From 8496bf0ff343a0444be5e2fdf0e4db4403423b67 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 8 Mar 2020 13:22:25 -0700 Subject: [PATCH] Update Compiled Programs/Shorewall-lite article Signed-off-by: Tom Eastep --- docs/CompiledPrograms.xml | 391 ++++++++++++++++++-------------------- 1 file changed, 186 insertions(+), 205 deletions(-) diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml index a3594d113..fb609e3d9 100644 --- a/docs/CompiledPrograms.xml +++ b/docs/CompiledPrograms.xml @@ -20,6 +20,8 @@ 2006-2010 + 2020 + Thomas M. Eastep @@ -227,10 +229,10 @@ cd <export directory> -/sbin/shorewall load firewall +/sbin/shorewall remote-startfirewall The load + url="starting_and_stopping_shorewall.htm#Load">remote-start command compiles a firewall script from the configuration files in the current working directory (using shorewall compile -e), copies that file to the remote system via @@ -239,7 +241,8 @@ Example (firewall's DNS name is 'gateway'): - /sbin/shorewall load gateway + /sbin/shorewall remote-start + gateway Although scp and ssh are used by default, you can use other utilities by setting RSH_COMMAND and RCP_COMMAND in /etc/shorewall/shorewall.conf. @@ -261,119 +264,16 @@ then: cd <export directory> -/sbin/shorewall reload firewall +/sbin/shorewall remote-reload firewall The reload + url="manpages/shorewall.html">remote-reload command compiles a firewall script from the configuration files in the current working directory (using shorewall compile -e), copies that file to the remote system via scp and restarts Shorewall Lite on the remote system via ssh. The reload command also supports the '-c' + role="bold">remote-reload command also supports the '-c' option. - - I personally place a Makefile in each - export directory as follows: - -
- # Shorewall Packet Filtering Firewall Export Directory Makefile - V3.3 -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2006 - Tom Eastep (teastep@shorewall.net) -# -# Shorewall documentation is available at http://www.shorewall.org -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -################################################################################ -# Place this file in each export directory. Modify each copy to set HOST -# to the name of the remote firewall corresponding to the directory. -# -# To make the 'firewall' script, type "make". -# -# Once the script is compiling correctly, you can install it by -# typing "make install". 
-# -################################################################################ -# V A R I A B L E S -# -# Files in the export directory on which the firewall script does not depend -# -IGNOREFILES = firewall% Makefile% trace% %~ -# -# Remote Firewall system -# -HOST = gateway -# -# Save some typing -# -LITEDIR = /var/lib/shorewall-lite -# -# Set this if the remote system has a non-standard modules directory -# -MODULESDIR= -# -# Default target is the firewall script -# -################################################################################ -# T A R G E T S -# -all: firewall -# -# Only generate the capabilities file if it doesn't already exist -# -capabilities: - ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities" - scp root@$(HOST):$(LITEDIR)/capabilities . -# -# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that -# 'filter-out' will be presented with the list of files in this directory rather than "*" -# -firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities - shorewall compile -e . firewall -# -# Only reload on demand. -# -install: firewall - scp firewall firewall.conf root@$(HOST):$(LITEDIR) - ssh root@$(HOST) "/sbin/shorewall-lite restart" -# -# Save running configuration -# -save: - ssh root@$(HOST) "/sbin/shorewall-lite save" -# -# Remove generated files -# -clean: - rm -f capabilities firewall firewall.conf reload - -
- - That way, after I've changed the configuration, I can simply - type make or make - install. - - - The above Makefile is available at http://www.shorewall.org/pub/shorewall/contrib/Shorewall-lite/ - - - - I omit trace% because I often trace compiler execution while - I'm debugging new versions of Shorewall. -
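Review bot: In the hunk at @@ -261,119 +264,16 @@ the sentence kept as context still says the command "restarts Shorewall Lite on the remote system via ssh", yet the exception list added later in this same patch carries remote-reload and remote-restart as two distinct commands; either that sentence should say "reloads", or the text should explain why remote-reload ends in a restart. The new link target `url="manpages/shorewall.html"` also points at the top of the manpage rather than at the remote-reload entry, while the corresponding remote-start link keeps an anchor; consider a matching anchor so the two references behave the same way. Removing the Makefile block is consistent with the rest of the rewrite, but the dropped "trace%" explanation was the only place this article mentioned tracing compiler execution, so confirm no other section still refers to it.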
@@ -410,63 +310,63 @@ clean: run Debian or one of its derivatives (see above). - The /sbin/shorewall-lite program included + The /sbin/shorewall-lite program (which is a + symbolic link pointing to /sbin/shorewall) included with Shorewall Lite supports the same set of commands as the /sbin/shorewall program in a full Shorewall installation with the following exceptions:
- add + action + + actions + + check compile - delete + export - refresh + macro - reload + macros - try + remote-getrc - safe-start + remote-getcaps + + remote-reload + + remote-restart + + remote-start + + safe-reload safe-restart - show actions + safe-start - show macros + try + + update
- On systems with only Shorewall Lite installed, I recommend that - you create a symbolic link /sbin/shorewall and - point it at /sbin/shorewall-lite. That way, you can - use shorewall as the command regardless of which - product is installed. - -
- ln -sf shorewall-lite /sbin/shorewall -
-
Module Loading - As with a normal Shorewall configuration, the shorewall.conf - file can specify LOAD_HELPERS_ONLY which determines if the - modules file (LOAD_HELPERS_ONLY=No) or - helpers file (LOAD_HELPERS_ONLY=Yes) is used. - Normally, the file on the firewall system is used. If you want to - specify modules at compile time on the Administrative System, then you - must place a copy of the appropriate file - (modules or helpers) in the - firewall's configuration directory before compilation. + Normally, the helpers file on the firewall + system is used. If you want to specify modules at compile time on the + Administrative System, then you must place a copy of the + helpers file in the firewall's configuration + directory before compilation. In Shorewall 4.4.17, the EXPORTMODULES option was added to shorewall.conf (and shorewall6.conf). When EXPORTMODULES=Yes, any - modules or helpers file - found on the CONFIG_PATH on the Administrative System during - compilation will be used. + helpers file found on the CONFIG_PATH on the + Administrative System during compilation will be used.
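Review bot: In the hunk at @@ -410,63 +310,63 @@ the "Module Loading" rewrite removes every mention of the modules file and LOAD_HELPERS_ONLY but keeps the historical sentence "In Shorewall 4.4.17, the EXPORTMODULES option was added ..." now worded as if only a helpers file was ever involved; either add a short note that current releases consult only helpers, or drop the 4.4.17 history so the paragraph does not read as a rewrite of the past. The new sentence stating that /sbin/shorewall-lite "is a symbolic link pointing to /sbin/shorewall" justifies deleting the old advice to create the link in the opposite direction, but the exception list it introduces has grown from a handful of commands to a page of them (action, actions, export, macro, macros, remote-*, safe-reload, update); a version qualifier on "supports the same set of commands ... with the following exceptions" would tell readers of older Lite installations which list applies to them.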
@@ -503,10 +403,6 @@ clean: Install Shorewall Lite on the firewall system. - - If you are running Debian or one of its derivatives like - Ubuntu then edit /etc/default/shorewall-lite - and set startup=1. @@ -753,52 +649,126 @@ clean: kernel/iptables capabilities of the target system. Here is a sample file: -
- # -# Shorewall detected the following iptables/netfilter capabilities - Tue Jul 15 07:28:12 PDT 2008 + +# Shorewall 5.2.3.3 detected the following iptables/netfilter capabilities - Mon 16 Sep 2019 01:32:20 PM PDT # -NAT_ENABLED=Yes -MANGLE_ENABLED=Yes -MULTIPORT=Yes -XMULTIPORT=Yes -CONNTRACK_MATCH=Yes -POLICY_MATCH=Yes -PHYSDEV_MATCH=Yes -PHYSDEV_BRIDGE=Yes -LENGTH_MATCH=Yes -IPRANGE_MATCH=Yes -RECENT_MATCH=Yes -OWNER_MATCH=Yes -IPSET_MATCH=Yes -CONNMARK=Yes -XCONNMARK=Yes -CONNMARK_MATCH=Yes -XCONNMARK_MATCH=Yes -RAW_TABLE=Yes -IPP2P_MATCH= -CLASSIFY_TARGET=Yes -ENHANCED_REJECT=Yes -KLUDGEFREE=Yes -MARK=Yes -XMARK=Yes -MANGLE_FORWARD=Yes -COMMENTS=Yes +ACCOUNT_TARGET= ADDRTYPE=Yes -TCPMSS_MATCH=Yes +AMANDA_HELPER= +ARPTABLESJF= +AUDIT_TARGET=Yes +BASIC_EMATCH=Yes +BASIC_FILTER=Yes +CAPVERSION=50200 +CHECKSUM_TARGET=Yes +CLASSIFY_TARGET=Yes +COMMENTS=Yes +CONDITION_MATCH= +CONNLIMIT_MATCH=Yes +CONNMARK_MATCH=Yes +CONNMARK=Yes +CONNTRACK_MATCH=Yes +CPU_FANOUT=Yes +CT_TARGET=Yes +DSCP_MATCH=Yes +DSCP_TARGET=Yes +EMULTIPORT=Yes +ENHANCED_REJECT=Yes +EXMARK=Yes +FLOW_FILTER=Yes +FTP0_HELPER= +FTP_HELPER=Yes +FWMARK_RT_MASK=Yes +GEOIP_MATCH= +GOTO_TARGET=Yes +H323_HELPER= HASHLIMIT_MATCH=Yes +HEADER_MATCH= +HELPER_MATCH=Yes +IFACE_MATCH= +IMQ_TARGET= +IPMARK_TARGET= +IPP2P_MATCH= +IPRANGE_MATCH=Yes +IPSET_MATCH_COUNTERS=Yes +IPSET_MATCH_NOMATCH=Yes +IPSET_MATCH=Yes +IPSET_V5=Yes +IPTABLES_S=Yes +IRC0_HELPER= +IRC_HELPER=Yes +KERNELVERSION=41900 +KLUDGEFREE=Yes +LENGTH_MATCH=Yes +LOGMARK_TARGET= +LOG_TARGET=Yes +MANGLE_ENABLED=Yes +MANGLE_FORWARD=Yes +MARK_ANYWHERE=Yes +MARK=Yes +MASQUERADE_TGT=Yes +MULTIPORT=Yes +NAT_ENABLED=Yes +NAT_INPUT_CHAIN=Yes +NETBIOS_NS_HELPER= +NETMAP_TARGET=Yes +NEW_CONNTRACK_MATCH=Yes +NEW_TOS_MATCH=Yes +NFACCT_MATCH=Yes +NFLOG_SIZE=Yes +NFLOG_TARGET=Yes NFQUEUE_TARGET=Yes +OLD_CONNTRACK_MATCH= +OLD_HL_MATCH= +OLD_IPP2P_MATCH= +OLD_IPSET_MATCH= +OWNER_MATCH=Yes +OWNER_NAME_MATCH=Yes +PERSISTENT_SNAT=Yes +PHYSDEV_BRIDGE=Yes 
+PHYSDEV_MATCH=Yes +POLICY_MATCH=Yes +PPTP_HELPER= +RAW_TABLE=Yes REALM_MATCH=Yes -CAPVERSION=40190 -
+REAP_OPTION=Yes +RECENT_MATCH=Yes +RESTORE_WAIT_OPTION=Yes +RPFILTER_MATCH=Yes +SANE0_HELPER= +SANE_HELPER= +SIP0_HELPER= +SIP_HELPER= +SNMP_HELPER= +STATISTIC_MATCH=Yes +TARPIT_TARGET= +TCPMSS_MATCH=Yes +TCPMSS_TARGET=Yes +TFTP0_HELPER= +TFTP_HELPER= +TIME_MATCH=Yes +TPROXY_TARGET=Yes +UDPLITEREDIRECT= +ULOG_TARGET= +WAIT_OPTION=Yes +XCONNMARK_MATCH=Yes +XCONNMARK=Yes +XMARK=Yes +XMULTIPORT=Yes As you can see, the file contains a simple list of shell variable assignments — the variables correspond to the capabilities listed by the shorewall show capabilities command and they appear in the same order as the output of that command. - To aid in creating this file, Shorewall Lite includes a - shorecap program. The program is installed in the - /usr/share/shorewall-lite/ + The capabilities file can be generated automatically from the + administrative system by using the remote-getcaps + command. Should that option fail for any reason, the file can be generated + manually on the remote firewall. + + To aid in creating this file on the remote firewall, Shorewall Lite + includes a shorecap program. The program is installed + in the /usr/share/shorewall-lite/ directory and may be run as follows:
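Review bot: In the hunk at @@ -753,52 +649,126 @@ the replacement sample is sorted alphabetically (CAPVERSION and KERNELVERSION sit between other entries rather than at the end as in the old file), while the unchanged sentence immediately after it still claims the variables "appear in the same order as the output of" shorewall show capabilities; verify that claim against a current show capabilities run and adjust the sentence if the file is now simply sorted. In the new paragraph about remote-getcaps, "Should that option fail for any reason" refers to a command, not an option; suggest "Should that command fail for any reason, the file can be generated manually on the remote firewall." Also note the hunk in @@ -503,10 +403,6 @@ deletes the Debian/Ubuntu startup=1 item while an earlier context line in this patch still reads "run Debian or one of its derivatives (see above)"; confirm that "(see above)" still resolves to surviving text.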
@@ -825,41 +795,52 @@ CAPVERSION=40190 show capabilities command shows the kernel's current capabilities; it does not attempt to load additional kernel modules. + + Once generated, the file can be copied manually to the + administrative system.
Running compiled programs directly - Compiled firewall programs are complete shell programs that support - the following command line forms: + Compiled firewall programs are complete shell programs that may be + run directly. Here is the output from the program's help command + (Shorewall version 5.2.4) -
- - <program> [ -q ] [ -v ] [ -n ] - start + <program> [ options ] <command> - <program> [ -q ] [ -v ] [ -n ] - stop +<command> is one of: + start + stop + clear + disable <interface> + down <interface> + enable <interface> + reset + reenable <interface> + refresh + reload + restart + run <command> [ <parameter> ... ] + status + up <interface> + savesets <file> + call <function> [ <parameter> ... ] + help + version + info - <program> [ -q ] [ -v ] [ -n ] - clear +Options are: - <program> [ -q ] [ -v ] [ -n ] - refresh - - <program> [ -q ] [ -v ] [ -n ] - reset - - <program> [ -q ] [ -v ] [ -n ] - restart - - <program> [ -q ] [ -v ] [ -n ] - status - - <program> [ -q ] [ -v ] [ -n ] - version - -
+ -v and -q Standard Shorewall verbosity controls + -n Don't update routing configuration + -p Purge Conntrack Table + -t Timestamp progress Messages + -c Save/restore iptables counters + -V <verbosity> Set verbosity explicitly + -R <file> Override RESTOREFILE setting + -T Trace execution + The options have the same meanings as when they are passed to /sbin/shorewall itself. The default VERBOSITY level
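Review bot: In the hunk at @@ -825,41 +795,52 @@ the lead sentence "Here is the output from the program's help command (Shorewall version 5.2.4)" has no terminating colon before the pasted output, and the sample capabilities file earlier in this patch is labelled 5.2.3.3, so the two version numbers should be reconciled or the difference explained. The pasted help text contains literal `<command>`, `<interface>`, `<file>` and `<function>` tokens; make sure they are entity-escaped in the XML source (as `&lt;` / `&gt;`) the way the surviving `<program>` context lines are, or the document will not validate. The sentence that follows, "The options have the same meanings as when they are passed to /sbin/shorewall itself", previously covered only -q, -v and -n; with -p, -t, -c, -V, -R and -T now listed, confirm each of them really is accepted by /sbin/shorewall with the same meaning before keeping that blanket statement.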
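Review bot: In the hunk at @@ -227,10 +229,10 @@ the added line `+/sbin/shorewall remote-startfirewall` is missing the space between the command and its argument; it should read `/sbin/shorewall remote-start firewall`, matching the "remote-start gateway" example added in the next hunk. The link on the same hunk keeps `url="starting_and_stopping_shorewall.htm#Load"` while the visible text now says remote-start; check that the #Load anchor still exists on that page and rename it, or point at the remote-start entry, so the link does not go stale with the command rename.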