Starting/Stopping and Monitoring the Firewall
If you have a permanent internet connection such as DSL or Cable, I
recommend that you start the firewall automatically at boot. Once you
have installed "firewall" in your init.d directory, simply type "chkconfig
--add firewall". This will start the firewall in run levels 2-5 and stop
it in run levels 1 and 6. If you want to configure your firewall differently
from this default, use the "--level" option of chkconfig
(see "man chkconfig") or your favorite graphical run-level editor.
Important Note:
If you use dialup, you may want to start the firewall from your /etc/ppp/ip-up.local
script, which runs each time the link comes up. I recommend just placing "shorewall restart" in that script.
You can manually start and stop Shoreline Firewall using the "shorewall"
shell program:
- shorewall start - starts the firewall
- shorewall stop - stops the firewall
- shorewall restart - stops the firewall (if it's running) and then starts it again
- shorewall reset - resets the packet and byte counters in the firewall
- shorewall clear - removes all rules and chains installed by Shoreline Firewall
- shorewall refresh - refreshes the rules involving the broadcast addresses of firewall interfaces and the black and white lists.
Note the difference between stop and clear: after stop the firewall is in a
restrictive state and only hosts you have explicitly permitted for the stopped
state can pass traffic, while after clear there is no packet filtering at all
until you start the firewall again.
The "shorewall" program may also be used to monitor the firewall.
- shorewall status - produces a verbose report about the firewall (iptables -L -n -v)
- shorewall show chain - produces a verbose report about chain (iptables -L chain -n -v)
- shorewall show nat - produces a verbose report about the nat table (iptables -t nat -L -n -v)
- shorewall show tos - produces a verbose report about the mangle table (iptables -t mangle -L -n -v)
- shorewall show log - displays the last 20 packet log entries.
- shorewall show connections - displays the IP connections currently being tracked by the firewall.
- shorewall show tc - displays information about the traffic control/shaping configuration.
- shorewall monitor [ delay ] - continuously displays the firewall status, the last 20 log entries and the nat table. When the log entry display changes, an audible alarm is sounded.
- shorewall hits - produces several reports about the Shorewall packet log messages in the current /var/log/messages file.
- shorewall version - displays the installed version number.
- shorewall check - performs a cursory validation of the zones, interfaces, hosts, rules and policy files. The "check" command does not parse and validate the generated iptables commands, so even though "check" completes successfully, the configuration may still fail to start. See the recommended way to make configuration changes described below.
- shorewall try configuration-directory [ timeout ] - restarts shorewall using the specified configuration; if an error occurs, or if the timeout option is given and the new configuration has been up for that many seconds, shorewall is restarted using the standard configuration.
- shorewall deny, shorewall reject, shorewall accept and shorewall save - implement dynamic blacklisting.
- shorewall logwatch (added in version 1.3.2) - monitors the LOGFILE and produces an audible alarm when new Shorewall messages are logged.
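The reports that "shorewall hits" and "shorewall show log" produce come from the Shorewall packet-log messages in the syslog file. As an added example (not Shorewall's own code), the following shell functions compute the same kind of summaries with awk so they can be run against any saved syslog file. They assume the Shorewall log prefix "Shorewall:<chain>:<disposition>:" followed directly by the kernel's netfilter fields (IN=, SRC=, DST=, PROTO=, DPT=); the lines produced by sample_log are constructed for this example and use documentation (TEST-NET) addresses.

```shell
#!/bin/sh
# Added example, not part of Shorewall: a "hits"-style summary over Shorewall
# packet-log lines with plain awk, so it works on any syslog file or on a
# saved copy of /var/log/messages. It assumes the Shorewall log prefix
# "Shorewall:<chain>:<disposition>:" immediately followed by the kernel's
# netfilter fields (IN= ... SRC= DST= PROTO= DPT=). The sample lines below are
# constructed for this example and use documentation (TEST-NET) addresses.

sample_log() {
cat <<'EOF'
Aug  8 10:00:01 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  8 10:00:02 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  8 10:00:03 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  8 10:00:04 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.1 LEN=78 TOS=0x00 PREC=0x00 TTL=115 ID=3271 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug  8 10:00:05 gw kernel: Shorewall:net2all:REJECT:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.99 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Aug  8 10:00:06 gw sshd[4321]: Accepted publickey for admin from 198.51.100.20 port 51000 ssh2
EOF
}

# hits_by_source FILE -> "count source" lines, most frequent first.
# Only lines carrying the Shorewall prefix are counted; other syslog lines are ignored.
hits_by_source() {
    awk '/Shorewall:/ { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++ }
         END { for (s in n) printf "%d %s\n", n[s], s }' "$1" | sort -rn
}

# hits_by_port FILE -> "count proto/dport" lines, most frequent first.
# Packets without a DPT field (e.g. ICMP) are skipped by this report.
hits_by_port() {
    awk '/Shorewall:/ {
             proto = "?"; dpt = ""
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^PROTO=/) proto = substr($i, 7)
                 if ($i ~ /^DPT=/)   dpt = substr($i, 5)
             }
             if (dpt != "") n[proto "/" dpt]++
         }
         END { for (k in n) printf "%d %s\n", n[k], k }' "$1" | sort -rn
}

# hits_by_disposition FILE -> "count chain:disposition" lines taken from the log prefix,
# which tells you which policy or rule produced the log entry.
hits_by_disposition() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^Shorewall:/) { split($i, a, ":"); n[a[2] ":" a[3]]++ } }
         END { for (k in n) printf "%d %s\n", n[k], k }' "$1" | sort -rn
}
```

Run hits_by_port on a saved copy of /var/log/messages to see which destination ports are being probed; the ICMP line in the sample has no DPT and so is skipped by that report but still counted by the other two.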
The shorewall start, shorewall restart, shorewall check and shorewall try
commands allow you to specify which Shorewall configuration to use:
shorewall [ -c configuration-directory ] {start|restart|check}
shorewall try configuration-directory
If a configuration-directory is specified, each time Shorewall is about to use
a file in /etc/shorewall it first looks in the configuration-directory. If the
file is present there, that file is used; otherwise, the file in /etc/shorewall
is used. Only the files you are changing need to be copied into the
configuration-directory.
When changing the configuration of a production firewall, I recommend the
following:
- mkdir /etc/test
- cd /etc/test
- <copy any files that you need to change from /etc/shorewall to . and change them here>
- shorewall -c . check
- <correct any errors found by check and check again>
- /sbin/shorewall try .
If the configuration starts but doesn't work, just "shorewall restart" to
restore the old configuration; if you are working on a remote firewall, give
"try" a timeout so that it reverts to the old configuration on its own even
if the new rules lock you out. If the new configuration fails to start, the
"try" command automatically starts the old one for you.
When the new configuration works, then just
- cp * /etc/shorewall
- cd
- rm -rf /etc/test
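The following shell functions, added here as an example and not part of Shorewall, wrap the staging procedure above together with the "-c configuration-directory" lookup rule: a file is read from the staging directory if it is present there and from the standard directory otherwise, and "try" is only invoked once "check" has passed. SHOREWALL_BASE and SHOREWALL_BIN are assumed variables introduced for this example so the functions can be exercised against scratch directories and a stub "shorewall" instead of /etc/shorewall and /sbin/shorewall.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: a wrapper around the
# stage / check / try / promote workflow. SHOREWALL_BASE and SHOREWALL_BIN are
# assumed variables (defaults match the paths used in the text) so the functions
# can be run against scratch directories and a stub binary.

SHOREWALL_BASE=${SHOREWALL_BASE:-/etc/shorewall}
SHOREWALL_BIN=${SHOREWALL_BIN:-/sbin/shorewall}

# resolve_config_file DIR NAME
# Print the file Shorewall would read for NAME when started with "-c DIR":
# the copy in DIR if it exists, otherwise the one in SHOREWALL_BASE.
resolve_config_file() {
    if [ -n "$1" ] && [ -f "$1/$2" ]; then
        printf '%s\n' "$1/$2"
    else
        printf '%s\n' "$SHOREWALL_BASE/$2"
    fi
}

# stage_files DIR NAME...
# Create the staging directory and copy only the named files into it for
# editing; every other file keeps coming from SHOREWALL_BASE.
stage_files() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    for f in "$@"; do
        cp "$SHOREWALL_BASE/$f" "$dir/$f" || return 1
    done
}

# try_config DIR [TIMEOUT]
# Run "shorewall -c DIR check" and, only if it passes, "shorewall try DIR [TIMEOUT]".
# A timeout makes Shorewall fall back to the standard configuration by itself,
# which is what you want when the new rules might lock you out of a remote box.
try_config() {
    dir=$1; timeout=${2:-}
    "$SHOREWALL_BIN" -c "$dir" check || {
        echo "check failed for $dir; not starting it" >&2
        return 1
    }
    # $timeout is deliberately unquoted so an empty value adds no argument
    "$SHOREWALL_BIN" try "$dir" $timeout
}

# promote_config DIR
# Copy the staged files over the standard configuration and remove the scratch
# directory. Refuses an empty name, a missing directory, or SHOREWALL_BASE itself.
promote_config() {
    dir=$1
    [ -n "$dir" ] && [ -d "$dir" ] && [ "$dir" != "$SHOREWALL_BASE" ] || return 1
    cp "$dir"/* "$SHOREWALL_BASE"/ || return 1
    rm -rf "$dir"
}
```

With the defaults, "stage_files /etc/test rules; try_config /etc/test 60; promote_config /etc/test" is the procedure above with an automatic revert after 60 seconds should the new rules cut you off before you can confirm they work.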
Updated 8/8/2002 - Tom Eastep
Copyright © 2001, 2002 Thomas M. Eastep.