diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml
index 4b64582c7..a6b4e8017 100644
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -60,8 +60,8 @@
KVM (Kernel-mode Virtual
Machine)
- Shorewall
- Perl
+ Shorewall on a
+ Laptop
@@ -70,8 +70,8 @@
Limiting Connection
Rates
- Shorewall Setup
- Guide
+ Shorewall
+ Perl
@@ -79,7 +79,8 @@
Logging
- SMB
+ Shorewall Setup
+ Guide
@@ -87,9 +88,7 @@
Macros
- SNAT
- (Source Network Address
- Translation)
+ SMB
@@ -99,8 +98,9 @@
MAC
Verification
- Split DNS the Easy
- Way
+ SNAT
+ (Source Network Address
+ Translation)
@@ -109,8 +109,8 @@
Man Pages
- Squid with
- Shorewall
+ Split DNS the Easy
+ Way
@@ -120,9 +120,8 @@
Manual
Chains
- Starting/stopping the
- Firewall
+ Squid with
+ Shorewall
@@ -133,8 +132,9 @@
Masquerading
- Static (one-to-one)
- NAT
+ Starting/stopping the
+ Firewall
@@ -145,7 +145,8 @@
from a Single Firewall (Russian)
- Support
+ Static (one-to-one)
+ NAT
@@ -155,8 +156,7 @@
Multiple Zones Through One
Interface
- Tips and
- Hints
+ Support
@@ -166,8 +166,8 @@
My Shorewall
Configuration
- Traffic
- Accounting
+ Tips and
+ Hints
@@ -177,8 +177,8 @@
Netfilter
Overview
- Traffic
- Shaping/QOS - Simple
+ Traffic
+ Accounting
@@ -187,9 +187,8 @@
Network Mapping
- Traffic Shaping/QOS -
- Complex (Russian)
+ Traffic
+ Shaping/QOS - Simple
@@ -199,8 +198,9 @@
One-to-one NAT (Static
NAT)
- Transparent
- Proxy
+ Traffic Shaping/QOS -
+ Complex (Russian)
@@ -209,7 +209,8 @@
OpenVPN
- UPnP
+ Transparent
+ Proxy
@@ -219,8 +220,7 @@
OpenVZ
- Upgrade
- Issues
+ UPnP
@@ -229,8 +229,7 @@
Operating
Shorewall
- Upgrading to Shorewall 4.4
- (Upgrading Debian Lenny to Squeeze)
+ OpenVZ
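Review bot: this row loses the "Upgrade Issues" entry and duplicates "OpenVZ". The hunk at @@ -219 removes "Upgrade Issues" and replaces it with "UPnP", so under the one-slot shift applied in every other row, the replacement for "Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze)" here should be "Upgrade Issues", not "OpenVZ" (which is already the entry in the row above). Suggest `+ Upgrade` / `+ Issues` in place of `+ OpenVZ`.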
@@ -240,7 +239,8 @@
Packet
Marking
- VPN
+ Upgrading to Shorewall 4.4
+ (Upgrading Debian Lenny to Squeeze)
@@ -251,7 +251,7 @@
Packet Processing in a
Shorewall-based Firewall
- VPN Passthrough
+ VPN
@@ -260,8 +260,7 @@
'Ping' Management
- White List
- Creation
+ VPN Passthrough
@@ -270,8 +269,8 @@
Port
Forwarding
- Xen - Shorewall in a Bridged Xen
- DomU
+ White List
+ Creation
@@ -280,8 +279,8 @@
Port Information
- Xen - Shorewall in Routed
- Xen Dom0
+ Xen - Shorewall in a Bridged Xen
+ DomU
@@ -291,7 +290,8 @@
Port Knocking and Other Uses
of the 'Recent Match'
-
+ Xen - Shorewall in Routed
+ Xen Dom0
@@ -371,8 +371,8 @@
Kazaa
Filtering
- Shorewall on a
- Laptop
+ Shorewall
+ Init
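Review bot: the placement of the new "Shorewall Init" entry looks inconsistent with alphabetical order. It takes the slot that "Shorewall on a Laptop" held here, while the first hunk moves "Shorewall on a Laptop" into the main table ahead of "Shorewall Perl"; if both tables are sorted, "Shorewall Init" sorts before "Shorewall on a Laptop" and belongs in the main table next to it rather than in this row. Please confirm the intended placement of both entries.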
diff --git a/docs/Shorewall-init.xml b/docs/Shorewall-init.xml
new file mode 100644
index 000000000..615ac6b1f
--- /dev/null
+++ b/docs/Shorewall-init.xml
@@ -0,0 +1,284 @@
+
+
+
+
+
+
+ Shorewall Init
+
+
+
+ Tom
+
+ Eastep
+
+
+
+
+
+
+ 2010
+
+ Thomas M. Eastep
+
+
+
+ Permission is granted to copy, distribute and/or modify this
+ document under the terms of the GNU Free Documentation License, Version
+ 1.2 or any later version published by the Free Software Foundation; with
+ no Invariant Sections, with no Front-Cover, and with no Back-Cover
+ Texts. A copy of the license is included in the section entitled
+ GNU Free Documentation
+ License.
+
+
+
+
+ Introduction
+
+ The Shorewall init scripts released from shorewall.net and by most
+ distributions start Shorewall after networking. This allows Shorewall to
+ detect the network configuration and taylor itself accordingly. It is
+ possible to start Shorewall prior to networking but doing so limits the
+ set of Shorewall features that can be used.
+
+ When Shorewall starts after networking, there is the possibility of
+ unwanted connections being accepted between the time that an interface
+ comes up and the time that Shorewall has finished starting up. Also,
+ Shorewall has had no means of reacting when interfaces are brought up and
+ down.
+
+ Beginning with Shorewall 4.4.10, a new package, Shorewall
+ Init, is available. Shorewall Init serves two purposes:
+
+
+
+ It can 'close' the firewall before the network interfaces are
+ brought up during boot.
+
+
+
+ It can change the firewall state as the result of interfaces
+ being brought up or taken down.
+
+
+
+ These two features can be controlled independently. Shorewall Init
+ can be used together with any combination of the other Shorewall packages.
+ Shorewall-init works on RedHat-based, SuSE-based and Debian-based
+ distributions.
+
+
+
+ Closing the Firewall before the Network Interfaces are brought
+ up
+
+ When Shorewall-init is first installed, it does nothing until you
+ configure it.
+
+ The configuration file is /etc/default/shorewall-init
+ on Debian-based systems and
+ /etc/sysconfig/shorewall-init otherwise. There are
+ two settings in the file:
+
+
+
+ PRODUCTS
+
+
+ Lists the Shorewall packages that you want to integrate with
+ Shorewall-init.
+
+ Example: PRODUCTS="shorewall shorewall6"
+
+
+
+
+ IFUPDOWN
+
+
+ When set to 1, enables integration with NetworkManager and the
+ ifup/ifdown scripts.
+
+
+
+
+ To close your firewall before networking starts:
+
+
+
+ In the Shorewall-init configuration file, set PRODUCTS to the
+ firewall products installed on your system.
+
+
+
+ Be sure that your current firewall script(s) (normally in
+ /var/lib/<product>/firewall) is(are)
+ compiled with the 4.4.10 compiler.
+
+ Shorewall and Shorewall6 users can execute these
+ commands:
+
+
+ shorewall compile
+
+ shorewall6 compile
+
+
+ Shorewall-lite and Shorewall6-lite users can execute these
+ commands on the administrative system:
+
+
+ shorewall export
+ firewall-name-or-ip-address
+
+ shorewall6 export
+ firewall-name-or-ip-address
+
+
+
+
+ That's all that is required.
+
+
+
+ Integration with NetworkManager and ifup/ifdown Scripts
+
+ To integrate with NetworkManager and ifup/ifdown, additional steps
+ are required. You probably don't want to enable this feature if you run a
+ link status monitor like swping or LSM.
+
+
+
+ In the Shorewall-init configuration file, set IFUPDOWN=1.
+
+
+
+ In your Shorewall interfaces file(s), set the
+ option on any interfaces that must be up in
+ order for the firewall to start. At least one interface must have the
+ or option if you
+ perform the next optional step.
+
+
+
+ Optional) -- If you have specified at least one
+ or interface, you
+ can then disable automatic firewall startup at boot time. On
+ Debian-based systems, set startup=0 in
+ /etc/default/product.
+ On other systems, use your service startup configuration tool
+ (chkconfig, insserv, ...) to disable startup.
+
+
+
+ The following actions occur when an interface comes up:
+
+
+
+
+
+ FIREWALL STATE
+
+ INTERFACE
+
+ ACTION
+
+
+
+ Any
+
+ Required
+
+ start
+
+
+
+ stopped
+
+ Optional
+
+ start
+
+
+
+ started
+
+ Any
+
+ restart
+
+
+
+
+
+ The following actions occur when an interface goes down:
+
+
+
+
+
+ FIREWALL STATE
+
+ INTERFACE
+
+ ACTION
+
+
+
+ Any
+
+ Required
+
+ stop
+
+
+
+ stopped
+
+ Optional
+
+ start
+
+
+
+ started
+
+ Any
+
+ restart
+
+
+
+
+
+ For optional interfaces, the
+ /var/lib/product/interface.state
+ files are maintained to reflect the state of the interface so that they
+ may be used by the standard isusable script. Please
+ note that the action is carried out using the current compiled script; the
+ configuration is not recompiled.
+
+ A new option has been added to shorewall.conf
+ and shorewall6.conf. The REQUIRE_INTERFACE option
+ determines the outcome when an attempt to start/restart/restore/refresh
+ the firewall is made and none of the optional interfaces are available.
+ With REQUIRE_INTERFACE=No (the default), the operation is performed. If
+ REQUIRE_INTERFACE=Yes, then the operation fails and the firewall is placed
+ in the stopped state. This option is suitable for a laptop with both
+ ethernet and wireless interfaces. If either come up, the firewall starts.
+ If neither comes up, the firewall remains in the stopped state.
+
+ Similarly, if an optional interface goes down and there are no
+ optional interfaces remaining in the up state, then the firewall is
+ stopped.
+
+ On Debian-based systems, during system shutdown the firewall is
+ opened prior to network shutdown (/etc/init.d/shorewall
+ stop performs a 'clear' operation rather than a 'stop'). This is
+ required by Debian standards. You can change this default behavior by
+ setting SAFESTOP=1 in /etc/default/shorewall
+ (/etc/default/shorewall6, ...).
+
+
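Review bot: the "stopped / Optional / start" row of the interface-down table is identical to the corresponding row of the interface-up table; if a down event on an optional interface is really meant to start a stopped firewall, a sentence explaining why would help readers, otherwise the action should be corrected. Smaller points: "taylor" should be "tailor"; "Optional) --" is missing its opening parenthesis; the option names are absent in "set the option on any interfaces" and "must have the or option" (presumably the required and optional interface options, matching the tables); and since the text says interface events are handled with the current compiled script and the configuration is not recompiled, it would help to state that `shorewall compile` (or a fresh export for the -lite products) must be re-run after every configuration change, otherwise the rules applied on interface events are stale.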