Thijs Kinkhorst wrote:
>> /etc/init.d/shorewall stop will keep applied some of the shorewall settings
>
> I experienced a problem that I think reduces to the same issue: I executed
> "/etc/init.d/shorewall stop", thinking that it would disable the shorewall
> rules and hence enable all traffic. However, running
> "/etc/init.d/shorewall stop" left my system totally unreachable. I think
> that's undesirable behaviour.
Lorenzo has changed the behaviour of the init script for Debian to make this the default behaviour for the benefit of those who are used to Debian init script behaviour. However, for those experienced with Shorewall, this is extremely undesirable behaviour. Stopping shorewall is semantically equivalent to saying "I don't want any more traffic passing through my firewall." The appropriate way to clear out Shorewall's rules is 'shorewall clear' (which is now called by '/etc/init.d/shorewall stop'). If you want your system to be reachable when you execute 'shorewall stop', then you should put the appropriate entries in /etc/shorewall/routestopped.

Lorenzo, I think at the very least we need a clear, prominent comment in README.Debian that highlights the difference between 'shorewall stop' and '/etc/init.d/shorewall stop'. I personally think the discrepancy is undesirable and a better approach would be educating users about what 'shorewall stop' and 'shorewall clear' are designed to do.

-- 
Paul <http://paulgear.webhop.net>
-- 
Did you know? Using Microsoft Internet Explorer can make your computer less secure. Find out more at <http://browsehappy.com>.
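The lock-out Thijs describes comes down to the difference Paul draws between 'shorewall stop' (default DROP, with only the hosts in /etc/shorewall/routestopped still allowed through) and 'shorewall clear' (no rules, everything accepted). The script below is an added example written for this thread, not Shorewall's own code or its Debian init script: it parses a constructed routestopped sample, answers "will my admin host still reach this box after 'shorewall stop'?", and prints the iptables rules each of the two states amounts to. It assumes a two-column routestopped format (INTERFACE, HOST(S), with '-' meaning any host on that interface and commas separating several networks), and its stopped ruleset is a simplified model that only adds loopback on top of the routestopped exceptions.

```python
"""Model of 'shorewall stop' vs 'shorewall clear' from the thread above.

Added example, not Shorewall's own code. Assumed routestopped format:
INTERFACE  HOST(S)   ('-' = any host on that interface; comma-separated nets).
"""
import ipaddress

# Constructed sample of /etc/shorewall/routestopped for this example.
ROUTESTOPPED_SAMPLE = """\
# INTERFACE   HOST(S)
eth0          192.168.1.0/24,192.168.2.10   # admin LAN and a jump host
eth1          -
"""


def parse_routestopped(text):
    """Return [(interface, [networks])]; an empty network list means any host."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        iface = fields[0]
        hosts = fields[1] if len(fields) > 1 else "-"
        nets = [] if hosts == "-" else [
            ipaddress.ip_network(h, strict=False) for h in hosts.split(",")
        ]
        entries.append((iface, nets))
    return entries


def reachable_when_stopped(entries, iface, src_ip):
    """True if a packet from src_ip arriving on iface still gets in after 'shorewall stop'."""
    if iface == "lo":                      # this model always accepts loopback
        return True
    addr = ipaddress.ip_address(src_ip)
    for entry_iface, nets in entries:
        if entry_iface == iface and (not nets or any(addr in n for n in nets)):
            return True
    return False


def stopped_ruleset(entries):
    """iptables commands for the modelled 'stopped' state: DROP by default,
    ACCEPT only for loopback and the routestopped entries."""
    rules = [
        "iptables -F",
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
    ]
    for iface, nets in entries:
        if not nets:                       # '-' entry: whole interface
            rules.append(f"iptables -A INPUT -i {iface} -j ACCEPT")
            rules.append(f"iptables -A OUTPUT -o {iface} -j ACCEPT")
        for net in nets:
            rules.append(f"iptables -A INPUT -i {iface} -s {net} -j ACCEPT")
            rules.append(f"iptables -A OUTPUT -o {iface} -d {net} -j ACCEPT")
    return rules


def cleared_ruleset():
    """iptables commands for the 'cleared' state: no rules, everything accepted."""
    return [
        "iptables -F",
        "iptables -X",
        "iptables -P INPUT ACCEPT",
        "iptables -P OUTPUT ACCEPT",
        "iptables -P FORWARD ACCEPT",
    ]


if __name__ == "__main__":
    entries = parse_routestopped(ROUTESTOPPED_SAMPLE)
    # Check the paths you administer the box over; False means 'stop' locks you out.
    for iface, ip in [("eth0", "192.168.1.77"), ("eth0", "203.0.113.9"), ("eth1", "10.9.8.7")]:
        print(f"{ip} via {iface} after 'shorewall stop': {reachable_when_stopped(entries, iface, ip)}")
    print("\n--- stopped ---\n" + "\n".join(stopped_ruleset(entries)))
    print("\n--- cleared ---\n" + "\n".join(cleared_ruleset()))
```

Run it with the interface and source address you actually administer from; an address that is not covered by a routestopped entry on its interface is exactly the case that left Thijs's system unreachable, and the fix is to add that entry before ever relying on 'stop' rather than 'clear'.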