| CompiledPrograms.xml (shorewall-docs-xml-5.2.3.6.tar.bz2) | : | CompiledPrograms.xml (shorewall-docs-xml-5.2.6.tar.bz2) |
|---|
| | |
| skipping to change at line 23 | | skipping to change at line 23 |
|---|
| | |
| <surname>Eastep</surname> | | <surname>Eastep</surname> |
| </author> | | </author> |
| </authorgroup> | | </authorgroup> |
| | |
| <pubdate><?dbtimestamp format="Y/m/d"?></pubdate> | | <pubdate><?dbtimestamp format="Y/m/d"?></pubdate> |
| | |
| <copyright> | | <copyright> |
| <year>2006-2010</year> | | <year>2006-2010</year> |
| | |
|
| | <year>2020</year> |
| | |
| <holder>Thomas M. Eastep</holder> | | <holder>Thomas M. Eastep</holder> |
| </copyright> | | </copyright> |
| | |
| <legalnotice> | | <legalnotice> |
| <para>Permission is granted to copy, distribute and/or modify this | | <para>Permission is granted to copy, distribute and/or modify this |
| document under the terms of the GNU Free Documentation License, Version | | document under the terms of the GNU Free Documentation License, Version |
| 1.2 or any later version published by the Free Software Foundation; with | | 1.2 or any later version published by the Free Software Foundation; with |
| no Invariant Sections, with no Front-Cover, and with no Back-Cover | | no Invariant Sections, with no Front-Cover, and with no Back-Cover |
| Texts. A copy of the license is included in the section entitled | | Texts. A copy of the license is included in the section entitled |
| <quote><ulink url="GnuCopyright.htm">GNU Free Documentation | | <quote><ulink url="GnuCopyright.htm">GNU Free Documentation |
| | |
| skipping to change at line 230 | | skipping to change at line 232 |
|---|
| <listitem> | | <listitem> |
| <para>The value of CONFIG_PATH used when the script is run | | <para>The value of CONFIG_PATH used when the script is run |
| on the firewall system is | | on the firewall system is |
| "/etc/shorewall-lite:/usr/share/shorewall-lite".</para> | | "/etc/shorewall-lite:/usr/share/shorewall-lite".</para> |
| </listitem> | | </listitem> |
| </itemizedlist> | | </itemizedlist> |
| </listitem> | | </listitem> |
| | |
| <listitem> | | <listitem> |
| <programlisting><command>cd <export directory></command> | | <programlisting><command>cd <export directory></command> |
|
| <command>/sbin/shorewall load firewall</command></programlisting> | | <command>/sbin/shorewall remote-startfirewall</command></programlisting> |
| | |
| <para>The <ulink | | <para>The <ulink |
|
| url="starting_and_stopping_shorewall.htm#Load"><command>load</comm
and></ulink> | | url="starting_and_stopping_shorewall.htm#Load"><command>remote-sta
rt</command></ulink> |
| command compiles a firewall script from the configuration files | | command compiles a firewall script from the configuration files |
| in the current working directory (using <command>shorewall | | in the current working directory (using <command>shorewall |
| compile -e</command>), copies that file to the remote system via | | compile -e</command>), copies that file to the remote system via |
| scp and starts Shorewall Lite on the remote system via | | scp and starts Shorewall Lite on the remote system via |
| ssh.</para> | | ssh.</para> |
| | |
| <para>Example (firewall's DNS name is 'gateway'):</para> | | <para>Example (firewall's DNS name is 'gateway'):</para> |
| | |
|
| <para><command>/sbin/shorewall load gateway</command><note> | | <para><command>/sbin/shorewall remote-start |
| | gateway</command><note> |
| <para>Although scp and ssh are used by default, you can use | | <para>Although scp and ssh are used by default, you can use |
| other utilities by setting RSH_COMMAND and RCP_COMMAND in | | other utilities by setting RSH_COMMAND and RCP_COMMAND in |
| <filename>/etc/shorewall/shorewall.conf</filename>.</para> | | <filename>/etc/shorewall/shorewall.conf</filename>.</para> |
| </note></para> | | </note></para> |
| | |
| <para>The first time that you issue a <command>load</command> | | <para>The first time that you issue a <command>load</command> |
| command, Shorewall will use ssh to run | | command, Shorewall will use ssh to run |
| <filename>/usr/share/shorewall-lite/shorecap</filename> on the | | <filename>/usr/share/shorewall-lite/shorecap</filename> on the |
| remote firewall to create a capabilities file in the firewall's | | remote firewall to create a capabilities file in the firewall's |
| administrative direction. See <link | | administrative direction. See <link |
| | |
| skipping to change at line 264 | | skipping to change at line 267 |
|---|
| </listitem> | | </listitem> |
| </orderedlist> | | </orderedlist> |
| </listitem> | | </listitem> |
| | |
| <listitem> | | <listitem> |
| <para>If you later need to change the firewall's configuration, | | <para>If you later need to change the firewall's configuration, |
| change the appropriate files in the firewall's export directory | | change the appropriate files in the firewall's export directory |
| then:</para> | | then:</para> |
| | |
| <programlisting><command>cd <export directory></command> | | <programlisting><command>cd <export directory></command> |
