<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
  <title>Starting and Stopping Shorewall</title>
</head>
<body>

<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
  <tbody>
    <tr>
      <td width="100%">
        <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
        the Firewall</font></h1>
      </td>
    </tr>
  </tbody>
</table>

<p>If you have a permanent internet connection such as DSL or Cable, I recommend
that you start the firewall automatically at boot. Once you have installed
"firewall" in your init.d directory, simply type "chkconfig --add firewall". This
will start the firewall in run levels 2-5 and stop it in run levels 1 and 6. If
you want to configure your firewall differently from this default, you can use
the "--level" option in chkconfig (see "man chkconfig") or use your favorite
graphical run-level editor.</p>

<p><strong><u><font color="#000099">Important Notes:</font></u></strong></p>

<ol>
  <li>Shorewall startup is disabled by default. Once you have configured your
  firewall, you can enable startup by removing the file
  /etc/shorewall/startup_disabled. Note: Users of the .deb package must edit
  /etc/default/shorewall and set 'startup=1'.</li>
  <li>If you use dialup, you may want to start the firewall in your
  /etc/ppp/ip-up.local script. I recommend just placing "shorewall restart" in
  that script.</li>
</ol>

<p>You can manually start and stop Shoreline Firewall using the "shorewall"
shell program:</p>
                                                                        
          
<ul>
  <li>shorewall start - starts the firewall</li>
  <li>shorewall stop - stops the firewall</li>
  <li>shorewall restart - stops the firewall (if it's running) and then starts
  it again</li>
  <li>shorewall reset - reset the packet and byte counters in the firewall</li>
  <li>shorewall clear - remove all rules and chains installed by Shoreline
  Firewall</li>
  <li>shorewall refresh - refresh the rules involving the broadcast addresses of
  firewall interfaces and the black and white lists.</li>
</ul>
If you include the keyword <i>debug</i> as the first argument, then a shell
trace of the command is produced as in:<br>
<pre><font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font></pre>

<p>The above command would trace the 'start' command and place the trace
information in the file /tmp/trace.</p>
<p>The "shorewall" program may also be used to monitor the firewall.</p>

<ul>
  <li>shorewall status - produce a verbose report about the firewall
  (iptables -L -n -v)</li>
  <li>shorewall show <i>chain</i> - produce a verbose report about
  <i>chain</i> (iptables -L <i>chain</i> -n -v)</li>
  <li>shorewall show nat - produce a verbose report about the nat table
  (iptables -t nat -L -n -v)</li>
  <li>shorewall show tos - produce a verbose report about the mangle table
  (iptables -t mangle -L -n -v)</li>
  <li>shorewall show log - display the last 20 packet log entries.</li>
  <li>shorewall show connections - displays the IP connections currently being
  tracked by the firewall.</li>
  <li>shorewall show tc - displays information about the traffic
  control/shaping configuration.</li>
  <li>shorewall monitor [ delay ] - Continuously display the firewall status,
  last 20 log entries and nat. When the log entry display changes, an audible
  alarm is sounded.</li>
  <li>shorewall hits - Produces several reports about the Shorewall packet log
  messages in the current /var/log/messages file.</li>
  <li>shorewall version - Displays the installed version number.</li>
  <li>shorewall check - Performs a <u>cursory</u> validation of the zones,
  interfaces, hosts, rules and policy files. <font size="4" color="#ff6666"><b>The
  "check" command does not parse and validate the generated iptables commands,
  so even though the "check" command completes successfully, the configuration
  may fail to start. See the recommended way to make configuration changes
  described below.</b></font></li>
  <li>shorewall try <i>configuration-directory</i> [ <i>timeout</i> ] -
  Restart shorewall using the specified configuration and, if an error occurs
  or if the <i>timeout</i> option is given and the new configuration has been
  up for that many seconds, then shorewall is restarted using the standard
  configuration.</li>
  <li>shorewall deny, shorewall reject, shorewall accept and shorewall save
  implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
  <li>shorewall logwatch (added in version 1.3.2) - Monitors the
  <a href="#Conf">LOGFILE</a> and produces an audible alarm when new Shorewall
  messages are logged.</li>
</ul>
Finally, the "shorewall" program may be used to dynamically alter the contents
of a zone.<br>

<ul>
  <li>shorewall add <i>interface</i>[:<i>host</i>] <i>zone</i> - Adds the
  specified interface (and host if included) to the specified zone.</li>
  <li>shorewall delete <i>interface</i>[:<i>host</i>] <i>zone</i> - Deletes
  the specified interface (and host if included) from the specified zone.</li>
</ul>

<blockquote>Examples:<br>
  <blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
  -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
  <font color="#009900"><b>shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
  -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br>
  </blockquote>
</blockquote>

<p>The <b>shorewall start</b>, <b>shorewall restart, shorewall check</b> and
<b>shorewall try</b> commands allow you to specify which <a
href="configuration_file_basics.htm#Configs">Shorewall configuration</a> to
use:</p>

<blockquote>
  <p>shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
  shorewall try <i>configuration-directory</i></p>
</blockquote>

<p>If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the
<i>configuration-directory</i>. If the file is present in the
<i>configuration-directory</i>, that file will be used; otherwise, the file in
/etc/shorewall will be used.</p>

<p>When changing the configuration of a production firewall, I recommend the
following:</p>

<ul>
  <li><font color="#009900"><b>mkdir /etc/test</b></font></li>
  <li><font color="#009900"><b>cd /etc/test</b></font></li>
  <li>&lt;copy any files that you need to change from /etc/shorewall to . and
  change them here&gt;</li>
  <li><font color="#009900"><b>shorewall -c . check</b></font></li>
  <li>&lt;correct any errors found by check and check again&gt;</li>
  <li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
</ul>

<p>If the configuration starts but doesn't work, just "shorewall restart" to
restore the old configuration. If the new configuration fails to start, the
"try" command will automatically start the old one for you.</p>

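<p>The per-file lookup order of "-c" and the fall-back behaviour of "try" described
above, modelled in POSIX shell as an added example; this is not Shorewall's own
code. The validator it uses in place of the real "check" is a constructed stand-in
(it only requires each file to exist and each non-comment line to have at least
two columns), and the directory tree it builds under a temporary root stands in
for /etc/shorewall and /etc/test so that the script runs offline.</p>

```shell
#!/bin/sh
# Added example, not Shorewall's own code. It models two behaviours described
# on this page: the per-file lookup order of "shorewall -c DIR" and the
# fall-back of "shorewall try DIR [timeout]". The tree built by build_demo_tree
# is constructed so the script runs offline; its "etc-shorewall" directory
# stands in for the real /etc/shorewall.

# Print the path Shorewall would read for file "$2" when started with "-c $1":
# the configuration directory wins when the file is present there, otherwise
# the copy in the standard directory "$3" is used.
resolve_config_file() {
    r_dir=$1 r_name=$2 r_base=$3
    if [ -n "$r_dir" ] && [ -f "$r_dir/$r_name" ]; then
        printf '%s\n' "$r_dir/$r_name"
    else
        printf '%s\n' "$r_base/$r_name"
    fi
}

# Constructed stand-in for the cursory "check": each of the five files must
# resolve to a readable file, and every line that is neither blank nor a
# comment must have at least two columns. Returns 0 when the set is acceptable.
check_config() {
    c_dir=$1 c_base=$2
    for c_f in zones interfaces hosts rules policy; do
        c_path=$(resolve_config_file "$c_dir" "$c_f" "$c_base")
        [ -r "$c_path" ] || { echo "check: missing $c_path" >&2; return 1; }
        awk '/^[[:space:]]*(#|$)/ { next } NF > 1 { next } { bad = 1 } END { exit bad }' "$c_path" ||
            { echo "check: malformed entry in $c_path" >&2; return 1; }
    done
    return 0
}

# Model of "shorewall try DIR [timeout]": bring up the candidate configuration
# in "$1"; if that fails, or if a timeout in seconds ("$3") is given and has
# elapsed, go back to the standard configuration in "$2". Prints which
# configuration is left running: "candidate" or "standard".
try_config() {
    t_dir=$1 t_base=$2 t_timeout=$3
    if check_config "$t_dir" "$t_base"; then
        [ -n "$t_timeout" ] || { echo candidate; return 0; }
        sleep "$t_timeout"                          # candidate ran for the timeout
    fi
    check_config "" "$t_base" >/dev/null || true    # restart from the standard tree
    echo standard
}

# Constructed directory tree: a complete standard configuration, a "test"
# directory that overrides only "rules" with a well-formed entry, and a
# "broken" directory whose rules file has a one-column line. Prints the root.
build_demo_tree() {
    b_root=$(mktemp -d)
    mkdir -p "$b_root/etc-shorewall" "$b_root/test" "$b_root/broken"
    printf '%s\n' '#ZONE DISPLAY' 'net Net' 'loc Local' > "$b_root/etc-shorewall/zones"
    printf '%s\n' 'net eth0' 'loc eth1' > "$b_root/etc-shorewall/interfaces"
    : > "$b_root/etc-shorewall/hosts"                # an empty file is acceptable
    printf '%s\n' 'ACCEPT loc fw tcp 22' > "$b_root/etc-shorewall/rules"
    printf '%s\n' 'loc net ACCEPT' 'net all DROP' > "$b_root/etc-shorewall/policy"
    printf '%s\n' 'ACCEPT loc fw tcp 80' > "$b_root/test/rules"
    printf '%s\n' 'DROP' > "$b_root/broken/rules"
    printf '%s\n' "$b_root"
}

# Walk-through when run as "sh this_script.sh demo".
if [ "${1:-}" = demo ]; then
    d_root=$(build_demo_tree)
    resolve_config_file "$d_root/test" rules  "$d_root/etc-shorewall"   # from test
    resolve_config_file "$d_root/test" policy "$d_root/etc-shorewall"   # from standard
    try_config "$d_root/test"   "$d_root/etc-shorewall"                 # candidate
    try_config "$d_root/test"   "$d_root/etc-shorewall" 1               # standard
    try_config "$d_root/broken" "$d_root/etc-shorewall"                 # standard
    rm -rf "$d_root"
fi
```

<p>The point the script makes is the one the "check" warning above makes too: a
validator that only looks at the source files can pass a configuration that still
fails to come up, which is why "try" (with a timeout when the change could lock you
out) is the safe way to apply a change to a production firewall.</p>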
<p>When the new configuration works, then just:</p>

<ul>
  <li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
  <li><font color="#009900"><b>cd</b></font></li>
  <li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
</ul>

<p><font size="2">Updated 1/9/2003 - <a href="support.htm">Tom Eastep</a></font></p>

<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
</body>
</html>