On 12/4/2019 4:58 PM, Vieri Di Paola wrote:
> On Wed, Dec 4, 2019 at 4:07 PM Matt Darfeuille <[email protected]> wrote:
>>
>
>>> b) rsync -a root@$SW_TARGET_SYSTEM_1:/etc/shorewall/
>>> $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
>>>
>>
>> Basically, you need to copy the configuration files from the firewall
>> systems to the administrative system.
>
> OK, I guess I can create a directory anywhere and to my liking, "as
> long as I add it in CONFIG_PATH within shorewall.conf in that
> directory". Is the second half of my sentence correct?
>
Your assumption is correct; however, the following is enough:
CONFIG_PATH="/usr/share/shorewall"
>
>>> 2) on shorewall-lite target system:
>>>
>>> a) install shorewall-lite (without uninstalling shorewall)
>>>
>>
>> See (1).
>
> The guide suggests to uninstall shorewall right away.
> Here, I'm trying to keep both systems up so I can quickly revert.
>
From my point of view, you are out of luck here.
>>> b) /usr/share/shorewall-lite/shorecap > /tmp/capabilities
>>> rsync -a /tmp/capabilities
>>> root@$SW_ADMINISTRATIVE_SYSTEM:$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
>>> rm /tmp/capabilities
>>>
>>> [QUESTION] Is the above destination path correct?
>>>
>>
>> Use 'remote-getrc' to do that.
>
> Do you mean I should use remote-getcaps from the administrative
> system? Isn't remote-getrc for shorewallrc?
>
Yes, my bad; all 'remote-*' commands are to be used on the
administrative system exclusively.
The command 'remote-getcaps' will capture the capabilities file while
'remote-getrc' will capture 'shorewallrc'.
>>
>>> d) rsync -a /usr/share/shorewall/shorewallrc
>>> root@$SW_ADMINISTRATIVE_SYSTEM:$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
>>> [QUESTION] Is this step necessary if I want to compile the firewall
>>> script for testing purposes?
>>>
>>
>> This file is required for compilation only.
>
> So, if I need to compile then can I get it by running remote-getrc
> from the administrative system?
>
Yes, you are correct.
>>> 3) on shorewall administrative system:
>>>
>>> a)
>>> cd $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR
>>> shorewall -e $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR
>>> /tmp/fw_$SW_TARGET_SYSTEM_1
>>>
>>
>> Shorewall-lite only requires 'firewall' and 'firewall.conf'.
>
> OK, but isn't my command generating the same script with a different name?
>
The following command as non-root user will generate the required files
(try, try.conf) that are to be used on the firewall system.
/sbin/shorewall compile -e try
> As far as EXPORTPARAMS is concerned, I'll leave it undefined.
>
Can't comment on this.
>>> ===== TEST ======
>>>
>>> To test the new compiled firewall script:
>>>
>>> 1) on shorewall administrative system:
>>> rsync -a /tmp/fw_$SW_TARGET_SYSTEM_1 root@$SW_TARGET_SYSTEM_1:/tmp/
>>>
>>
>> See (A) above.
>
> So I just need to copy over the firewall.conf file as well.
>
The 'firewall' ('try') and 'firewall.conf' ('try.conf') files are required.
>>> PS:
>>> 'shorewall remote-getcaps' is the same as using shorecap or as
>>> 'shorewall-lite show -f capabilities'?
>>>
>>
>> See (1) -- 'remote-getrc' and 'remote-getcaps' will pull the
>> corresponding generated file to the administrative system.
>
> Yes, but (1) indicates that "unlike the shorecap program, the show
> capabilities command shows the kernel's current capabilities; it does
> not attempt to load additional kernel modules". That's why I was
> asking if remote-getcaps is more like shorecap or more like "show
> capabilities".
>
All 'remote-*' commands invoke 'shorecap'.
-Matt
--
Matt Darfeuille
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
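The administrative-system side of the workflow settled in the thread above (pull the firewall's config into a per-target directory, capture the capabilities file and shorewallrc with the 'remote-*' commands, compile as non-root, then push both 'try' and 'try.conf'), as an added example script that is not part of the thread or of the Shorewall project. It assumes the thread's variable names (SW_TARGET_SYSTEM_1, SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR), that 'shorewall remote-getcaps' and 'shorewall remote-getrc' accept the "[directory] [system]" arguments as documented in shorewall(8), and that the compile step produces 'try' and 'try.conf' as Matt states. The check_export_artifacts function refuses to push anything unless both files are present, which is the point the reply makes about 'firewall' and 'firewall.conf'.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Shorewall project.
# Assumptions: SW_TARGET_SYSTEM_1 / SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR as
# used in the thread; remote-getcaps/remote-getrc take "[directory] [system]";
# 'shorewall compile -e try' writes 'try' and 'try.conf' into the current dir.
set -eu

# Verify the compiled script and its companion .conf both exist in the
# export directory. Returns 0 when both are present, 1 otherwise, and lists
# whatever is missing on stderr so the operator sees why the push was refused.
check_export_artifacts() {
    dir=$1
    name=$2
    missing=0
    for f in "$name" "$name.conf"; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Step 1: copy the firewall system's configuration into the per-target
# directory on the administrative system.
fetch_config() {
    target=$1; dir=$2
    mkdir -p "$dir"
    rsync -a "root@$target:/etc/shorewall/" "$dir/"
}

# Step 2: capture the capabilities file and shorewallrc from the
# administrative system (the 'remote-*' commands run only here).
fetch_caps_and_rc() {
    target=$1; dir=$2
    shorewall remote-getcaps "$dir" "$target"
    shorewall remote-getrc "$dir" "$target"
}

# Step 3: compile as a non-root user from inside the target directory,
# producing 'try' and 'try.conf'.
compile_export() {
    dir=$1
    ( cd "$dir" && /sbin/shorewall compile -e try )
}

# Step 4: push both files to the firewall system for testing; refuse to
# push a script without its .conf (or vice versa).
push_export() {
    target=$1; dir=$2
    check_export_artifacts "$dir" try || return 1
    rsync -a "$dir/try" "$dir/try.conf" "root@$target:/tmp/"
}

main() {
    target=${SW_TARGET_SYSTEM_1:?set SW_TARGET_SYSTEM_1}
    dir=${SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR:?set SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR}
    fetch_config "$target" "$dir"
    fetch_caps_and_rc "$target" "$dir"
    compile_export "$dir"
    push_export "$target" "$dir"
}

# The full workflow only runs when invoked as "sh export.sh run";
# sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then
    main
fi
```

The per-target directory should still carry a shorewall.conf whose CONFIG_PATH points at /usr/share/shorewall, as Matt notes earlier in the thread; the script does not create that file for you.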