|
| <command>/sbin/shorewall reload firewall</command></programlisting> | | <command>/sbin/shorewall remote-reload firewall</command></programlisting> |
| | |
| <para>The <ulink | | <para>The <ulink |
|
| url="manpages/shorewall.html"><command>reload</command></ulink> | | url="manpages/shorewall.html"><command>remote-reload</command></ulink> |
| command compiles a firewall script from the configuration files in | | command compiles a firewall script from the configuration files in |
| the current working directory (using <command>shorewall compile | | the current working directory (using <command>shorewall compile |
| -e</command>), copies that file to the remote system via scp and | | -e</command>), copies that file to the remote system via scp and |
| restarts Shorewall Lite on the remote system via ssh. The <emphasis | | restarts Shorewall Lite on the remote system via ssh. The <emphasis |
|
| role="bold">reload</emphasis> command also supports the '-c' | | role="bold">remote-reload</emphasis> command also supports the '-c' |
| option.</para> | | option.</para> |
|
| | | |
| <para>I personally place a <filename>Makefile</filename> in each | | |
| export directory as follows:</para> | | |
| | |
| <blockquote> | | |
| <programlisting># Shorewall Packet Filtering Firewall Export Dir | | |
| ectory Makefile - V3.3 | | |
| # | | |
| # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2. | | |
| 0.txt] | | |
| # | | |
| # (c) 2006 - Tom Eastep (teastep@shorewall.net) | | |
| # | | |
| # Shorewall documentation is available at http://www.shorewall.net | | |
| # | | |
| # This program is free software; you can redistribute it and/or modify | | |
| # it under the terms of Version 2 of the GNU General Public License | | |
| # as published by the Free Software Foundation. | | |
| # | | |
| # This program is distributed in the hope that it will be useful, | | |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | | |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | | |
| # GNU General Public License for more details. | | |
| # | | |
| # You should have received a copy of the GNU General Public License | | |
| # along with this program; if not, write to the Free Software | | |
| # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 | | |
| USA. | | |
| ################################################################################ | | |
| # Place this file in each export directory. Modify each copy to set HOST | | |
| # to the name of the remote firewall corresponding to the directory. | | |
| # | | |
| # To make the 'firewall' script, type "make". | | |
| # | | |
| # Once the script is compiling correctly, you can install it by | | |
| # typing "make install". | | |
| # | | |
| ################################################################################ | | |
| # V A R I A B L E S | | |
| # | | |
| # Files in the export directory on which the firewall script does not depend | | |
| # | | |
| IGNOREFILES = firewall% Makefile% trace% %~ | | |
| # | | |
| # Remote Firewall system | | |
| # | | |
| HOST = gateway | | |
| # | | |
| # Save some typing | | |
| # | | |
| LITEDIR = /var/lib/shorewall-lite | | |
| # | | |
| # Set this if the remote system has a non-standard modules directory | | |
| # | | |
| MODULESDIR= | | |
| # | | |
| # Default target is the firewall script | | |
| # | | |
| ################################################################################ | | |
| # T A R G E T S | | |
| # | | |
| all: firewall | | |
| # | | |
| # Only generate the capabilities file if it doesn't already exist | | |
| # | | |
| capabilities: | | |
| ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/sho | | |
| recap > $(LITEDIR)/capabilities" | | |
| scp root@$(HOST):$(LITEDIR)/capabilities . | | |
| # | | |
| # Compile the firewall script. Using the 'wildcard' function causes "*" to be ex | | |
| panded so that | | |
| # 'filter-out' will be presented with the list of files in this directory rather | | |
| than "*" | | |
| # | | |
| firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilitie | | |
| s | | |
| shorewall compile -e . firewall | | |
| # | | |
| # Only reload on demand. | | |
| # | | |
| install: firewall | | |
| scp firewall firewall.conf root@$(HOST):$(LITEDIR) | | |
| ssh root@$(HOST) "/sbin/shorewall-lite restart" | | |
| # | | |
| # Save running configuration | | |
| # | | |
| save: | | |
| ssh root@$(HOST) "/sbin/shorewall-lite save" | | |
| # | | |
| # Remove generated files | | |
| # | | |
| clean: | | |
| rm -f capabilities firewall firewall.conf reload | | |
| </programlisting> | | |
| </blockquote> | | |
| | |
| <para>That way, after I've changed the configuration, I can simply | | |
| type <command>make</command> or <emphasis role="bold">make | | |
| install</emphasis>.</para> | | |
| | |
| <note> | | |
| <para>The above Makefile is available at <ulink | | |
| url="http://www1.shorewall.net/pub/shorewall/contrib/Shorewall-lite/ | | |
| ">http://www.shorewall.net/pub/shorewall/contrib/Shorewall-lite/</ulink></para> | | |
| </note> | | |
| | |
| <note> | | |
