Add 'load' command; together with the 'reload' command, this allows users to operate shorewall/shorewall-lite without caring where the 'firewall' script is stored

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4132 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-06-17 17:17:45 +00:00
parent a44268bf87
commit 6fdd96fddb
7 changed files with 161 additions and 102 deletions

View File

@ -69,17 +69,14 @@ e) On the administrative system, for each firewall system you:
2) (this may be done as a non-root user)
cd <configuration directory>
/sbin/shorewall compile -e . firewall
scp firewall root@<firewall system>:/var/lib/shorewall-lite/
/sbin/shorewall load . <firewall system>
Note : The 'firewall' script is in /var/lib/shorewall-lite in
packages from shorewall.net. The package maintainers for the
various distributions are free to choose the directory where the
script will be stored under their distribution. You can look in
your /usr/share/shorewall-lite/configpath file to see what your
distribution defines for the value of LITEDIR.
3) If you need to change the configuration, after you
have modified the configuration:
cd <configuration directory>
/sbin/shorewall reload . <firewall system>
3) On the firewall system, 'shorewall-lite start'.
It is possible to have both shorewall and Shorewall Lite
installed on the same system.
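Review bot: the step list in this hunk now carries two entries labelled `3)` (`3) If you need to change the configuration, after you` and `3) On the firewall system, 'shorewall-lite start'.`); renumber them, and since `load` already starts Shorewall Lite on the firewall system via ssh, the separate 'shorewall-lite start' step looks redundant for this workflow. Likewise, if the `/sbin/shorewall compile -e . firewall` line is kept alongside `/sbin/shorewall load . <firewall system>`, it duplicates work that `load` performs itself. It would also help to state up front that `load` and `reload` require root ssh access from the administrative system to <firewall system>, as the shorewall documentation in this commit does, because that is a trust relationship the administrator has to set up deliberately.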

View File

@ -202,6 +202,19 @@ iprange)
equivalent list of network/host addresses."
;;
load)
echo "load: load [ <directory> ] <system>
If <directory> is omitted, then the current working directory is assumed.
Requires that Shorewall Lite be installed on the named <system>.
Causes the shorewall configuration in <directory> to be compiled into a
program called '<directory>/firewall'. If compilation is successful,
the '<directory>/firewall' script is copied via scp to the
${LITEDIR} directory on <system>. If the script is copied
successfully, Shorewall Lite on <system> is started via ssh."
;;
logdrop)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored and loged.
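Review bot: the help text for `load` describes the compile, scp and start steps but not that the invoking user needs root ssh/scp access to <system>; a sentence such as "Requires that the user have root access to <system> via ssh" would match the wording used in the shorewall documentation and tell the user which credentials the command will use. Minor: the neighbouring `logdrop` context line spells 'logged' as 'loged'.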

View File

@ -47,14 +47,14 @@ Other changes in 3.2.0 RC 4
installed on your administrative system(s) and Shorewall Lite RC4
on the firewall system(s).
2) A "reload" command has been added. This command allows a non-root
user with ssh access to a remote system to compile a firewall
script on the local system and to install that script on the remote
system.
2) "load" and "reload" commands have been added. These commands allow
a non-root user with ssh access to a remote system to compile a
firewall script on the local system and to install that script on
the remote system.
Syntax is:
shorewall reload [ <directory> ] <system>
shorewall [re]load [ <directory> ] <system>
If <directory> is omitted, the current working directory is
assumed.
@ -63,13 +63,15 @@ Other changes in 3.2.0 RC 4
/sbin/shorewall compile -e . firewall &&\
scp firewall root@<system>:/var/lib/shorewall-lite/ &&\
ssh root@<system> '/sbin/shorewall-lite restart' # Note 1
ssh root@<system> '/sbin/shorewall-lite [re]start' # Note 1
In other words, the configuration in the specified (or defaulted)
directory is compiled to a file called firewall in that
directory. If compilation succeeds, then 'firewall' is copied to the
(usually remote) <system> using scp. If the copy succeeds,
Shorewall Lite on <system> is restarted via ssh.
Shorewall Lite on <system> is started or restarted via ssh (
load causes Shorewall Lite to be started and 'reload' causes
Shorewall Lite to be re-started)
Note 1: In Shorewall Lite 3.2.0 RC4, the 'firewall' script has moved
from /usr/share/shorewall-lite/ to /var/lib/shorewall-lite in
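Review bot: the equivalent-command listing still hard-codes `scp firewall root@<system>:/var/lib/shorewall-lite/ &&\` while Note 1 directly below explains that the location is distribution-dependent and the script itself copies to `${LITEDIR}`; writing the destination as `root@<system>:<LITEDIR>/` keeps the release notes consistent with the implementation. The closing sentence also splits its parenthesis awkwardly across lines and lacks a terminating period; suggest `Shorewall Lite on <system> is started or restarted via ssh ('load' causes Shorewall Lite to be started and 'reload' causes Shorewall Lite to be restarted).`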

View File

@ -49,6 +49,9 @@
# compensate for a change of
# broadcast address on any "detect"
# interface.
# shorewall [re]load [ <directory> ] <system>
# Compile a script and install it on a
# remote Shorewall Lite system.
# shorewall show <chain> [ <chain> ... ] Display the rules in each <chain> listed
# shorewall show actions Displays the available actions
# shorewall show log Print the last 20 log messages
@ -200,14 +203,14 @@ get_config() {
# from /usr/share/shorewall/configpath.
#
export CONFIG_PATH
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
if [ ! -f $LOGFILE ]; then
echo "LOGFILE ($LOGFILE) does not exist!" >&2
exit 2
fi
if [ -n "$IPTABLES" ]; then
if [ ! -e "$IPTABLES" ]; then
echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
@ -220,9 +223,9 @@ get_config() {
exit 2
fi
fi
export IPTABLES
#
# See if we have a real version of "tail" -- use separate redirection so
# that ash (aka /bin/sh on LRP) doesn't crap
@ -240,7 +243,7 @@ get_config() {
validate_restorefile RESTOREFILE
export RESTOREFILE
case $STARTUP_ENABLED in
No|no|NO)
echo " WARNING: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/shorewall.conf" >&2
@ -255,7 +258,7 @@ get_config() {
fi
;;
esac
case ${TC_ENABLED:=Internal} in
No|NO|no)
TC_ENABLED=
@ -263,7 +266,7 @@ get_config() {
esac
[ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
export LOGFORMAT
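Review bot: visible in this hunk's context, `[ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"` tests the literal string LOGFORMAT rather than the variable, so the condition is always true; it should read `[ -n "$LOGFORMAT" ]`. The effect is harmless because the following line supplies the default, but it is worth fixing while get_config() is being touched.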
@ -1299,18 +1302,25 @@ restore_command() {
fi
}
#
# Reload command executor
# [Re]load command executor
#
reload_command()
reload_command()
{
local verbose=$(make_verbose)
shorewall $debugging $verbose compile -e $1 $1/firewall && \
if shorewall $debugging $verbose compile -e $1 $1/firewall && \
echo "Copying ${1}/firewall to ${2}:${LITEDIR}..." && \
scp $1/firewall root@${2}:${LITEDIR}/ && \
echo "Copy complete" && \
ssh root@${2} "/sbin/shorewall-lite $debugging $verbose restart" && \
progress_message3 "System $2 reloaded"
scp $1/firewall root@${2}:${LITEDIR}
then
echo "Copy complete"
if [ $COMMAND = reload ]; then
ssh root@${2} "/sbin/shorewall-lite $debugging $verbose restart" && \
progress_message3 "System $2 reloaded"
else
ssh root@${2} "/sbin/shorewall-lite $debugging $verbose restart" && \
progress_message3 "System $2 reloaded"
fi
fi
}
#
# Help information
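Review bot: both branches of `if [ $COMMAND = reload ]; then` run `/sbin/shorewall-lite $debugging $verbose restart` and report "System $2 reloaded", so `load` never starts Shorewall Lite as the help text and release notes promise; the else branch should invoke `start` and report "System $2 loaded". Two smaller points: dropping the trailing slash in `scp $1/firewall root@${2}:${LITEDIR}` changes the failure mode, because if ${LITEDIR} does not exist on the remote host scp will create a regular file by that name instead of failing, whereas `${LITEDIR}/` makes the missing directory an error; and `$1`, `$2` and `$COMMAND` are used unquoted even though the resulting ssh command runs as root on the remote firewall, so quoting them (and the `[ "$COMMAND" = reload ]` test) would be prudent.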
@ -1342,6 +1352,7 @@ usage() # $1 = exit status
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
echo " ipdecimal { <address> | <integer> }"
echo " iprange <address>-<address>"
echo " load [ <directory> ] <system>"
echo " logdrop <address> ..."
echo " logreject <address> ..."
echo " logwatch [<refresh interval>]"
@ -1653,7 +1664,7 @@ case "$COMMAND" in
shift
show_command $@
;;
reload)
load|reload)
shift
case $# in
1)
@ -1668,7 +1679,7 @@ case "$COMMAND" in
usage 1
;;
esac
reload_command $directory $system
;;
status)

View File

@ -214,6 +214,51 @@
<programlisting><command>/usr/share/shorewall-lite/shorecap &gt; capabilities</command>
<command>scp capabilities &lt;admin system&gt;:&lt;this system's config dir&gt;</command></programlisting>
<para>If you are running Debian or one of its derivatives like Ubuntu
then edit /etc/default/shorewall-lite and set startup=1.</para>
<para>Shorewall Lite includes a very limited version of
<filename>shorewall.conf
</filename>(<filename>/etc/shorewall-lite/shorewall.conf</filename>).
It includes the following options which have the same meaning as in a
full Shorewall installation except as noted below:</para>
<blockquote>
<simplelist>
<member>VERBOSITY</member>
<member>LOGFILE</member>
<member>LOGFORMAT — used by <filename>/sbin/shorewall</filename>
for finding 'Shorewall' log messages. If LOGFORMAT was specified
in the shorewall.conf file used at compile time on the
administrative system, then the format of the messages themselves
is defined by that value. If LOGFORMAT was not specified at
compile time then the firewall script will use the value from
<filename>/etc/shorewall-lite/shorewall.conf</filename> on the
firewall system.</member>
<member>IPTABLES — determines the iptables binary to be used by
<filename>/sbin/shorewall</filename>. The compiled firewall script
will use the IPTABLES specified in
<filename>shorewall.conf</filename> at compile time on the
administrative system, if any; if IPTABLES was not specified at
compile time then the IPTABLES value from
<filename>/etc/shorewall-lite/shorewall.conf</filename> on the
firewall system will be used by the firewall script.</member>
<member>PATH</member>
<member>SHOREWALL_SHELL</member>
<member>SUBSYSLOCK</member>
<member>RESTOREFILE</member>
</simplelist>
</blockquote>
<para>Edit the shorewall.conf file as required.</para>
</listitem>
<listitem>
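Review bot: `<filename>shorewall.conf` followed by `</filename>` on the next line puts a line break inside the element, which renders as stray whitespace before the parenthesised path; close the element on the same line as its content. The block is otherwise moved unchanged from its previous location.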
@ -239,81 +284,17 @@
<listitem>
<programlisting><command>cd &lt;configuration directory&gt;</command>
<command>/sbin/shorewall compile -e . firewall</command>
<command>scp firewall root@&lt;firewall system&gt;:/var/lib/shorewall-lite/</command></programlisting>
<command>/sbin/shorewall load . firewall</command></programlisting>
<note>
<para>The 'firewall' script is in <filename
class="directory">/var/lib/shorewall-lite</filename> in packages
from shorewall.net. The package maintainers for the various
distributions are free to choose the directory where the script
will be stored under their distribution. See the output of
<command>shorewall[-lite] show config</command> for the value of
LITEDIR on your distribution.</para>
<para>Example:</para>
<programlisting>gateway:~ # <command>shorewall-lite show config</command>
Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite
LITEDIR is /var/lib/shorewall-lite
gateway:~ #</programlisting>
</note>
<para>The load command compiles a firewall script from the
configuration files in the current working directory, copies that
file to the remote system via scp and starts Shorewall Lite on the
remote system via ssh.</para>
</listitem>
</orderedlist>
</listitem>
<listitem>
<para>On each firewall system:</para>
<para>Modify <filename>/etc/shorewall-lite/shorewall.conf</filename>
as needed.</para>
<para>If you are running Debian or one of its derivatives like Ubuntu
then edit /etc/default/shorewall-lite and set startup=1.</para>
<programlisting><command>shorewall-lite start</command></programlisting>
</listitem>
</orderedlist>
<para>Shorewall Lite includes a very limited version of
<filename>shorewall.conf
</filename>(<filename>/etc/shorewall-lite/shorewall.conf</filename>). It
includes the following options which have the same meaning as in a full
Shorewall installation except as noted below:</para>
<blockquote>
<simplelist>
<member>VERBOSITY</member>
<member>LOGFILE</member>
<member>LOGFORMAT — used by <filename>/sbin/shorewall</filename> for
finding 'Shorewall' log messages. If LOGFORMAT was specified in the
shorewall.conf file used at compile time on the administrative system,
then the format of the messages themselves is defined by that value.
If LOGFORMAT was not specified at compile time then the firewall
script will use the value from
<filename>/etc/shorewall-lite/shorewall.conf</filename> on the
firewall system.</member>
<member>IPTABLES — determines the iptables binary to be used by
<filename>/sbin/shorewall</filename>. The compiled firewall script
will use the IPTABLES specified in <filename>shorewall.conf</filename>
at compile time on the administrative system, if any; if IPTABLES was
not specified at compile time then the IPTABLES value from
<filename>/etc/shorewall-lite/shorewall.conf</filename> on the
firewall system will be used by the firewall script.</member>
<member>PATH</member>
<member>SHOREWALL_SHELL</member>
<member>SUBSYSLOCK</member>
<member>RESTOREFILE</member>
</simplelist>
</blockquote>
<para>The <filename>/sbin/shorewall-lite</filename> program included with
Shorewall Lite supports the same set of commands as the
<filename>/sbin/shorewall</filename> program in a full Shorewall
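Review bot: `<command>/sbin/shorewall load . firewall</command>` passes the script name where the command expects a system; per the usage `load [ <directory> ] <system>` this should be `/sbin/shorewall load . &lt;firewall system&gt;`, which is also the target the replaced scp line shows. The `<para>` describing `load` says it compiles from the current working directory, which matches the explicit `.` argument, but naming the directory argument there would avoid suggesting that `load` ignores it.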

View File

@ -889,6 +889,61 @@ gateway:~ #</programlisting>
</listitem>
</varlistentry>
<varlistentry id="Reload">
<term>load (Added in Shorewall 3.2.0 RC4 -- not supported by Shorewall
Lite)</term>
<listitem>
<para><command>load [ &lt;directory&gt; ]
&lt;system&gt;</command></para>
<para>If &lt;directory&gt; is omitted, the current working directory
is assumed.</para>
<para>Allows a non-root user to compile a shorewall script and
install it on a system (provided that the user has root access to
the system via ssh). The command is equivalent to:</para>
<simplelist>
<member><command>/sbin/shorewall compile -e &lt;directory&gt;
&lt;directory&gt;/firewall &amp;&amp;\</command></member>
<member><command>scp &lt;directory&gt;/firewall
root@&lt;system&gt;:/var/lib/shorewall-lite/
&amp;&amp;\</command></member>
<member><command>ssh root@&lt;system&gt; '/sbin/shorewall-lite
start'</command></member>
</simplelist>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called
<filename>firewall</filename> in that directory. If compilation
succeeds, then <filename>firewall</filename> is copied to
&lt;system&gt; using scp. If the copy succeeds, Shorewall Lite on
&lt;system&gt; is started via ssh.</para>
<note>
<para>The 'firewall' script is in <filename
class="directory">/var/lib/shorewall-lite</filename> in packages
from shorewall.net. The package maintainers for the various
distributions are free to choose the directory where the script
will be stored under their distribution. See the output of
<command>shorewall[-lite] show config</command> for the value of
LITEDIR on your distribution.</para>
<para>Example:</para>
<programlisting>gateway:~ # <command>shorewall-lite show config</command>
Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite
LITEDIR is /var/lib/shorewall-lite
gateway:~ #</programlisting>
</note>
<para>Example: <command>shorewall reload gateway</command></para>
</listitem>
</varlistentry>
<varlistentry>
<term>logdrop</term>
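Review bot: the new varlistentry for `load` carries `id="Reload"` and its example reads `shorewall reload gateway`; both look copied from the reload entry. Give it a distinct id (for example `id="Load"`; duplicate XML IDs make the document invalid if the reload entry keeps `id="Reload"`) and change the example to `shorewall load gateway`. The equivalent-command list also hard-codes `root@&lt;system&gt;:/var/lib/shorewall-lite/` immediately above a note stating that the directory is distribution-specific; `&lt;LITEDIR&gt;` would be consistent with that note and with the script.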

View File

@ -59,7 +59,7 @@ DIR=$PWD
#
# location and options for GnuPG
#
GPG="/usr/bin/gpg -ab --no-use-agent --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'"
GPG="/usr/bin/gpg -ab --batch --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'"
################################################################################
# V A R I A B L E S
################################################################################
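Review bot: replacing `--no-use-agent` with `--batch` changes how the release-signing key's passphrase is obtained: in batch mode gpg does not prompt interactively, so `gpg -ab --batch` fails for a passphrase-protected key unless gpg-agent already has it cached or the passphrase is supplied some other way (for example `--passphrase-fd`). If agent-driven signing is the intent, a short comment beside the `GPG=` line saying so would spare the next maintainer a failed release build; if signing must keep working without an agent, confirm that the build environment supplies the passphrase.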