I would suggest you read/reread (1), as it contains some answers to
your questions.
It would also be good to make your questions as simple as possible (not
using variables ...).
Also, testing on a non-production system might be a good thing.

Inline replying.

On 12/3/2019 2:47 PM, Vieri Di Paola wrote:
> Hi,
> 
> I'm trying to move from Shorewall to Shorewall-Lite. Could you please
> read through this quick guide and see if I've misunderstood something
> (there are a few things I'm not sure of)?
> 
> Safely migrating from Shorewall to Shorewall-Lite on a non-Debian
> distro (pseudo-algorithm)
> 
> CAVEATS:
> SW_ADMINISTRATIVE_SYSTEM=10.215.144.92
> SW_TARGET_SYSTEM_1=10.215.144.91
> SW_TARGET_SYSTEM_1_WHERE_ADM_IFACE=eth0
> SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR=/some/partition/elsewhere/shorewall/lite/1
> 
> 1) on shorewall administrative system:
> 
> a) mkdir -p $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR
> 
> b) rsync -a root@$SW_TARGET_SYSTEM_1:/etc/shorewall/ $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
> 

Basically, you need to copy the configuration files from the firewall
systems to the administrative system.

> c) edit $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/stoppedrules and add:
> ACCEPT $SW_TARGET_SYSTEM_1_WHERE_ADM_IFACE:$SW_ADMINISTRATIVE_SYSTEM $FW tcp 22
> 
> [QUESTION] Is tcp/22 (ssh) enough?
> 

Yes, see (1).

> d) edit $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/shorewall.conf and
> modify CONFIG_PATH.
> 
> [QUESTION] The current value (default) is:
> CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
> In my current example, does it have to be the following?
> CONFIG_PATH=":${SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR}:${SHAREDIR}/shorewall"
> 

Cannot answer this question without more information.

> 2) on shorewall-lite target system:
> 
> a) install shorewall-lite (without uninstalling shorewall)
> 

See (1).

> b) /usr/share/shorewall-lite/shorecap > /tmp/capabilities
> rsync -a /tmp/capabilities root@$SW_ADMINISTRATIVE_SYSTEM:$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
> rm /tmp/capabilities
>
> [QUESTION] Is the above destination path correct?
> 

Use 'remote-getrc' to do that.

> d) rsync -a /usr/share/shorewall/shorewallrc root@$SW_ADMINISTRATIVE_SYSTEM:$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
> [QUESTION] Is this step necessary if I want to compile the firewall
> script for testing purposes?
> 

This file is required for compilation only.

> 3) on shorewall administrative system:
> 
> a)
> cd $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR
> shorewall compile -e $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR /tmp/fw_$SW_TARGET_SYSTEM_1
> 

Shorewall-lite only requires 'firewall' and 'firewall.conf'.

> ===== TEST ======
> 
> To test the new compiled firewall script:
> 
> 1) on shorewall administrative system:
> rsync -a /tmp/fw_$SW_TARGET_SYSTEM_1 root@$SW_TARGET_SYSTEM_1:/tmp/
> 

See (A) above.

> 
> PS:
> 'shorewall remote-getcaps' is the same as using shorecap or as
> 'shorewall-lite show -f capabilities'?
> 

See (1) -- 'remote-getrc' and 'remote-getcaps' will pull the
corresponding generated file to the administrative system.


1)  http://shorewall.org/Shorewall-Lite.html

-Matt
-- 
Matt Darfeuille


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
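The poster's pseudo-algorithm, as an added shell example that is not part of the original thread or of the Shorewall project: it wires the steps above into functions, keeps the stoppedrules edit idempotent, and refuses to compile until the staged directory holds what an export build needs. The sw_* function names and the SW_MIGRATE_RUN switch are mine; the addresses and paths are the ones from the post. It assumes rsync, root ssh access from the admin host to the target, and a Shorewall 5.2 or later admin system (for remote-getcaps/remote-getrc). CONFIG_PATH is left untouched, which assumes the staged directory holds every file the target's configuration needs.

```shell
#!/bin/sh
# Added example (not from the post or the Shorewall project): the migration
# steps as reusable functions. Function names (sw_*) are my own; the host
# values come from the post. Assumed tools: rsync, ssh, and the shorewall
# commands compile -e, remote-getcaps and remote-getrc (the remote-get*
# commands need Shorewall 5.2 or later on the administrative system).
set -u

ADMIN_IP=10.215.144.92                                  # SW_ADMINISTRATIVE_SYSTEM
TARGET=10.215.144.91                                    # SW_TARGET_SYSTEM_1
ADM_IFACE=eth0                                          # interface facing the admin host
STAGE_DIR=/some/partition/elsewhere/shorewall/lite/1    # per-target directory on the admin host

# The stoppedrules entry that keeps ssh from the admin host open while the
# target's firewall is stopped. Columns: ACTION SOURCE DEST PROTO DPORT.
sw_admin_rule() {
    printf 'ACCEPT\t%s:%s\t$FW\ttcp\t22\n' "$1" "$2"
}

# Append a rule to a stoppedrules file only if it is not already there, so the
# procedure can be re-run without duplicating entries. Succeeds when the file
# contains the rule afterwards.
sw_ensure_rule() {
    file=$1
    rule=$2
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF -- "$rule" "$file"; then
        printf '%s\n' "$rule" >> "$file"
    fi
    grep -qxF -- "$rule" "$file"
}

# Refuse to compile until the staging directory holds the three things an
# export build depends on: the target's shorewall.conf, its capabilities file
# and its shorewallrc. Prints the first missing file and fails.
sw_stage_ready() {
    dir=$1
    for f in shorewall.conf capabilities shorewallrc; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            return 1
        fi
    done
    return 0
}

# Step 1 (admin system): copy the target's /etc/shorewall into the staging
# directory and add the ssh stoppedrule.
sw_stage_target() {
    mkdir -p "$STAGE_DIR"
    rsync -a "root@$TARGET:/etc/shorewall/" "$STAGE_DIR/"
    sw_ensure_rule "$STAGE_DIR/stoppedrules" "$(sw_admin_rule "$ADM_IFACE" "$ADMIN_IP")"
}

# Step 2 (admin system): let shorewall fetch the target's capabilities and
# shorewallrc itself instead of running shorecap and rsync by hand.
sw_fetch_target_files() {
    shorewall remote-getcaps "$STAGE_DIR" "$TARGET"
    shorewall remote-getrc "$STAGE_DIR" "$TARGET"
}

# Step 3 (admin system): compile for export. Passing STAGE_DIR makes the
# compiler look there first; anything missing from STAGE_DIR is still taken
# from CONFIG_PATH on the admin host, which is why step 1 stages the target's
# whole /etc/shorewall rather than a few files.
sw_compile_target() {
    sw_stage_ready "$STAGE_DIR" || return 1
    shorewall compile -e "$STAGE_DIR" "/tmp/fw_$TARGET"
}

# Test step: stage the script and its .conf on the target under /tmp without
# activating them; the script plus its .conf is all Shorewall-lite needs.
sw_push_for_test() {
    rsync -a "/tmp/fw_$TARGET" "/tmp/fw_$TARGET.conf" "root@$TARGET:/tmp/"
}

# Only run the network steps when explicitly asked, so the file can be sourced
# for its helpers without touching any host.
if [ "${SW_MIGRATE_RUN:-0}" = 1 ]; then
    sw_stage_target && sw_fetch_target_files && sw_compile_target && sw_push_for_test
fi
```

Run the file with SW_MIGRATE_RUN=1 to execute the network steps against the target; source it without that variable to get only the helpers. Once the staged script is known good, `shorewall export "$STAGE_DIR" root@$TARGET:/tmp` does the compile plus copy of the script and its .conf in one command.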