaces, the black list, traffic control
|
||||||
rules and ECN control rules. </para>
|
rules and ECN control rules.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
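Review bot: the reflowed line "Shoreline Firewall. The firewall is <quote>wide open</quote></para>" still ends without a full stop, while every neighbouring item in this hunk was just tidied to end with one; add the period after </quote>. Since clear is the one command in this list that leaves the host with no filtering at all, that sentence would also stand out better as a <caution>, the way the check item later on the page carries one, rather than sitting among the routine commands.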
@ -107,17 +106,17 @@
|
|||||||
trace of the command is produced as in:</para>
|
trace of the command is produced as in:</para>
|
||||||
|
|
||||||
<para><programlisting> shorewall debug start 2> /tmp/trace</programlisting>The
|
<para><programlisting> shorewall debug start 2> /tmp/trace</programlisting>The
|
||||||
above command would trace the 'start' command and place the trace
|
above command would trace the <quote>start</quote> command and place the
|
||||||
information in the file /tmp/trace</para>
|
trace information in the file /tmp/trace</para>
|
||||||
|
|
||||||
<para>Beginning with version 1.4.7, shorewall can give detailed help about
|
<para>Beginning with version 1.4.7, shorewall can give detailed help about
|
||||||
each of its commands: <programlisting> shorewall help [ command | host | address ]</programlisting>The
|
each of its commands: <programlisting> shorewall help [ command | host | address ]</programlisting>The
|
||||||
"shorewall" program may also be used to monitor the firewall.</para>
|
<quote>shorewall</quote> program may also be used to monitor the firewall.</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall status - produce a verbose report about the firewall
|
<para>shorewall status - produce a verbose report about the firewall
|
||||||
(iptables -L -n -v) </para>
|
(iptables -L -n -v)</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
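Review bot: the unchanged context line "shorewall debug start 2> /tmp/trace" redirects a trace written as root to a fixed, predictable name in the world-writable /tmp directory, and readers copy documentation examples verbatim; a pre-existing /tmp/trace, or a symlink of that name left by another local user, is followed by the shell's redirection. A path in a root-only directory such as /root/trace, or a name obtained from mktemp, avoids that and costs nothing in the example. On the changed line, "<quote>start</quote>" is a command argument, for which <command> or <literal> fits better than <quote>.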
@ -130,53 +129,51 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall show nat - produce a verbose report about the nat
|
<para>shorewall show nat - produce a verbose report about the nat
|
||||||
table (iptables -t nat -L -n -v) </para>
|
table (iptables -t nat -L -n -v)</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall show tos - produce a verbose report about the mangle
|
<para>shorewall show tos - produce a verbose report about the mangle
|
||||||
table (iptables -t mangle -L -n -v) </para>
|
table (iptables -t mangle -L -n -v)</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall show log - display the last 20 packet log entries.
|
<para>shorewall show log - display the last 20 packet log entries.</para>
|
||||||
</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall show connections - displays the IP connections
|
<para>shorewall show connections - displays the IP connections
|
||||||
currently being tracked by the firewall. </para>
|
currently being tracked by the firewall.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall show tc - displays information about the traffic
|
<para>shorewall show tc - displays information about the traffic
|
||||||
control/shaping configuration. </para>
|
control/shaping configuration.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall monitor [ delay ] - Continuously display the firewall
|
<para>shorewall monitor [ delay ] - Continuously display the firewall
|
||||||
status, last 20 log entries and nat. When the log entry display
|
status, last 20 log entries and nat. When the log entry display
|
||||||
changes, an audible alarm is sounded. </para>
|
changes, an audible alarm is sounded.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall hits - Produces several reports about the Shorewall
|
<para>shorewall hits - Produces several reports about the Shorewall
|
||||||
packet log messages in the current /var/log/messages file. </para>
|
packet log messages in the current /var/log/messages file.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall version - Displays the installed version number.
|
<para>shorewall version - Displays the installed version number.</para>
|
||||||
</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall check - Performs a cursory validation of the zones,
|
<para>shorewall check - Performs a cursory validation of the zones,
|
||||||
interfaces, hosts, rules and policy files.<caution><para>The
|
interfaces, hosts, rules and policy files.<caution><para>The
|
||||||
"check" command is totally unsuppored and does not parse and
|
<quote>check</quote> command is totally unsuppored and does not parse
|
||||||
validate the generated iptables commands. Even though the
|
and validate the generated iptables commands. Even though the
|
||||||
"check" command completes successfully, the configuration may
|
<quote>check</quote> command completes successfully, the configuration
|
||||||
fail to start. Problem reports that complain about errors that the
|
may fail to start. Problem reports that complain about errors that the
|
||||||
'check' command does not detect will not be accepted.</para><para>See
|
<quote>check</quote> command does not detect will not be accepted.</para><para>See
|
||||||
the recommended way to make configuration changes described below.</para></caution></para>
|
the recommended way to make configuration changes described below.</para></caution></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
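Review bot: the rewrapped line "<quote>check</quote> command is totally unsuppored and does not parse" carries the misspelling "unsuppored" over from the old text; since the line is being rewritten anyway, correct it to "unsupported". The rest of the hunk is whitespace and quote cleanup and reads correctly, and the substance of the caution (a successful check does not guarantee that the configuration will start) is unchanged.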
@ -185,7 +182,7 @@
|
|||||||
shorewall using the specified configuration and if an error occurs or
|
shorewall using the specified configuration and if an error occurs or
|
||||||
if the timeout option is given and the new configuration has been up
|
if the timeout option is given and the new configuration has been up
|
||||||
for that many seconds then shorewall is restarted using the standard
|
for that many seconds then shorewall is restarted using the standard
|
||||||
configuration. </para>
|
configuration.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -202,13 +199,13 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall ipcalc [ address mask | address/vlsm ] - displays the
|
<para>shorewall ipcalc [ address mask | address/vlsm ] - displays the
|
||||||
network address, broadcast address, network in CIDR notation and
|
network address, broadcast address, network in CIDR notation and
|
||||||
netmask corresponding to the input[s]. </para>
|
netmask corresponding to the input[s].</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall iprange address1-address2 - Decomposes the specified
|
<para>shorewall iprange address1-address2 - Decomposes the specified
|
||||||
range of IP addresses into the equivalent list of network/host
|
range of IP addresses into the equivalent list of network/host
|
||||||
addresses. </para>
|
addresses.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
@ -218,25 +215,24 @@
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall drop <ip address list> - causes packets from
|
<para>shorewall drop <ip address list> - causes packets from
|
||||||
the listed IP addresses to be silently dropped by the firewall.
|
the listed IP addresses to be silently dropped by the firewall.</para>
|
||||||
</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall reject <ip address list> - causes packets from
|
<para>shorewall reject <ip address list> - causes packets from
|
||||||
the listed IP addresses to be rejected by the firewall. </para>
|
the listed IP addresses to be rejected by the firewall.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall allow <ip address list> - re-enables receipt
|
<para>shorewall allow <ip address list> - re-enables receipt
|
||||||
of packets from hosts previously blacklisted by a drop or reject
|
of packets from hosts previously blacklisted by a drop or reject
|
||||||
command. </para>
|
command.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall save - save the dynamic blacklisting configuration so
|
<para>shorewall save - save the dynamic blacklisting configuration so
|
||||||
that it will be automatically restored the next time that the firewall
|
that it will be automatically restored the next time that the firewall
|
||||||
is restarted. </para>
|
is restarted.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
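Review bot: the new line "<para>shorewall drop <ip address list> - causes packets from" and the matching reject and allow items contain <ip address list> as bare angle brackets. If the source file really holds literal < and > there rather than &lt; and &gt;, the document is not well-formed XML and cannot validate against the DocBook 4.2 DTD declared at the top of the file; the idiomatic form is <replaceable>ip address list</replaceable>, which validates and renders the placeholder in italics. Worth confirming while these lines are being touched.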
@ -244,13 +240,13 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>Finally, the "shorewall" program may be used to dynamically
|
<para>Finally, the <quote>shorewall</quote> program may be used to
|
||||||
alter the contents of a zone.</para>
|
dynamically alter the contents of a zone.</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall add interface[:host] zone - Adds the specified
|
<para>shorewall add interface[:host] zone - Adds the specified
|
||||||
interface (and host if included) to the specified zone. </para>
|
interface (and host if included) to the specified zone.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -264,7 +260,7 @@
|
|||||||
|
|
||||||
<para>The shorewall start, shorewall restart, shorewall check, and
|
<para>The shorewall start, shorewall restart, shorewall check, and
|
||||||
shorewall try commands allow you to specify which Shorewall configuration
|
shorewall try commands allow you to specify which Shorewall configuration
|
||||||
to use: </para>
|
to use:</para>
|
||||||
|
|
||||||
<programlisting> shorewall [ -c configuration-directory ] {start|restart|check}
|
<programlisting> shorewall [ -c configuration-directory ] {start|restart|check}
|
||||||
shorewall try configuration-directory</programlisting>
|
shorewall try configuration-directory</programlisting>
|
||||||
@ -279,36 +275,35 @@
|
|||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>mkdir /etc/test </para>
|
<para>mkdir /etc/test</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>cd /etc/test </para>
|
<para>cd /etc/test</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><copy any files that you need to change from /etc/shorewall
|
<para><copy any files that you need to change from /etc/shorewall
|
||||||
to . and change them here> </para>
|
to . and change them here></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>shorewall -c . check </para>
|
<para>shorewall -c . check</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><correct any errors found by check and check again>
|
<para><correct any errors found by check and check again></para>
|
||||||
</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>/sbin/shorewall try . </para>
|
<para>/sbin/shorewall try .</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>If the configuration starts but doesn't work, just
|
<para>If the configuration starts but doesn't work, just
|
||||||
"shorewall restart" to restore the old configuration. If the new
|
<quote>shorewall restart</quote> to restore the old configuration. If the
|
||||||
configuration fails to start, the "try" command will automatically
|
new configuration fails to start, the <quote>try</quote> command will
|
||||||
start the old one for you.</para>
|
automatically start the old one for you.</para>
|
||||||
|
|
||||||
<para>When the new configuration works then just:</para>
|
<para>When the new configuration works then just:</para>
|
||||||
|
|
||||||
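Review bot: the procedure mixes "shorewall -c . check" with "/sbin/shorewall try ." in the very next step; use one spelling (the bare command, as everywhere else on the page) so the reader is not left wondering whether try needs the absolute path. The two placeholder steps, "<copy any files that you need to change from /etc/shorewall" and "<correct any errors found by check and check again>", use bare angle brackets for prose placeholders, which are either ill-formed XML or at best render as bogus tags; <replaceable> or plain text without brackets would be cleaner.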
@ -318,11 +313,11 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>cd </para>
|
<para>cd</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>rm -rf /etc/test </para>
|
<para>rm -rf /etc/test</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
@ -330,9 +325,10 @@
|
|||||||
align="center" fileref="images/State_Diagram.png" /></para>
|
align="center" fileref="images/State_Diagram.png" /></para>
|
||||||
|
|
||||||
<para>You will note that the commands that result in state transitions use
|
<para>You will note that the commands that result in state transitions use
|
||||||
the word "firewall" rather than "shorewall". That is
|
the word <quote>firewall</quote> rather than <quote>shorewall</quote>.
|
||||||
because the actual transitions are done by /usr/share/shorewall/firewall;
|
That is because the actual transitions are done by
|
||||||
/sbin/shorewall runs 'firewall" according to the following table:</para>
|
/usr/share/shorewall/firewall; /sbin/shorewall runs <quote>firewall</quote>
|
||||||
|
according to the following table:</para>
|
||||||
|
|
||||||
<informaltable>
|
<informaltable>
|
||||||
<tgroup cols="3">
|
<tgroup cols="3">
|
||||||
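Review bot: /usr/share/shorewall/firewall and /sbin/shorewall on the reflowed lines are file paths and read better as <filename>, and the script name in "<quote>firewall</quote>" as <command>, so the rendered text distinguishes the program from the ordinary word "firewall" that the same paragraph uses. The replacement of the mismatched 'firewall" with <quote>firewall</quote> does fix the stray quote that the commit message refers to.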
@ -354,7 +350,7 @@
|
|||||||
<entry>firewall start</entry>
|
<entry>firewall start</entry>
|
||||||
|
|
||||||
<entry>The system filters packets based on your current Shorewall
|
<entry>The system filters packets based on your current Shorewall
|
||||||
Configuration </entry>
|
Configuration</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
@ -367,7 +363,7 @@
|
|||||||
beginning with 1.4.7, if ADMINISABSENTMINDED=Yes in
|
beginning with 1.4.7, if ADMINISABSENTMINDED=Yes in
|
||||||
/etc/shorewall/shorewall.conf then in addition, all existing
|
/etc/shorewall/shorewall.conf then in addition, all existing
|
||||||
connections are retained and all connection requests from the
|
connections are retained and all connection requests from the
|
||||||
firewall are accepted. </entry>
|
firewall are accepted.</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
@ -375,16 +371,15 @@
|
|||||||
|
|
||||||
<entry>firewall restart</entry>
|
<entry>firewall restart</entry>
|
||||||
|
|
||||||
<entry>Logically equivalent to "firewall stop;firewall
|
<entry>Logically equivalent to <quote>firewall stop;firewall start</quote></entry>
|
||||||
start"</entry>
|
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>shorewall add</entry>
|
<entry>shorewall add</entry>
|
||||||
|
|
||||||
<entry> firewall add</entry>
|
<entry>firewall add</entry>
|
||||||
|
|
||||||
<entry>Adds a host or subnet to a dynamic zone </entry>
|
<entry>Adds a host or subnet to a dynamic zone</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
@ -392,13 +387,13 @@
|
|||||||
|
|
||||||
<entry>firewall delete</entry>
|
<entry>firewall delete</entry>
|
||||||
|
|
||||||
<entry>Deletes a host or subnet from a dynamic zone </entry>
|
<entry>Deletes a host or subnet from a dynamic zone</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>shorewall refresh</entry>
|
<entry>shorewall refresh</entry>
|
||||||
|
|
||||||
<entry> firewall refresh</entry>
|
<entry>firewall refresh</entry>
|
||||||
|
|
||||||
<entry>Reloads rules dealing with static blacklisting, traffic
|
<entry>Reloads rules dealing with static blacklisting, traffic
|
||||||
control and ECN.</entry>
|
control and ECN.</entry>
|
||||||
@ -409,7 +404,7 @@
|
|||||||
|
|
||||||
<entry>firewall reset</entry>
|
<entry>firewall reset</entry>
|
||||||
|
|
||||||
<entry>Resets traffic counters </entry>
|
<entry>Resets traffic counters</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
@ -418,7 +413,7 @@
|
|||||||
<entry>firewall clear</entry>
|
<entry>firewall clear</entry>
|
||||||
|
|
||||||
<entry>Removes all Shorewall rules, chains, addresses, routes and
|
<entry>Removes all Shorewall rules, chains, addresses, routes and
|
||||||
ARP entries. </entry>
|
ARP entries.</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
|