forked from extern/shorewall_code
307 lines
9.9 KiB
XML
307 lines
9.9 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Shorewall Init</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
|
|
|
<copyright>
|
|
<year>2010</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section>
|
|
<title>Introduction</title>
|
|
|
|
<para>The Shorewall init scripts released from shorewall.net and by most
|
|
distributions start Shorewall after networking. This allows Shorewall to
|
|
detect the network configuration and taylor itself accordingly. It is
|
|
possible to start Shorewall prior to networking but doing so limits the
|
|
set of Shorewall features that can be used.</para>
|
|
|
|
<para>When Shorewall starts after networking, there is the possibility of
|
|
unwanted connections being accepted between the time that an interface
|
|
comes up and the time that Shorewall has finished starting up. Also,
|
|
Shorewall has had no means of reacting when interfaces are brought up and
|
|
down.</para>
|
|
|
|
<para>Beginning with Shorewall 4.4.10, a new package, <firstterm>Shorewall
|
|
Init</firstterm>, is available. Shorewall Init serves two purposes:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>It can 'close' the firewall before the network interfaces are
|
|
brought up during boot.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>It can change the firewall state as the result of interfaces
|
|
being brought up or taken down.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<para>These two features can be controlled independently. Shorewall Init
|
|
can be used together with any combination of the other Shorewall packages.
|
|
Shorewall-init works on RedHat-based, SuSE-based and Debian-based
|
|
distributions.</para>
|
|
</section>
|
|
|
|
<section id="Close">
|
|
<title>Closing the Firewall before the Network Interfaces are brought
|
|
up</title>
|
|
|
|
<para>When Shorewall-init is first installed, it does nothing until you
|
|
configure it.</para>
|
|
|
|
<para>The configuration file is <filename>/etc/default/shorewall-init
|
|
</filename>on Debian-based systems and
|
|
<filename>/etc/sysconfig/shorewall-init</filename> otherwise. There are
|
|
two settings in the file:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>PRODUCTS</term>
|
|
|
|
<listitem>
|
|
<para>Lists the Shorewall packages that you want to integrate with
|
|
Shorewall-init.</para>
|
|
|
|
<para>Example: PRODUCTS="shorewall shorewall6"</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>IFUPDOWN</term>
|
|
|
|
<listitem>
|
|
<para>When set to 1, enables integration with NetworkManager and the
|
|
ifup/ifdown scripts.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para>To close your firewall before networking starts:</para>
|
|
|
|
<orderedlist numeration="loweralpha">
|
|
<listitem>
|
|
<para>In the Shorewall-init configuration file, set PRODUCTS to the
|
|
firewall products installed on your system.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Be sure that your current firewall script(s) (normally in
|
|
<filename>/var/lib/<product>/firewall</filename>) is(are)
|
|
compiled with the 4.4.10 compiler.</para>
|
|
|
|
<para>Shorewall and Shorewall6 users can execute these
|
|
commands:</para>
|
|
|
|
<simplelist>
|
|
<member>shorewall compile</member>
|
|
|
|
<member><command>shorewall6 compile</command></member>
|
|
</simplelist>
|
|
|
|
<para>Shorewall-lite and Shorewall6-lite users can execute these
|
|
commands on the administrative system:</para>
|
|
|
|
<simplelist>
|
|
<member><command>shorewall export
|
|
<replaceable>firewall-name-or-ip-address</replaceable></command></member>
|
|
|
|
<member><command>shorewall6 export
|
|
<replaceable>firewall-name-or-ip-address</replaceable></command></member>
|
|
</simplelist>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<para>That's all that is required.</para>
|
|
</section>
|
|
|
|
<section id="NM">
|
|
<title>Integration with NetworkManager and ifup/ifdown Scripts</title>
|
|
|
|
<para>To integrate with NetworkManager and ifup/ifdown, additional steps
|
|
are required. You probably don't want to enable this feature if you run a
|
|
link status monitor like FOOLSM.</para>
|
|
|
|
<orderedlist numeration="loweralpha">
|
|
<listitem>
|
|
<para>In the Shorewall-init configuration file, set IFUPDOWN=1.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>In your Shorewall interfaces file(s), set the
|
|
<option>required</option> option on any interfaces that must be up in
|
|
order for the firewall to start. At least one interface must have the
|
|
<option>required</option> or <option>optional</option> option if you
|
|
perform the next optional step.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Optional) -- If you have specified at least one
|
|
<option>required</option> or <option>optional</option> interface, you
|
|
can then disable automatic firewall startup at boot time. On Debian
|
|
systems, set startup=0 in
|
|
<filename>/etc/default/<replaceable>product</replaceable></filename>.
