Hi,
I'm trying to move from Shorewall to Shorewall-Lite. Could you please
read through this quick guide and see if I've misunderstood something
(there are a few things I'm not sure of)?
Safely migrating from Shorewall to Shorewall-Lite on a non-Debian distro (pseudo-algorithm)
CAVEATS:
SW_ADMINISTRATIVE_SYSTEM=10.215.144.92
SW_TARGET_SYSTEM_1=10.215.144.91
SW_TARGET_SYSTEM_1_WHERE_ADM_IFACE=eth0
SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR=/some/partition/elsewhere/shorewall/lite/1
1) on shorewall administrative system:
a) mkdir -p $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR
b) rsync -a root@$SW_TARGET_SYSTEM_1:/etc/shorewall/ $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
c) edit $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/stoppedrules and add:
ACCEPT $SW_TARGET_SYSTEM_1_WHERE_ADM_IFACE:$SW_ADMINISTRATIVE_SYSTEM $FW tcp 22
[QUESTION] Is tcp/22 (ssh) enough?
d) edit $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/shorewall.conf and
modify CONFIG_PATH.
[QUESTION] The current value (default) is:
CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
In my current example, does it have to be the following?
CONFIG_PATH=":${SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR}:${SHAREDIR}/shorewall"
2) on shorewall-lite target system:
a) install shorewall-lite (without uninstalling shorewall)
b) /usr/share/shorewall-lite/shorecap > /tmp/capabilities
rsync -a /tmp/capabilities root@$SW_ADMINISTRATIVE_SYSTEM:$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
rm /tmp/capabilities
[QUESTION] Is the above destination path correct?
c) [QUESTION] It's not clear to me where and how EXPORTPARAMS should
be set and why. Default is undefined.
Should I create it?
In which file?
In shorewall.conf @$SW_ADMINISTRATIVE_SYSTEM:$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/?
In shorewall.conf @$SW_ADMINISTRATIVE_SYSTEM:/etc/shorewall/?
d) rsync -a /usr/share/shorewall/shorewallrc root@$SW_ADMINISTRATIVE_SYSTEM:$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
[QUESTION] Is this step necessary if I want to compile the firewall
script for testing purposes?
3) on shorewall administrative system:
a)
cd $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR
shorewall -e $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR /tmp/fw_$SW_TARGET_SYSTEM_1
===== TEST ======
To test the new compiled firewall script:
1) on shorewall administrative system:
rsync -a /tmp/fw_$SW_TARGET_SYSTEM_1 root@$SW_TARGET_SYSTEM_1:/tmp/
2) on shorewall-lite target system (still has shorewall):
a) shorewall stop && /tmp/fw_$SW_TARGET_SYSTEM_1 start
b) make your tests.
b1) If errors:
/tmp/fw_$SW_TARGET_SYSTEM_1 stop ; shorewall start
Do your research, but at least everything is back up again and working.
b2) If OK:
connect to shorewall administrative system and run:
cd $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR
/sbin/shorewall remote-start $SW_TARGET_SYSTEM_1
and eventually:
/sbin/shorewall remote-reload $SW_TARGET_SYSTEM_1
Thanks,
Vieri
PS:
Is 'shorewall remote-getcaps' the same as using shorecap or as
'shorewall-lite show -f capabilities'?
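As an added example, not part of Vieri's post or of Shorewall itself: a POSIX shell pre-flight check for the export directory built in steps 1 and 2b, to be run on the administrative system before compiling. The function name and the checks are this example's own; it assumes the directory holds the stoppedrules, capabilities and shorewall.conf files named in the post, and it flags the two mistakes that would lock the administrator out of the target or compile against the wrong kernel's capabilities.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Shorewall code): sanity-check an
# export directory before "shorewall -e DIR OUTPUT" is run on the admin box.
#
# preflight_export_dir DIR ADMIN_IP IFACE
#   Returns 0 when DIR looks safe to compile for the remote lite system,
#   1 otherwise; every failed check is reported on stderr.
preflight_export_dir() {
    dir=$1
    admin=$2
    iface=$3
    rc=0

    # Escape the dots of the IP so they match literally in the ERE below.
    admin_re=$(printf '%s' "$admin" | sed 's/\./\\./g')

    # 1) stoppedrules must ACCEPT the admin host to $FW on tcp/22; otherwise
    #    "shorewall stop" on the target drops the ssh session needed to recover.
    if ! grep -Eq '^ACCEPT[[:space:]]+'"${iface}:${admin_re}"'[[:space:]]+\$FW[[:space:]]+tcp[[:space:]]+22([[:space:]]|$)' \
            "$dir/stoppedrules" 2>/dev/null; then
        echo "stoppedrules: no ACCEPT from ${iface}:${admin} to \$FW tcp 22" >&2
        rc=1
    fi

    # 2) The capabilities file written by shorecap on the target must exist and
    #    be non-empty; without it the compiler would probe the admin system's
    #    own kernel instead of the target's.
    if [ ! -s "$dir/capabilities" ]; then
        echo "capabilities: missing or empty (run shorecap on the target)" >&2
        rc=1
    fi

    # 3) Warning only: a CONFIG_PATH that still names ${CONFDIR}/shorewall can
    #    pull files from the admin system's own /etc/shorewall into the build.
    if grep -q '^CONFIG_PATH=.*\${CONFDIR}/shorewall' "$dir/shorewall.conf" 2>/dev/null; then
        echo "warning: CONFIG_PATH still references \${CONFDIR}/shorewall" >&2
    fi

    return $rc
}
```

Run it as `preflight_export_dir "$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR" "$SW_ADMINISTRATIVE_SYSTEM" "$SW_TARGET_SYSTEM_1_WHERE_ADM_IFACE"` with the variables from the post and only compile when it exits 0.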
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users