diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index e52ddc1e1..a70a88042 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -690,7 +690,13 @@ sub process_stoppedrules() {
my $result;
if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
- first_entry "$doing $fn...";
+ first_entry sub() {
+ progress_message2("$doing $fn...");
+ unless ( $config{ADMINISABSENTMINDED} ) {
+ warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
+ $config{ADMINISABSENTMINDED} = 'Yes';
+ }
+ };
while ( read_a_line( NORMAL_READ ) ) {
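Review bot: The warning text in the new first_entry callback names the wrong file: it says "Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes", but this callback runs from process_stoppedrules() on the stoppedrules file, so an administrator reading the log will look at the wrong file. Suggest "Entries in the stoppedrules file are processed as if ADMINISABSENTMINDED=Yes". Two further points on the same lines: because the callback only fires on the first entry, an empty stoppedrules file leaves ADMINISABSENTMINDED=No untouched, which should be stated in the manpage text later in this patch; and overwriting $config{ADMINISABSENTMINDED} in place means every later consumer of that setting during this compile silently sees 'Yes', so a short comment next to the assignment explaining that the stopped-state rules further down depend on it would help the next reader.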
@@ -2526,9 +2532,9 @@ EOF
"restore_default_route $config{USE_DEFAULT_RT}"
);
- my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;
-
- add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for @chains;
+ if ( $config{ADMINISABSENTMINDED} ) {
+ add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
+ }
if ( $family == F_IPV6 ) {
add_ijump $input, j => 'ACCEPT', s => IPv6_LINKLOCAL;
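Review bot: With ADMINISABSENTMINDED=No the ESTABLISHED,RELATED ACCEPT is now dropped from all three chains, including OUTPUT, where the removed code always added it. Please confirm that reply traffic for hosts listed in routestopped is still covered by the per-entry rules generated elsewhere; if it is not, established sessions to those hosts will break in the stopped state, which is exactly the case routestopped exists for. A one-line comment above the new if block noting that the 'Yes' branch is also reached because process_stoppedrules() forces the setting would make the coupling between the two hunks visible.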
diff --git a/Shorewall/configfiles/rules b/Shorewall/configfiles/rules
index fd618eaa4..2ae67a390 100644
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -9,9 +9,9 @@
######################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
-#?SECTION ALL
-#?SECTION ESTABLISHED
-#?SECTION RELATED
-#?SECTION INVALID
-#?SECTION UNTRACKED
-?SECTION NEW
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
+SECTION NEW
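Review bot: This skeleton drops the "?" prefix (?SECTION becomes SECTION) while docs/standalone.xml in the same patch adds text saying "?SECTION NEW in Shorewall 4.6.0 and later". If this branch targets the pre-4.6.0 syntax that is consistent, but please say so in the commit message; otherwise the shipped skeleton and the documentation will disagree on which form to use.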
diff --git a/Shorewall/manpages/shorewall-routestopped.xml b/Shorewall/manpages/shorewall-routestopped.xml
index 825de0068..97bcbc1a5 100644
--- a/Shorewall/manpages/shorewall-routestopped.xml
+++ b/Shorewall/manpages/shorewall-routestopped.xml
@@ -120,7 +120,7 @@
- notrack
+ notrack
The traffic will be exempted from connection
@@ -128,6 +128,13 @@
+
+
+ The source and dest options work best when used in
+ conjunction with ADMINISABSENTMINDED=Yes in shorewall6.conf(5).
+
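Review bot: The added sentence in the IPv4 manpage shorewall-routestopped.xml points to shorewall6.conf(5); it should reference shorewall.conf(5), with shorewall6.conf(5) reserved for the Shorewall6 manpage.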
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 787b840e0..e845ce064 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -283,15 +283,48 @@
The value of this variable affects Shorewall's stopped state.
- When ADMINISABSENTMINDED=No, only traffic to/from those addresses
- listed in shorewall-routestopped(5)
- is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes,
- in addition to traffic to/from addresses in shorewall-routestopped(5),
- connections that were active when Shorewall stopped continue to work
- and all new connections from the firewall system itself are allowed.
- If this variable is not set or is given the empty value then
+ The behavior differs depending on whether shorewall-routestopped(5)
+ or shorewall-stoppedrules(5)
+ is used:
+
+
+
+ routestopped
+
+
+ When ADMINISABSENTMINDED=No, only traffic to/from those
+ addresses listed in routestopped is
+ accepted when Shorewall is stopped. When
+ ADMINISABSENTMINDED=Yes, in addition to traffic to/from
+ addresses in routestopped, connections
+ that were active when Shorewall stopped continue to work and
+ all new connections from the firewall system itself are
+ allowed.
+
+
+
+
+ stoppedrules
+
+
+ If ADMINISABSENTMINDED=No, a warning message is issued
+ and the setting is ignored.
+
+ In addition to connections matching entries in
+ stoppedrules, existing connections
+ continue to work and all new connections from the firewall
+ system itself are allowed. To sever all existing connections
+ when the firewall is stopped, install the conntrack utility
+ and place the command conntrack -F in the
+ stopped user exit
+ (/etc/shorewall/stopped).
+
+
+
+
+ If this variable is not set or is given the empty value then
ADMINISABSENTMINDED=No is assumed.
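Review bot: The stoppedrules paragraph ("If ADMINISABSENTMINDED=No, a warning message is issued and the setting is ignored") overstates what the code in Misc.pm does: the warning and the override happen only when stoppedrules contains at least one entry, so an empty file does not change the setting. Suggest "If stoppedrules has any entries and ADMINISABSENTMINDED=No, a warning ...". It would also help to say explicitly that in the stoppedrules case the stopped firewall therefore keeps accepting established connections from outside, since that is the behavioural change an administrator who chose No needs to know about before relying on stop as a lockdown.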
diff --git a/Shorewall6/manpages/shorewall6-routestopped.xml b/Shorewall6/manpages/shorewall6-routestopped.xml
index 56795fcc9..29eca9e38 100644
--- a/Shorewall6/manpages/shorewall6-routestopped.xml
+++ b/Shorewall6/manpages/shorewall6-routestopped.xml
@@ -116,30 +116,11 @@
- critical
+ notrack
- Allow traffic between the firewall and these hosts
- throughout '[re]start', 'stop' and 'clear'. Specifying
- critical on one or more
- entries will cause your firewall to be "totally open" for a
- brief window during each of those operations. Examples of
- where you might want to use this are:
-
-
-
- 'Ping' nodes with heartbeat.
-
-
-
- LDAP server(s) if you use LDAP Authentication
-
-
-
- NFS Server if you have an NFS-mounted root
- filesystem.
-
-
+ The traffic will be exempted from connection
+ tracking.
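Review bot: This hunk replaces the whole "critical" option description with the "notrack" description but says nothing about whether critical is still accepted in shorewall6-routestopped. If the option is still parsed, its documentation is now gone; if it was removed, the manpage should say so (and since the IPv4 manpage in this patch already carried notrack, this looks like the IPv6 page being brought into line, which the commit message should state).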
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index 19cd2de18..e6a178241 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -218,18 +218,50 @@
role="bold">Yes|No]
- The value of this variable affects Shorewall6's stopped state.
- When ADMINISABSENTMINDED=No, only traffic to/from those addresses
- listed in shorewall6-routestopped(5)
- is accepted when Shorewall6 is stopped. When
- ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in
- shorewall6-routestopped(5),
- connections that were active when Shorewall6 stopped continue to
- work and all new connections from the firewall system itself are
- allowed. If this variable is not set or is given the empty value
- then ADMINISABSENTMINDED=No is assumed.
+ The value of this variable affects Shorewall's stopped state.
+ The behavior differs depending on whether shorewall6-routestopped(5)
+ or shorewall6-stoppedrules(5)
+ is used:
+
+
+
+ routestopped
+
+
+ When ADMINISABSENTMINDED=No, only traffic to/from those
+ addresses listed in routestopped is
+ accepted when Shorewall is stopped. When
+ ADMINISABSENTMINDED=Yes, in addition to traffic to/from
+ addresses in routestopped, connections
+ that were active when Shorewall stopped continue to work and
+ all new connections from the firewall system itself are
+ allowed.
+
+
+
+
+ stoppedrules
+
+
+ If ADMINISABSENTMINDED=No, a warning message is issued
+ and the setting is ignored.
+
+ In addition to connections matching entries in
+ stoppedrules, existing connections
+ continue to work and all new connections from the firewall
+ system itself are allowed. To sever all existing connections
+ when the firewall is stopped, install the conntrack utility
+ and place the command conntrack -F in the
+ stopped user exit
+ (/etc/shorewall6/stopped).
+
+
+
+
+ If this variable is not set or is given the empty value then
+ ADMINISABSENTMINDED=No is assumed.
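Review bot: The replacement text in the Shorewall6 manpage says "Shorewall's stopped state" and "when Shorewall is stopped", whereas the removed lines correctly said "Shorewall6"; the paragraph appears to have been copied from shorewall.conf.xml without adjusting the product name. Suggest restoring "Shorewall6" in both places. The same comment about the warning only being issued when stoppedrules has entries applies here as to the IPv4 manpage.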
diff --git a/docs/standalone.xml b/docs/standalone.xml
index 34d6da9c5..c7bb78967 100644
--- a/docs/standalone.xml
+++ b/docs/standalone.xml
@@ -515,15 +515,16 @@ root@lists:~#
If you wish to enable connections from the Internet to your firewall
and you find an appropriate macro in
- /etc/shorewall/macro.*, the general format of a rule
- in /etc/shorewall/rules is:
+ /usr/share/shorewall/macro.*, the general format of a
+ rule in /etc/shorewall/rules is:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<macro>(ACCEPT) net $FW
Be sure to add your rules after the line that reads SECTION NEW.
+ role="bold">SECTION NEW (?SECTION NEW in Shorewall 4.6.0 and
+ later).
@@ -605,19 +606,34 @@ SSH(ACCEPT) net $FW
shorewall stop
. When the firewall is
stopped, routing is enabled on those hosts that have an entry in
/etc/shorewall/routestopped.
- A running firewall may be restarted using the shorewall
- restart
command. If you want to totally remove any trace
- of Shorewall from your Netfilter configuration, use
- shorewall clear
.
+ url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules
+ (/etc/shorewall/routestopped
+ in Shorewall 4.5.7 and earlier). A running firewall may be restarted using
+ the shorewall restart
command. If you
+ want to totally remove any trace of Shorewall from your Netfilter
+ configuration, use shorewall
+ clear
.
If you are connected to your firewall from the Internet, do not
issue a shorewall stop
command unless
- you have added an entry for the IP address that you are connected from
- to /etc/shorewall/routestopped.
- Also, I don't recommend using shorewall
+ you have either:
+
+
+
+ Used ADMINISABSENTMINDED=Yes in
+ /etc/shorewall/shorewall.conf or
+
+
+
+ added an entry for the IP address that you are connected from
+ to /etc/shorewall/routestopped.
+
+
+
+ Also, I don't recommend using shorewall
restart
; it is better to create an alternate
configuration and test it using the
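Review bot: The new second list item still tells the reader to add their address "to /etc/shorewall/routestopped", while the first part of this same hunk was just changed to name /etc/shorewall/stoppedrules (with routestopped only for 4.5.7 and earlier). Suggest "to /etc/shorewall/stoppedrules (/etc/shorewall/routestopped in Shorewall 4.5.7 and earlier)". Also, the first item ends with "or" while the equivalent item later in this file ends with "; or"; pick one.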
@@ -954,8 +953,8 @@ DNS(ACCEPT) $FW dmz:10.10.11.1
a defined macro. Shorewall includes a number of
defined macros and you can add your own.
To see the list of macros included with your version of Shorewall, run the
- command ls
- /usr/share/shorewall/macro.*.
+ command shorewall show
+ macros.
You don't have to use defined macros when coding a rule in
/etc/shorewall/rules. The first example above (name
@@ -1128,12 +1127,14 @@ ACCEPT net $FW tcp 80 The firewall is started using the shorewall start
command and stopped using shorewall stop. When the
firewall is stopped, routing is enabled on those hosts that have an entry
- in /etc/shorewall/routestopped.
- A running firewall may be restarted using the shorewall
- restart command. If you want to totally remove any trace of
- Shorewall from your Netfilter configuration, use shorewall
- clear.
+ in /etc/shorewall/stoppedrules
+ (/etc/shorewall/routestopped
+ on Shorewall 4.5.7 and earlier). A running firewall may be restarted using
+ the shorewall restart command. If you want to totally
+ remove any trace of Shorewall from your Netfilter configuration, use
+ shorewall clear.
@@ -1144,16 +1145,26 @@ ACCEPT net $FW tcp 80 /etc/shorewall/routestopped accordingly.
If you are connected to your firewall from the Internet, do not
- issue a shorewall stop command unless you have
- added an entry for the IP address that you are connected from to
- /etc/shorewall/routestopped.
- Also, I don't recommend using shorewall restart; it
- is better to create an alternate
- configuration and test it using the shorewall
- try command.
+ issue a shorewall stop
command
+ unless you have either:
+
+
+
+ Used ADMINISABSENTMINDED=Yes in
+ /etc/shorewall/shorewall.conf; or
+
+
+
+ added an entry for the IP address that
+ you are connected from to /etc/shorewall/routestopped.
+
+
+
+ Also, I don't recommend using shorewall
+ restart
; it is better to create an alternate
+ configuration and test it using the shorewall
+ try
command.
The firewall will start after your network interfaces have been
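Review bot: Same inconsistency as in the earlier hunk of this file: the list item points to /etc/shorewall/routestopped although the preceding paragraph now names /etc/shorewall/stoppedrules as the current file. The unchanged context line "/etc/shorewall/routestopped accordingly." at the top of this hunk has the same problem and could be updated in the same change.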
diff --git a/docs/two-interface.xml b/docs/two-interface.xml
index 870b05b91..5026414a6 100644
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@@ -171,7 +171,6 @@
/usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces/masq
/usr/share/doc/packages/shorewall/Samples/two-interfaces/policy
-/usr/share/doc/packages/shorewall/Samples/two-interfaces/routestopped
/usr/share/doc/packages/shorewall/Samples/two-interfaces/rules
/usr/share/doc/packages/shorewall/Samples/two-interfaces/zones
~#
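Review bot: The routestopped sample is removed from the listing but no stoppedrules entry is added in its place, while later text in this same file tells the reader to put entries in /etc/shorewall/stoppedrules. If the two-interfaces sample now ships a stoppedrules file, list it here; if it ships neither, the text further down should say that the file has to be created.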
@@ -203,8 +202,9 @@
If you install using the .deb, you will find that your
/etc/shorewall directory
- is empty. This is intentional. The released configuration file
- skeletons may be found on your system in the directory /usr/share/doc/shorewall/default-config.
Simply copy the files you need from that directory to /etc/shorewall and modify the
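Review bot: From the visible lines, the removal of "is empty. This is intentional. The released configuration file skeletons may be found on your system in the directory /usr/share/doc/shorewall/default-config." leaves the following context line "Simply copy the files you need from that directory" without an antecedent for "that directory". The hunk header says one line was added net, so if a replacement sentence naming the directory exists in the full diff this is fine; otherwise the sentence needs the path restored.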
@@ -910,8 +910,8 @@ DNS(ACCEPT) $FW netThis rule allows
In the rule shown above, DNS
(ACCEPT)is an example of
a macro invocation. Shorewall includes a number of
- macros (see /usr/share/shorewall/macro.*) and you can add your own.
+ macros (command shorewall show macros)
+ and you can add your own.
You don't have to use defined macros when coding a rule in
/etc/shorewall/rules; Shorewall will start slightly
@@ -1046,7 +1046,9 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to workshorewall stop. When the firewall is
stopped, routing is enabled on those hosts that have an entry in /etc/shorewall/routestopped.
+ url="manpages/shorewall-routestopped.html">routestopped
+ (Shorewall 4.5.7 and earlier) or in /etc/shorewall/stoppedrules.
A running firewall may be restarted using the shorewall
restart
command. If you want to totally remove any trace
of Shorewall from your Netfilter configuration, use
@@ -1063,10 +1065,22 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work
If you are connected to your firewall from the Internet, do not
issue a shorewall stop
command
- unless you have added an entry for the IP address
- that you are connected from to /etc/shorewall/routestopped.
- Also, I don't recommend using shorewall
+ unless you have either:
+
+
+
+ Used ADMINISABSENTMINDED=Yes in
+ /etc/shorewall/shorewall.conf; or
+
+
+
+ added an entry for the IP address that
+ you are connected from to /etc/shorewall/routestopped.
+
+
+
+ Also, I don't recommend using shorewall
restart
; it is better to create an alternate
configuration and test it using the shorewall
try
command.
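Review bot: As in docs/standalone.xml, the new list item sends the reader to /etc/shorewall/routestopped even though the paragraph above was just amended to say routestopped is for 4.5.7 and earlier and stoppedrules is current; the item should name stoppedrules with routestopped as the older alternative so the two paragraphs agree.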