On 11/16/2014 9:29 AM, Thomas D. wrote:
> Hi,
>
> on Gentoo we are going to enable shorewall-init per default.
>
> While testing I noticed that shorewall-init doesn't honor the
> "STARTUP_ENABLED" configuration option.
>
> Is this a wanted behavior?
STARTUP_ENABLED is only implemented in Shorewall and Shorewall6 -- it has
no meaning in Shorewall-lite and Shorewall6-lite. When using those
products, the .conf file used to generate the firewall script is
generally located on a centralized administrative system.
>
> Imagine the following two situations:
>
> S1) Fresh installation.
>
> You have just installed shorewall, shorewall6 and shorewall-init.
> You only configured shorewall6. You don't want to use shorewall yet.
>
> On reboot, shorewall-init will first try to compile shorewall, which
> will fail:
>
>> Initializing "Shorewall-based firewalls": Compiling...
>> Processing /etc/shorewall/params ...
>> Processing /etc/shorewall/shorewall.conf...
>> Loading Modules...
>> ERROR: The 'zones' file does not exist or has zero size
>
> shorewall-init will stop here and doesn't try to initialize shorewall6.
>
> => The first failing product will prevent all the following products
> from initializing.
>
> You could argue that if someone doesn't want to use shorewall yet, he/she
> shouldn't add it to "PRODUCTS" in his/her shorewall-init configuration
> but I would suggest: shorewall-init should continue with the next
> product instead. See the next scenario why this might be useful.
I can agree that it would be useful for Shorewall-init to continue with
the next product rather than bailing out on the first error.
>
>
> S2) Imagine you have a working shorewall system (with shorewall and
> shorewall6 and shorewall-init which will initialize shorewall and
> shorewall6 on boot). Now you decide to disable shorewall for some
> reason. You do this by setting "STARTUP_ENABLED=No" in
> "/etc/shorewall/shorewall.conf".
>
> If you now restart, shorewall-init will check the firewall script
> ("shorewall compile -c" won't fail) and finally call
> "/var/lib/shorewall/firewall stop" which will block any IPv4 traffic.
That will work for Shorewall and Shorewall6, but not for the -lite
products.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
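The two scenarios in the thread come down to one init loop that (a) skips a product whose shorewall.conf says STARTUP_ENABLED=No instead of compiling it and running "firewall stop", and (b) records a failing product and carries on with the next one rather than stopping at the first error. The following POSIX sh script is an added example illustrating that loop; it is not Shorewall-init's own code. The conf texts, the FAILING_PRODUCTS list and the functions conf_for, startup_enabled and compile_product are constructed stand-ins for the real /etc/<product>/<product>.conf files and for "<product> compile -c". Products with no conf text (the -lite products, which per Tom have no STARTUP_ENABLED semantics) are treated as enabled.

```shell
#!/bin/sh
# Added example, not Shorewall-init's own code: an init loop that honours
# STARTUP_ENABLED per product and continues with the next product after a
# failure instead of stopping at the first one.

# Constructed sample configuration text, standing in for the
# /etc/<product>/<product>.conf files (scenario S2: shorewall disabled).
SHOREWALL_CONF='STARTUP_ENABLED=No
LOG_LEVEL="info"'
SHOREWALL6_CONF='STARTUP_ENABLED=Yes'

# Constructed sample: products whose "compile -c" step fails (scenario S1:
# the zones file is missing).
FAILING_PRODUCTS="shorewall-lite"

# Return the conf text for a product; an empty string for products that have
# no STARTUP_ENABLED semantics (the -lite products, per the thread).
conf_for() {
    case "$1" in
        shorewall)  printf '%s\n' "$SHOREWALL_CONF" ;;
        shorewall6) printf '%s\n' "$SHOREWALL6_CONF" ;;
        *)          printf '' ;;
    esac
}

# Parse STARTUP_ENABLED from conf text: returns 1 when set to No (any case),
# 0 when set to anything else or absent.
startup_enabled() {
    value=$(printf '%s\n' "$1" | sed -n 's/^STARTUP_ENABLED=//p' | tr -d '"' | tail -n 1)
    case "$value" in
        [Nn][Oo]) return 1 ;;
        *)        return 0 ;;
    esac
}

# Hypothetical stand-in for "<product> compile -c": fails for products listed
# in FAILING_PRODUCTS, succeeds for all others.
compile_product() {
    for f in $FAILING_PRODUCTS; do
        [ "$f" = "$1" ] && return 1
    done
    return 0
}

# Process every product in $1 (space separated). Disabled products are
# skipped, failing products are reported and the loop carries on. Prints the
# space-separated list of failed products; exit status 0 only if none failed.
init_all() {
    failed=""
    for product in $1; do
        if ! startup_enabled "$(conf_for "$product")"; then
            echo "Skipping $product: STARTUP_ENABLED=No" >&2
            continue
        fi
        if compile_product "$product"; then
            echo "Initialized $product" >&2
        else
            echo "ERROR: $product failed to compile, continuing with next product" >&2
            failed="$failed $product"
        fi
    done
    failed="${failed# }"
    echo "$failed"
    [ -z "$failed" ]
}

# Example run over a constructed PRODUCTS list.
PRODUCTS="shorewall shorewall6 shorewall-lite"
if failed_list=$(init_all "$PRODUCTS"); then
    echo "All enabled products initialized"
else
    echo "Failed products: $failed_list"
fi
```

With the constructed inputs, shorewall is skipped because its conf disables startup, shorewall6 initializes, and shorewall-lite is reported as failed without preventing the others from being processed; the non-zero exit status still lets the init system flag the partial failure.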
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
