diff --git a/Shorewall-docs/starting_and_stopping_shorewall.htm b/Shorewall-docs/starting_and_stopping_shorewall.htm deleted file mode 100644 index f13f33e81..000000000 --- a/Shorewall-docs/starting_and_stopping_shorewall.htm +++ /dev/null @@ -1,327 +0,0 @@ - - - - - - - - Starting and Stopping Shorewall - - -
-

Starting/Stopping and Monitoring the Firewall
-

-
-


-If you have a permanent internet connection such as DSL or Cable, I -recommend that you start the firewall automatically at boot. Once you -have installed "firewall" in your init.d directory, simply type -"chkconfig --add firewall". This will start the firewall in run levels -2-5 and stop it in run levels 1 and 6. If you want to configure your -firewall differently from this default, you can -use the "--level" option in chkconfig (see "man chkconfig") or using -your favorite graphical run-level editor.

-

Important Notes:
-

-
    -
  1. Shorewall startup is disabled by default. Once you have -configured your firewall, you can enable startup by removing the -file /etc/shorewall/startup_disabled. Note: Users of the .deb package -must edit /etc/default/shorewall and set 'startup=1'.
    -
  2. -
  3. If you use dialup, you may want to start the firewall in your -/etc/ppp/ip-up.local script. I recommend just placing "shorewall -restart" in that script.
  4. -
-

-

You can manually start and stop Shoreline Firewall using the -"shorewall" shell program. Please refer to the Shorewall -State Diagram is shown at the bottom of this page.

- -If you include the keyword debug as the first argument, then a -shell trace of the command is produced as in:
-
	shorewall debug start 2> /tmp/trace
-

The above command would trace the 'start' command and place the -trace information -in the file /tmp/trace
-

-

Beginning with version 1.4.7, shorewall can give detailed help about -each of its commands:
-

- -

The "shorewall" program may also be used to monitor the firewall.

- -Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of -commands for dealing with IP addresses and IP address ranges:
- -There is a set of commands dealing with dynamic blacklisting:
- -Finally, the "shorewall" program may be used to dynamically alter the -contents of a zone.
- -
Examples:
-
shorewall add ipsec0:192.0.2.24 -vpn1 -- adds the address 192.0.2.24 from interface ipsec0 to -the zone vpn1
- shorewall delete ipsec0:192.0.2.24 vpn1 --- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1
-
-
-

The shorewall start, shorewall restart, shorewall -check, and shorewall try commands allow you to specify -which Shorewall -configuration to use:

-
-

shorewall [ -c configuration-directory ] -{start|restart|check}
-shorewall try configuration-directory

-
-

If a configuration-directory is specified, each time that -Shorewall is going to use a file in /etc/shorewall it will first look -in the configuration-directory . If the file is present in the configuration-directory, -that file will be used; otherwise, the file in /etc/shorewall will be -used.

-

When changing the configuration of a production firewall, I -recommend the following:

- -

If the configuration starts but doesn't work, just "shorewall -restart" to restore the old configuration. If the new configuration -fails to start, the "try" command will automatically start the old one -for you.

-

When the new configuration works then just

- -

The Shorewall State Diargram is depicted -below.
-

-
+
-
-

 
-

-You will note that the commands that result in state transitions use -the word "firewall" rather than "shorewall". That is because the actual -transitions are done by /usr/share/shorewall/firewall; /sbin/shorewall -runs 'firewall" according to the following table:
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/sbin/shorewall Command
-
Resulting /usr/share/shorewall/firewall -Command
-
Effect if the Command Succeeds
-
shorewall start
-
firewall start
-
The system filters packets based on your current -Shorewall Configuration
-
shorewall stop
-
firewall stop
-
Only traffic to/from hosts listed in -/etc/shorewall/hosts is passed to/from/through the firewall. For -Shorewall versions beginning -with 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf -then -in addition, all existing connections are retained and all connection -requests -from the firewall are accepted.
-
shorewall restart
-
firewall restart
-
Logically equivalent to "firewall stop;firewall -start"
-
shorewall add
-
firewall add
-
Adds a host or subnet to a dynamic zone
-
shorewall delete
-
firewall delete
-
Deletes a host or subnet from a dynamic zone
-
shorewall refresh
-
firewall refresh
-
Reloads rules dealing with static blacklisting, -traffic control and ECN.
-
shorewall reset
-
firewall reset
-
Resets traffic counters
-
shorewall clear
-
firewall clear
-
Removes all Shorewall rules, chains, addresses, -routes and ARP entries.
-
shorewall try
-
firewall -c <new configuration> restart
-If unsuccessful then firewall start (standard configuration)
-If timeout then firewall restart (standard configuration)
-

-
-
-

Updated 12/12/2003 - Tom -Eastep -

-

Copyright2001, 2002, 2003 Thomas M. Eastep.
-

-
- - diff --git a/Shorewall-docs/starting_and_stopping_shorewall.xml b/Shorewall-docs/starting_and_stopping_shorewall.xml new file mode 100755 index 000000000..d356d3782 --- /dev/null +++ b/Shorewall-docs/starting_and_stopping_shorewall.xml @@ -0,0 +1,437 @@ + + +
+ + + + Starting/Stopping and Monitoring the Firewall + + + + Tom + + Eastep + + + + 2003-12-12 + + + 2001-2003 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. + + + +
+ Operating Shorewall + + If you have a permanent internet connection such as DSL or Cable, I + recommend that you start the firewall automatically at boot. Once you have + installed "firewall" in your init.d directory, simply type + "chkconfig --add firewall". This will start the firewall in run + levels 2-5 and stop it in run levels 1 and 6. If you want to configure + your firewall differently from this default, you can use the + "--level" option in chkconfig (see "man chkconfig") or + using your favorite graphical run-level editor. + + + + + Shorewall startup is disabled by default. Once you have + configured your firewall, you can enable startup by removing the + file /etc/shorewall/startup_disabled. Note: Users of the .deb + package must edit /etc/default/shorewall and set + 'startup=1'. + + + + If you use dialup, you may want to start the firewall in your + /etc/ppp/ip-up.local script. I recommend just placing "shorewall + restart" in that script. + + + + + You can manually start and stop Shoreline Firewall using the + "shorewall" shell program. Please refer to the Shorewall State + Diagram as shown at the bottom of this page. + + + + shorewall start - starts the firewall + + + + shorewall stop - stops the firewall; the only traffic permitted + through the firewall is from systems listed in + /etc/shorewall/routestopped (Beginning with version 1.4.7, if + ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf then in + addition, all existing connections are permitted and any new + connections originating from the firewall itself are allowed). + + + + shorewall restart - stops the firewall (if it's running) and + then starts it again + + + + shorewall reset - reset the packet and byte counters in the + firewall + + + + shorewall clear - remove all rules and chains installed by + Shoreline Firewall. 
The firewall is "wide open" + + + + shorewall refresh - refresh the rules involving the broadcast + addresses of firewall interfaces, the black list, traffic control + rules and ECN control rules. + + + + If you include the keyword debug as the first argument, then a shell + trace of the command is produced as in: + + shorewall debug start 2> /tmp/traceThe + above command would trace the 'start' command and place the trace + information in the file /tmp/trace + + Beginning with version 1.4.7, shorewall can give detailed help about + each of its commands: shorewall help [ command | host | address ]The + "shorewall" program may also be used to monitor the firewall. + + + + shorewall status - produce a verbose report about the firewall + (iptables -L -n -v) + + + + shorewall show chain1 [ chain2 ... ] - produce a verbose report + about the listed chains (iptables -L chain -n -v) Note: You may only + list one chain in the show command when running Shorewall version + 1.4.6 and earlier. Version 1.4.7 and later allow you to list multiple + chains in one command. + + + + shorewall show nat - produce a verbose report about the nat + table (iptables -t nat -L -n -v) + + + + shorewall show tos - produce a verbose report about the mangle + table (iptables -t mangle -L -n -v) + + + + shorewall show log - display the last 20 packet log entries. + + + + + shorewall show connections - displays the IP connections + currently being tracked by the firewall. + + + + shorewall show tc - displays information about the traffic + control/shaping configuration. + + + + shorewall monitor [ delay ] - Continuously display the firewall + status, last 20 log entries and nat. When the log entry display + changes, an audible alarm is sounded. + + + + shorewall hits - Produces several reports about the Shorewall + packet log messages in the current /var/log/messages file. + + + + shorewall version - Displays the installed version number. 
+ + + + + shorewall check - Performs a cursory validation of the zones, + interfaces, hosts, rules and policy files.The + "check" command is totally unsuppored and does not parse and + validate the generated iptables commands. Even though the + "check" command completes successfully, the configuration may + fail to start. Problem reports that complain about errors that the + 'check' command does not detect will not be accepted.See + the recommended way to make configuration changes described below. + + + + shorewall try configuration-directory [ timeout ] - Restart + shorewall using the specified configuration and if an error occurs or + if the timeout option is given and the new configuration has been up + for that many seconds then shorewall is restarted using the standard + configuration. + + + + shorewall logwatch (added in version 1.3.2) - Monitors the + LOGFILE and produces an audible alarm when new Shorewall messages are + logged. + + + + Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of + commands for dealing with IP addresses and IP address ranges: + + + + shorewall ipcalc [ address mask | address/vlsm ] - displays the + network address, broadcast address, network in CIDR notation and + netmask corresponding to the input[s]. + + + + shorewall iprange address1-address2 - Decomposes the specified + range of IP addresses into the equivalent list of network/host + addresses. + + + + There is a set of commands dealing with dynamic blacklisting: + + + + shorewall drop <ip address list> - causes packets from + the listed IP addresses to be silently dropped by the firewall. + + + + + shorewall reject <ip address list> - causes packets from + the listed IP addresses to be rejected by the firewall. + + + + shorewall allow <ip address list> - re-enables receipt + of packets from hosts previously blacklisted by a drop or reject + command. 
+ + + + shorewall save - save the dynamic blacklisting configuration so + that it will be automatically restored the next time that the firewall + is restarted. + + + + show dynamic - displays the dynamic blacklisting chain. + + + + Finally, the "shorewall" program may be used to dynamically + alter the contents of a zone. + + + + shorewall add interface[:host] zone - Adds the specified + interface (and host if included) to the specified zone. + + + + shorewall delete interface[:host] zone - Deletes the specified + interface (and host if included) from the specified zone. + + Examples: shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1 + shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1 + + + + The shorewall start, shorewall restart, shorewall check, and + shorewall try commands allow you to specify which Shorewall configuration + to use: + + shorewall [ -c configuration-directory ] {start|restart|check} + shorewall try configuration-directory + + If a configuration-directory is specified, each + time that Shorewall is going to use a file in /etc/shorewall it will first + look in the configuration-directory . If the file is + present in the configuration-directory, that file + will be used; otherwise, the file in /etc/shorewall will be used. When + changing the configuration of a production firewall, I recommend the + following: + + + + mkdir /etc/test + + + + cd /etc/test + + + + <copy any files that you need to change from /etc/shorewall + to . and change them here> + + + + shorewall -c . check + + + + <correct any errors found by check and check again> + + + + + /sbin/shorewall try . + + + + If the configuration starts but doesn't work, just + "shorewall restart" to restore the old configuration. If the new + configuration fails to start, the "try" command will automatically + start the old one for you. 
+ + When the new configuration works then just: + + + + cp * /etc/shorewall + + + + cd + + + + rm -rf /etc/test + + + + The Shorewall State Diargram is depicted below. + + You will note that the commands that result in state transitions use + the word "firewall" rather than "shorewall". That is + because the actual transitions are done by /usr/share/shorewall/firewall; + /sbin/shorewall runs 'firewall" according to the following table: + + + + + + /sbin/shorewall Command + + Resulting /usr/share/shorewall/firewall + Command + + Effect if the Command Succeeds + + + + + + shorewall start + + firewall start + + The system filters packets based on your current Shorewall + Configuration + + + + shorewall stop + + firewall stop + + Only traffic to/from hosts listed in /etc/shorewall/hosts + is passed to/from/through the firewall. For Shorewall versions + beginning with 1.4.7, if ADMINISABSENTMINDED=Yes in + /etc/shorewall/shorewall.conf then in addition, all existing + connections are retained and all connection requests from the + firewall are accepted. + + + + shorewall restart + + firewall restart + + Logically equivalent to "firewall stop;firewall + start" + + + + shorewall add + + firewall add + + Adds a host or subnet to a dynamic zone + + + + shorewall delete + + firewall delete + + Deletes a host or subnet from a dynamic zone + + + + shorewall refresh + + firewall refresh + + Reloads rules dealing with static blacklisting, traffic + control and ECN. + + + + shorewall reset + + firewall reset + + Resets traffic counters + + + + shorewall clear + + firewall clear + + Removes all Shorewall rules, chains, addresses, routes and + ARP entries. + + + + shorewall try + + firewall -c <new configuration> restart If + unsuccessful then firewall start (standard configuration) If + timeout then firewall restart (standard configuration) + + + + + + +
+
\ No newline at end of file
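Review bot: deleting starting_and_stopping_shorewall.htm in the same commit that introduces the .xml leaves any other page in Shorewall-docs that links to the .htm (or to its State Diagram anchor) pointing at a file that no longer exists; grep the doc tree for "starting_and_stopping_shorewall.htm" and retarget those links to the new document before this merges, or keep a stub .htm until the rest of the tree is converted. The content itself appears to move over intact; the only items not carried across are the empty "Important Notes" entries 2 and 4 and the "Copyright2001" spacing error, both of which are fine to drop, but note that the move is verbatim in every other respect, so errors in the old table (see the note on the new file) are being migrated rather than fixed.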
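Review bot: the new file contradicts itself about what the stopped firewall lets through, which matters because "stop" is the state an administrator falls back to during an incident. The command list says "shorewall stop - stops the firewall; the only traffic permitted through the firewall is from systems listed in /etc/shorewall/routestopped", but the state table row for the same command says "Only traffic to/from hosts listed in /etc/shorewall/hosts is passed to/from/through the firewall"; routestopped is the file the stop path actually consults, so the table row should be changed to match the list. Two smaller points in the same region: the recommended production procedure ends with "/sbin/shorewall try ." with no timeout, even though the page documents "shorewall try configuration-directory [ timeout ]" as the way to auto-revert a configuration that starts but locks you out; for a remotely administered box suggest writing the step as "/sbin/shorewall try . 60" (or similar) and saying why. Also "show dynamic - displays the dynamic blacklisting chain." is the only entry in its list missing the "shorewall" prefix. Housekeeping: "new file mode 100755" gives a DocBook source the executable bit, which it does not need, so use 100644; fix "Diargram", "unsuppored" and the mismatched quotes in "runs 'firewall\" according"; and add the missing trailing newline flagged by "\ No newline at end of file".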