Hi, I'm trying to move from Shorewall to Shorewall-Lite. Could you please read through this quick guide and see if I've misunderstood something (there are a few things I'm not sure of)?
Safely migrating from Shorewall to Shorewall-Lite on a non-Debian distro (pseudo-algorithm)

CAVEATS:

SW_ADMINISTRATIVE_SYSTEM=10.215.144.92
SW_TARGET_SYSTEM_1=10.215.144.91
SW_TARGET_SYSTEM_1_WHERE_ADM_IFACE=eth0
SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR=/some/partition/elsewhere/shorewall/lite/1

1) on shorewall administrative system:

a) mkdir -p $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR

b) rsync -a root@$SW_TARGET_SYSTEM_1:/etc/shorewall/ $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/

c) edit $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/stoppedrules and add:
ACCEPT $SW_TARGET_SYSTEM_1_WHERE_ADM_IFACE:$SW_ADMINISTRATIVE_SYSTEM $FW tcp 22

[QUESTION] Is tcp/22 (ssh) enough?

d) edit $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/shorewall.conf and modify CONFIG_PATH.

[QUESTION] The current value (default) is:
CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
In my current example, does it have to be the following?
CONFIG_PATH=":${SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR}:${SHAREDIR}/shorewall"

2) on shorewall-lite target system:

a) install shorewall-lite (without uninstalling shorewall)

b) /usr/share/shorewall-lite/shorecap > /tmp/capabilities
rsync -a /tmp/capabilities root@$SW_ADMINISTRATIVE_SYSTEM:$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
rm /tmp/capabilities

[QUESTION] Is the above destination path correct?

c) [QUESTION] It's not clear to me where and how EXPORTPARAMS should be set and why. Default is undefined. Should I create it? In which file?
In shorewall.conf @$SW_ADMINISTRATIVE_SYSTEM:$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/?
In shorewall.conf @$SW_ADMINISTRATIVE_SYSTEM:/etc/shorewall/?

d) rsync -a /usr/share/shorewall/shorewallrc root@$SW_ADMINISTRATIVE_SYSTEM:$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/

[QUESTION] Is this step necessary if I want to compile the firewall script for testing purposes?
3) on shorewall administrative system:

a) cd $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR
shorewall -e $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR /tmp/fw_$SW_TARGET_SYSTEM_1

===== TEST ======

To test the new compiled firewall script:

1) on shorewall administrative system:
rsync -a /tmp/fw_$SW_TARGET_SYSTEM_1 root@$SW_TARGET_SYSTEM_1:/tmp/

2) on shorewall-lite target system (still has shorewall):

a) shorewall stop && /tmp/fw_$SW_TARGET_SYSTEM_1 start

b) make your tests.

b1) If errors:
/tmp/fw_$SW_TARGET_SYSTEM_1 stop ; shorewall start
Do your research, but at least everything is back up again and working.

b2) If OK: connect to shorewall administrative system and run:
cd $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR
/sbin/shorewall remote-start $SW_TARGET_SYSTEM_1
and eventually:
/sbin/shorewall remote-reload $SW_TARGET_SYSTEM_1

Thanks,

Vieri

PS: 'shorewall remote-getcaps' is the same as using shorecap or as 'shorewall-lite show -f capabilities'?

Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
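Step 2a/2b of the test above stops the working firewall and starts the compiled script by hand, with b1 as the manual way back. The script below is an added example, not part of Vieri's post and not Shorewall's own code: it performs the same switch on the target with a timed rollback, keeping the new rules only if the admin creates a confirmation file from a fresh ssh session before the grace period runs out. The confirmation path, the grace period and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or from Shorewall): run step 2a of the
# test with an automatic rollback, so a rule that cuts off the admin session
# does not leave the box waiting for someone at the console to run step b1.
#
# switch_with_rollback NEW_SCRIPT OLD_STOP OLD_START CONFIRM_FILE GRACE
#   NEW_SCRIPT   compiled script copied to the target, e.g. /tmp/fw_10.215.144.91
#   OLD_STOP     command that stops the current firewall, e.g. "shorewall stop"
#   OLD_START    command that restores it, e.g. "shorewall start"
#   CONFIRM_FILE file the admin creates from a NEW ssh session to keep the rules
#   GRACE        seconds to wait for CONFIRM_FILE before rolling back
# Returns 0 if confirmed, 1 if rolled back after GRACE seconds, 2 if the new
# script failed to start (the old firewall is restarted in both failure cases).
switch_with_rollback() {
    new_script=$1; old_stop=$2; old_start=$3; confirm=$4; grace=$5

    # Keep going even if our own ssh session is the first casualty of a bad rule.
    trap '' HUP

    rm -f "$confirm"                 # a stale confirmation must not count
    sh -c "$old_stop"
    if ! "$new_script" start; then
        sh -c "$old_start"
        return 2
    fi

    waited=0
    while [ "$waited" -lt "$grace" ]; do
        if [ -e "$confirm" ]; then
            return 0                 # admin got back in: keep the new rules
        fi
        sleep 1
        waited=$((waited + 1))
    done

    # Nobody confirmed in time: assume lockout and revert (step b1 of the post).
    "$new_script" stop
    sh -c "$old_start"
    return 1
}

# Direct use on the target, mirroring the values in the post (names assumed):
#   ./switch.sh --run /tmp/fw_10.215.144.91 /tmp/fw_confirmed 120
# then, from a fresh ssh session within 120 s:  touch /tmp/fw_confirmed
if [ "${1:-}" = "--run" ]; then
    switch_with_rollback "$2" "shorewall stop" "shorewall start" "$3" "$4"
fi
```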