Starting/Stopping and Monitoring the Firewall

If you have a permanent internet connection such as DSL or Cable, I recommend that you start the firewall automatically at boot. Once you have installed "firewall" in your init.d directory, simply type "chkconfig --add firewall". This will start the firewall in run levels 2-5 and stop it in run levels 1 and 6. If you want to configure your firewall differently from this default, you can use the "--level" option in chkconfig (see "man chkconfig") or use your favorite graphical run-level editor.

Important Notes:

  1. Shorewall startup is disabled by default. Once you have configured your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled. Note: Users of the .deb package must edit /etc/default/shorewall and set 'startup=1'.
  2. If you use dialup, you may want to start the firewall in your /etc/ppp/ip-up.local script. I recommend just placing "shorewall restart" in that script.

You can manually start and stop Shoreline Firewall using the "shorewall" shell program:

The "shorewall" program may also be used to monitor the firewall.

The shorewall start, shorewall restart, shorewall check and shorewall try commands allow you to specify which Shorewall configuration to use:

shorewall [ -c configuration-directory ] {start|restart|check}
shorewall try configuration-directory

If a configuration-directory is specified, each time that Shorewall is going to use a file in /etc/shorewall it will first look in the configuration-directory. If the file is present in the configuration-directory, that file will be used; otherwise, the file in /etc/shorewall will be used. A configuration-directory therefore only needs to contain the files you are changing; everything else is still read from /etc/shorewall.
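The lookup rule above is easy to get wrong when you only copy some of the files into a test directory, so here is a small shell script that models it. This is an added example, not code from the Shorewall documentation or from the shorewall program: the variable SHOREWALL_DIR and the helper names resolve_config_file, list_overrides and stage_file are assumptions of this example, and the base directory is overridable so the demo runs against a constructed temporary tree instead of the real /etc/shorewall.

```shell
#!/bin/sh
# Added example (not part of Shorewall). Models the "-c configuration-directory"
# lookup: a file is taken from the configuration directory if it exists there,
# otherwise from the base directory (/etc/shorewall by default).

SHOREWALL_DIR="${SHOREWALL_DIR:-/etc/shorewall}"   # assumed name; overridable

# resolve_config_file CONFDIR NAME
# Print the path Shorewall would read for NAME; fail if neither copy exists.
# An empty CONFDIR means "no -c given", i.e. only the base directory is used.
resolve_config_file() {
    confdir=$1
    name=$2
    if [ -n "$confdir" ] && [ -f "$confdir/$name" ]; then
        printf '%s\n' "$confdir/$name"
    elif [ -f "$SHOREWALL_DIR/$name" ]; then
        printf '%s\n' "$SHOREWALL_DIR/$name"
    else
        return 1
    fi
}

# list_overrides CONFDIR
# Print the names of files in CONFDIR that shadow a file of the same name in
# the base directory. Run this before "shorewall try" to see exactly which
# parts of the production configuration the test run will replace.
list_overrides() {
    confdir=$1
    for path in "$confdir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        [ -f "$SHOREWALL_DIR/$name" ] && printf '%s\n' "$name"
    done
    return 0
}

# stage_file NAME STAGEDIR
# Copy one base file into STAGEDIR so it can be edited there. Because of the
# lookup rule, only the files you intend to change need to be staged.
stage_file() {
    name=$1
    stagedir=$2
    mkdir -p "$stagedir" || return 1
    [ -f "$SHOREWALL_DIR/$name" ] || return 1
    cp -p "$SHOREWALL_DIR/$name" "$stagedir/$name"
}

# demo_overlay
# Builds a constructed base tree and a test directory in a temp location,
# stages one file, and shows where each file would be resolved from.
demo_overlay() {
    tmp=$(mktemp -d) || return 1
    saved=$SHOREWALL_DIR
    SHOREWALL_DIR=$tmp/base
    mkdir "$tmp/base" "$tmp/test"
    # constructed sample contents, not a real configuration
    printf 'net\tNet\tInternet\n' > "$tmp/base/zones"
    printf 'ACCEPT\tnet\tfw\ttcp\t22\n' > "$tmp/base/rules"
    stage_file rules "$tmp/test"
    printf 'ACCEPT\tnet\tfw\ttcp\t80\n' >> "$tmp/test/rules"
    echo "rules -> $(resolve_config_file "$tmp/test" rules)"   # test copy
    echo "zones -> $(resolve_config_file "$tmp/test" zones)"   # base copy
    echo "files the test run would override: $(list_overrides "$tmp/test")"
    SHOREWALL_DIR=$saved
    rm -rf "$tmp"
}

demo_overlay
```

In practice you would run stage_file against the real /etc/shorewall, edit the staged copy, then hand the staging directory to "shorewall try"; list_overrides is the check worth doing first, since any file you staged but forgot about is also what the test run will pick up.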

When changing the configuration of a production firewall, I recommend the following:

If the configuration starts but doesn't work, just "shorewall restart" to restore the old configuration. If the new configuration fails to start, the "try" command will automatically start the old one for you.

When the new configuration works then just

Updated 9/26/2002 - Tom Eastep

Copyright © 2001, 2002 Thomas M. Eastep.