|
|
On other systems, use your service startup configuration tool
|
|
(chkconfig, insserv, ...) to disable startup.</para>
|
|
|
|
<warning>
|
|
<para>If your system uses Upstart as it's system initialization
|
|
daemon, you should not disable startup. Upstart is standard on
|
|
recent Ubuntu and Fedora releases and is optional on Debian.</para>
|
|
</warning>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<para>The following actions occur when an interface comes up:</para>
|
|
|
|
<informaltable>
|
|
<tgroup cols="3">
|
|
<tbody>
|
|
<row>
|
|
<entry><emphasis role="bold">FIREWALL STATE</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">INTERFACE</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">ACTION</emphasis></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Any</entry>
|
|
|
|
<entry>Required</entry>
|
|
|
|
<entry>start</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>stopped</entry>
|
|
|
|
<entry>Optional</entry>
|
|
|
|
<entry>start</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>started</entry>
|
|
|
|
<entry>Optional</entry>
|
|
|
|
<entry>enable</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>started</entry>
|
|
|
|
<entry>Any</entry>
|
|
|
|
<entry>restart</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</informaltable>
|
|
|
|
<para>The following actions occur when an interface goes down:</para>
|
|
|
|
<informaltable>
|
|
<tgroup cols="3">
|
|
<tbody>
|
|
<row>
|
|
<entry><emphasis role="bold">FIREWALL STATE</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">INTERFACE</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">ACTION</emphasis></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Any</entry>
|
|
|
|
<entry>Required</entry>
|
|
|
|
<entry>stop</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>stopped</entry>
|
|
|
|
<entry>Optional</entry>
|
|
|
|
<entry>start</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>started</entry>
|
|
|
|
<entry>Optional</entry>
|
|
|
|
<entry>disable</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>started</entry>
|
|
|
|
<entry>Any</entry>
|
|
|
|
<entry>restart</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</informaltable>
|
|
|
|
<para>For optional interfaces, the
|
|
<filename>/var/lib/<replaceable>product</replaceable>/<replaceable>interface</replaceable>.state</filename>
|
|
files are maintained to reflect the state of the interface so that they
|
|
may be used by the standard <firstterm>isusable</firstterm> script. Please
|
|
note that the action is carried out using the current compiled script; the
|
|
configuration is not recompiled.</para>
|
|
|
|
<para>A new option has been added to <filename>shorewall.conf</filename>
|
|
and <filename>shorewall6.conf</filename>. The REQUIRE_INTERFACE option
|
|
determines the outcome when an attempt to start/restart/restore/refresh
|
|
the firewall is made and none of the optional interfaces are available.
|
|
With REQUIRE_INTERFACE=No (the default), the operation is performed. If
|
|
REQUIRE_INTERFACE=Yes, then the operation fails and the firewall is placed
|
|
in the stopped state. This option is suitable for a laptop with both
|
|
ethernet and wireless interfaces. If either come up, the firewall starts.
|
|
If neither comes up, the firewall remains in the stopped state.</para>
|
|
|
|
<para>Similarly, if an optional interface goes down and there are no
|
|
optional interfaces remaining in the up state, then the firewall is
|
|
stopped.</para>
|
|
|
|
<para>On Debian-based systems, during system shutdown the firewall is
|
|
opened prior to network shutdown (<command>/etc/init.d/shorewall
|
|
stop</command> performs a 'clear' operation rather than a 'stop'). This is
|
|
required by Debian standards. You can change this default behavior by
|
|
setting SAFESTOP=1 in <filename>/etc/default/shorewall</filename>
|
|
(<filename>/etc/default/shorewall6</filename>, ...).</para>
|
|
</section>
|
|
</article>
|