diff --git a/Shorewall-lite/releasenotes.txt b/Shorewall-lite/releasenotes.txt index f0160b934..ff6c51924 100644 --- a/Shorewall-lite/releasenotes.txt +++ b/Shorewall-lite/releasenotes.txt @@ -69,17 +69,14 @@ e) On the administrative system, for each firewall system you: 2) (this may be done as a non-root user) cd - /sbin/shorewall compile -e . firewall - scp firewall root@:/var/lib/shorewall-lite/ + /sbin/shorewall load . - Note : The 'firewall' script is in /var/lib/shorewall-lite in - packages from shorewall.net. The package maintainers for the - various distributions are free to choose the directory where the - script will be stored under their distribution. You can look in - your /usr/share/shorewall-lite/configpath file to see what your - distribution defines for the value of LITEDIR. + 3) If you need to change the configuration, after you + have modified the configuration: + + cd + /sbin/shorewall reload . - 3) On the firewall system, 'shorewall-lite start'. It is possible to have both shorewall and Shorewall Lite installed on the same system. diff --git a/Shorewall/help b/Shorewall/help index 10bd5ce35..d67d9698c 100755 --- a/Shorewall/help +++ b/Shorewall/help @@ -202,6 +202,19 @@ iprange) equivalent list of network/host addresses." ;; +load) + echo "load: load [ ] + If is omitted, then the current working directory is assumed. + + Requires that Shorewall Lite be installed on the named . + + Causes the shorewall configuration in to be compiled into a + program called '/firewall'. If compilation is successful, + the '/firewall' script is copied via scp to the + ${LITEDIR} directory on . If the script is copied + successfully, Shorewall Lite on is started via ssh." + ;; + logdrop) echo "$1: $1
... Causes packets from the specified
to be ignored and loged. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index cfd814d61..5538ab36e 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -47,14 +47,14 @@ Other changes in 3.2.0 RC 4 installed on your administrative system(s) and Shorewall Lite RC4 on the firewall system(s). -2) A "reload" command has been added. This command allows a non-root - user with ssh access to a remote system to compile a firewall - script on the local system and to install that script on the remote - system. +2) "load" and "reload" commands have been added. These commands allow + a non-root user with ssh access to a remote system to compile a + firewall script on the local system and to install that script on + the remote system. Syntax is: - shorewall reload [ ] + shorewall [re]load [ ] If is omitted, the current working directory is assumed. @@ -63,13 +63,15 @@ Other changes in 3.2.0 RC 4 /sbin/shorewall compile -e . firewall &&\ scp firewall root@:/var/lib/shorewall-lite/ &&\ - ssh root@ '/sbin/shorewall-lite restart' # Note 1 + ssh root@ '/sbin/shorewall-lite [re]start' # Note 1 In other words, the configuration in the specified (or defaulted) directory is compiled to a file called firewall in that directory. If compilation succeeds, then 'firewall' is copied to the (usually remote) using scp. If the copy succeeds, - Shorewall Lite on is restarted via ssh. + Shorewall Lite on is started or restarted via ssh ( + load causes Shorewall Lite to be started and 'reload' causes + Shorewall Lite to be re-started) Note 1: In Shorewall Lite 3.2.0 RC4, the 'firewall' script has moved from /usr/share/shorewall-lite/ to /var/lib/shorewall-lite in diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 6bee3ee31..f3eaa2f55 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall 
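Review bot: The new `load)` arm expands `${LITEDIR}` inside the double-quoted help text, so what the user sees depends on LITEDIR being set in the environment of this help script; nothing in the hunk sets or sources it, and if it is unset the sentence degrades to "copied via scp to the  directory". Either obtain the value the way the rest of the script does (I can't see that from here) or print the variable name literally, e.g. `the \${LITEDIR} directory on <system>`, so the help text is correct regardless of environment. The angle-bracket placeholders for directory and system also appear to have been lost in this hunk (`load [ ]`), which leaves the synopsis unreadable; the `logdrop` arm's `$1: $1` pattern below it is the house style worth matching.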
@@ -49,6 +49,9 @@
 # compensate for a change of
 # broadcast address on any "detect"
 # interface.
+# shorewall [re]load [ ]
+# Compile a script and install it on a
+# remote Shorewall Lite system.
 # shorewall show [ ... ] Display the rules in each listed
 # shorewall show actions Displays the available actions
 # shorewall show log Print the last 20 log messages
@@ -200,14 +203,14 @@ get_config() {
 # from /usr/share/shorewall/configpath.
 #
 export CONFIG_PATH
-
+
 [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
 if [ ! -f $LOGFILE ]; then
 echo "LOGFILE ($LOGFILE) does not exist!" >&2
 exit 2
 fi
-
+
 if [ -n "$IPTABLES" ]; then
 if [ ! -e "$IPTABLES" ]; then
 echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
@@ -220,9 +223,9 @@ get_config() {
 exit 2
 fi
 fi
-
+
 export IPTABLES
-
+
 #
 # See if we have a real version of "tail" -- use separate redirection so
 # that ash (aka /bin/sh on LRP) doesn't crap
@@ -240,7 +243,7 @@ get_config() {
 validate_restorefile RESTOREFILE
 export RESTOREFILE
-
+
 case $STARTUP_ENABLED in
 No|no|NO)
 echo " WARNING: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/shorewall.conf" >&2
@@ -255,7 +258,7 @@ get_config() {
 fi
 ;;
 esac
-
+
 case ${TC_ENABLED:=Internal} in
 No|NO|no)
 TC_ENABLED=
@@ -263,7 +266,7 @@ get_config() {
 esac
 [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
-
+
 [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
 export LOGFORMAT
@@ -1299,18 +1302,25 @@ restore_command() {
 fi
 }
 #
# Reload command executor
+# [Re]load command executor
 #
-reload_command()
+reload_command()
 {
 local verbose=$(make_verbose)
- shorewall $debugging $verbose compile -e $1 $1/firewall && \
+ if shorewall $debugging $verbose compile -e $1 $1/firewall && \
 echo "Copying ${1}/firewall to ${2}:${LITEDIR}..." && \
- scp $1/firewall root@${2}:${LITEDIR}/ && \
- echo "Copy complete" && \
- ssh root@${2} "/sbin/shorewall-lite $debugging $verbose restart" && \
- progress_message3 "System $2 reloaded"
+ scp $1/firewall root@${2}:${LITEDIR}
+ then
+ echo "Copy complete"
+ if [ $COMMAND = reload ]; then
+ ssh root@${2} "/sbin/shorewall-lite $debugging $verbose restart" && \
+ progress_message3 "System $2 reloaded"
+ else
+ ssh root@${2} "/sbin/shorewall-lite $debugging $verbose restart" && \
+ progress_message3 "System $2 reloaded"
+ fi
+ fi
 }
 #
 # Help information
@@ -1342,6 +1352,7 @@ usage() # $1 = exit status
 echo " ipcalc {
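Review bot: Both branches of the new `if [ $COMMAND = reload ]; then` run `/sbin/shorewall-lite ... restart` and report "System $2 reloaded", so `load` behaves exactly like `reload`, contrary to the help text and release notes in this same commit which say load starts Shorewall Lite; the else branch should read `ssh root@${2} "/sbin/shorewall-lite $debugging $verbose start" && \` followed by `progress_message3 "System $2 loaded"`. The rewritten scp line also drops the trailing slash from the target (`root@${2}:${LITEDIR}`): if that directory does not exist on the remote host, scp writes the script to a regular file of that name and the subsequent start/restart looks for a script that is not where it expects, whereas the old `${LITEDIR}/` form makes scp fail and stops the chain — keep the slash. `$1`, `$2` and `$COMMAND` remain unquoted throughout, so a directory path containing whitespace breaks the compile and scp calls; `[ "$COMMAND" = reload ]` and `"$1"/firewall` are the minimal quoting. The hunk's first lines (`fi`, `}`) belong to restore_command, whose body begins outside the hunk.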
/ |
}" echo " ipdecimal {
| }" echo " iprange
-
" + echo " load [ ] " echo " logdrop
..." echo " logreject
..."
 echo " logwatch []"
@@ -1653,7 +1664,7 @@ case "$COMMAND" in
 shift
 show_command $@
 ;;
- reload)
+ load|reload)
 shift
 case $# in
 1)
@@ -1668,7 +1679,7 @@ case "$COMMAND" in
 usage 1
 ;;
 esac
-
+
 reload_command $directory $system
 ;;
 status)
diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml
index 1d0975aa9..08dc6f07a 100644
--- a/docs/CompiledPrograms.xml
+++ b/docs/CompiledPrograms.xml
@@ -214,6 +214,51 @@ /usr/share/shorewall-lite/shorecap > capabilities scp capabilities <admin system>:<this system's config dir> + + If you are running Debian or one of its derivatives like Ubuntu + then edit /etc/default/shorewall-lite and set startup=1. + + Shorewall Lite includes a very limited version of + shorewall.conf + (/etc/shorewall-lite/shorewall.conf). + It includes the following options which have the same meaning as in a + full Shorewall installation except as noted below: +
+ + VERBOSITY + + LOGFILE + + LOGFORMAT — used by /sbin/shorewall + for finding 'Shorewall' log messages. If LOGFORMAT was specified + in the shorewall.conf file used at compile time on the + administrative system, then the format of the messages themselves + is defined by that value. If LOGFORMAT was not specified at + compile time then the firewall script will use the value from + /etc/shorewall-lite/shorewall.conf on the + firewall system. + + IPTABLES — determines the iptables binary to be used by + /sbin/shorewall. The compiled firewall script + will use the IPTABLES specified in + shorewall.conf at compile time on the + administrative system, if any; if IPTABLES was not specified at + compile time then the IPTABLES value from + /etc/shorewall-lite/shorewall.conf on the + firewall system will be used by the firewall script. + + PATH + + SHOREWALL_SHELL + + SUBSYSLOCK + + RESTOREFILE + +
+ + Edit the shorewall.conf file as required. @@ -239,81 +284,17 @@ cd <configuration directory> -/sbin/shorewall compile -e . firewall -scp firewall root@<firewall system>:/var/lib/shorewall-lite/ +/sbin/shorewall load . firewall - - The 'firewall' script is in /var/lib/shorewall-lite in packages - from shorewall.net. The package maintainers for the various - distributions are free to choose the directory where the script - will be stored under their distribution. See the output of - shorewall[-lite] show config for the value of - LITEDIR on your distribution. - - Example: - - gateway:~ # shorewall-lite show config -Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite -LITEDIR is /var/lib/shorewall-lite -gateway:~ # - + The load command compiles a firewall script from the + configuration files in the current working directory, copies that + file to the remote system via scp and starts Shorewall Lite on the + remote system via ssh. - - - On each firewall system: - - Modify /etc/shorewall-lite/shorewall.conf - as needed. - - If you are running Debian or one of its derivatives like Ubuntu - then edit /etc/default/shorewall-lite and set startup=1. - - shorewall-lite start - - Shorewall Lite includes a very limited version of - shorewall.conf - (/etc/shorewall-lite/shorewall.conf). It - includes the following options which have the same meaning as in a full - Shorewall installation except as noted below: - -
- - VERBOSITY - - LOGFILE - - LOGFORMAT — used by /sbin/shorewall for - finding 'Shorewall' log messages. If LOGFORMAT was specified in the - shorewall.conf file used at compile time on the administrative system, - then the format of the messages themselves is defined by that value. - If LOGFORMAT was not specified at compile time then the firewall - script will use the value from - /etc/shorewall-lite/shorewall.conf on the - firewall system. - - IPTABLES — determines the iptables binary to be used by - /sbin/shorewall. The compiled firewall script - will use the IPTABLES specified in shorewall.conf - at compile time on the administrative system, if any; if IPTABLES was - not specified at compile time then the IPTABLES value from - /etc/shorewall-lite/shorewall.conf on the - firewall system will be used by the firewall script. - - PATH - - SHOREWALL_SHELL - - SUBSYSLOCK - - RESTOREFILE - -
- The /sbin/shorewall-lite program included with Shorewall Lite supports the same set of commands as the /sbin/shorewall program in a full Shorewall diff --git a/docs/starting_and_stopping_shorewall.xml b/docs/starting_and_stopping_shorewall.xml index 39465e86e..ae186777d 100644 --- a/docs/starting_and_stopping_shorewall.xml +++ b/docs/starting_and_stopping_shorewall.xml @@ -889,6 +889,61 @@ gateway:~ # + + load (Added in Shorewall 3.2.0 RC4 -- not supported by Shorewall + Lite) + + + load [ <directory> ] + <system> + + If <directory> is omitted, the current working directory + is assumed. + + Allows a non-root user to compile a shorewall script and + install it on a system (provided that the user has root access to + the system via ssh). The command is equivalent to: + + + /sbin/shorewall compile -e <directory> + <directory>/firewall &&\ + + scp <directory>/firewall + root@<system>:/var/lib/shorewall-lite/ + &&\ + + ssh root@<system> '/sbin/shorewall-lite + start' + + + In other words, the configuration in the specified (or + defaulted) directory is compiled to a file called + firewall in that directory. If compilation + succeeds, then firewall is copied to + <system> using scp. If the copy succeeds, Shorewall Lite on + <system> is started via ssh. + + + The 'firewall' script is in /var/lib/shorewall-lite in packages + from shorewall.net. The package maintainers for the various + distributions are free to choose the directory where the script + will be stored under their distribution. See the output of + shorewall[-lite] show config for the value of + LITEDIR on your distribution. + + Example: + + gateway:~ # shorewall-lite show config +Default CONFIG_PATH is /etc/shorewall-lite:/usr/share/shorewall-lite +LITEDIR is /var/lib/shorewall-lite +gateway:~ # + + + Example: shorewall reload gateway + + + logdrop diff --git a/tools/build/makeshorewall b/tools/build/makeshorewall index cdeaf3401..8fe16d061 100755 --- a/tools/build/makeshorewall 
+++ b/tools/build/makeshorewall
@@ -59,7 +59,7 @@ DIR=$PWD
 #
 # location and options for GnuPG
 #
-GPG="/usr/bin/gpg -ab --no-use-agent --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'"
+GPG="/usr/bin/gpg -ab --batch --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'"
 ################################################################################
 # V A R I A B L E S
 ################################################################################
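Review bot: Replacing `--no-use-agent` with `--batch` means gpg will never prompt for the signing passphrase, so signing the release artifacts now depends on a gpg-agent already holding the unlocked key (or a passphrase supplied via `--passphrase-fd`/`--pinentry-mode loopback`); with no agent the sign step fails, and whether that failure aborts the build depends on how `$GPG` is invoked, which is outside this hunk. A comment above the assignment stating that requirement, e.g. `# --batch: non-interactive; the signing key must be unlocked in gpg-agent before running`, would save the next maintainer a confusing silent-failure hunt. Separately, because the options live in one string, the quoted `--comment '...'` argument only reaches gpg intact if the variable is later run through eval rather than word-split as `$GPG`; I can't see the call site from here, so this is worth confirming.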