| <para>I omit trace% because I often trace compiler execution while | | |
| I'm debugging new versions of Shorewall.</para> | | |
| </note> | | |
| </listitem> | | </listitem> |
| </orderedlist> | | </orderedlist> |
| | |
| <para>There is a <filename>shorewall-lite.conf</filename> file installed | | <para>There is a <filename>shorewall-lite.conf</filename> file installed |
| as part of Shorewall Lite | | as part of Shorewall Lite |
| (<filename>/etc/shorewall-lite/shorewall-lite.conf</filename>). You can | | (<filename>/etc/shorewall-lite/shorewall-lite.conf</filename>). You can |
| use that file on the firewall system to override some of the settings | | use that file on the firewall system to override some of the settings |
| from the shorewall.conf file in the export directory.</para> | | from the shorewall.conf file in the export directory.</para> |
| | |
| <para>Settings that you can override are:</para> | | <para>Settings that you can override are:</para> |
| | |
| skipping to change at line 413 | | skipping to change at line 313 |
|---|
| | |
| <member>RESTOREFILE</member> | | <member>RESTOREFILE</member> |
| </simplelist> | | </simplelist> |
| </blockquote> | | </blockquote> |
| | |
| <para>You will normally never touch | | <para>You will normally never touch |
| <filename>/etc/shorewall-lite/shorewall-lite.conf</filename> unless you | | <filename>/etc/shorewall-lite/shorewall-lite.conf</filename> unless you |
| run Debian or one of its derivatives (see <link | | run Debian or one of its derivatives (see <link |
| linkend="Debian">above</link>).</para> | | linkend="Debian">above</link>).</para> |
| | |
|
| <para>The <filename>/sbin/shorewall-lite</filename> program included | | <para>The <filename>/sbin/shorewall-lite</filename> program (which is a |
| | symbolic link pointing to <filename>/sbin/shorewall</filename>) included |
| with Shorewall Lite supports the same set of commands as the | | with Shorewall Lite supports the same set of commands as the |
| <filename>/sbin/shorewall</filename> program in a full Shorewall | | <filename>/sbin/shorewall</filename> program in a full Shorewall |
| installation with the following exceptions:</para> | | installation with the following exceptions:</para> |
| | |
| <blockquote> | | <blockquote> |
| <simplelist> | | <simplelist> |
|
| <member>add</member> | | <member>action</member> |
| | |
| | <member>actions</member> |
| | |
| | <member>check</member> |
| | |
| <member>compile</member> | | <member>compile</member> |
| | |
|
| <member>delete</member> | | <member>export</member> |
| | |
|
| <member>refresh</member> | | <member>macro</member> |
| | |
|
| <member>reload</member> | | <member>macros</member> |
| | |
|
| <member>try</member> | | <member>remote-getrc</member> |
| | |
|
| <member>safe-start</member> | | <member>remote-getcaps</member> |
| | |
|
| <member>safe-restart</member> | | <member>remote-reload</member> |
| | |
|
| <member>show actions</member> | | <member>remote-restart</member> |
| | |
|
| <member>show macros</member> | | <member>remote-start</member> |
| </simplelist> | | |
| </blockquote> | | |
| | |
|
| <para>On systems with only Shorewall Lite installed, I recommend that | | <member>safe-reload</member> |
| you create a symbolic link <filename>/sbin/shorewall</filename> and | | |
| point it at <filename>/sbin/shorewall-lite</filename>. That way, you can | | |
| use <command>shorewall</command> as the command regardless of which | | |
| product is installed.</para> | | |
| | |
|
| <blockquote> | | <member>safe-restart</member> |
| <programlisting><command>ln -sf shorewall-lite /sbin/shorewall</command> | | |
| </programlisting> | | <member>safe-start</member> |
| | |
| | <member>try</member> |
| | |
| | <member>update</member> |
| | </simplelist> |
| </blockquote> | | </blockquote> |
| | |
| <section> | | <section> |
| <title>Module Loading</title> | | <title>Module Loading</title> |
| | |
|
| <para>As with a normal Shorewall configuration, the shorewall.conf | | <para>Normally, the <filename>helpers</filename> file on the firewall |
| file can specify LOAD_HELPERS_ONLY which determines if the | | system is used. If you want to specify modules at compile time on the |
| <filename>modules</filename> file (LOAD_HELPERS_ONLY=No) or | | Administrative System, then you must place a copy of the |
| <filename>helpers</filename> file (LOAD_HELPERS_ONLY=Yes) is used. | | <filename>helpers</filename> file in the firewall's configuration |
| Normally, the file on the firewall system is used. If you want to | | directory before compilation.</para> |
| specify modules at compile time on the Administrative System, then you | | |
| must place a copy of the appropriate file | | |
| (<filename>modules</filename> or <filename>helpers</filename>) in the | | |
| firewall's configuration directory before compilation.</para> | | |
| | |
| <para>In Shorewall 4.4.17, the EXPORTMODULES option was added to | | <para>In Shorewall 4.4.17, the EXPORTMODULES option was added to |
| shorewall.conf (and shorewall6.conf). When EXPORTMODULES=Yes, any | | shorewall.conf (and shorewall6.conf). When EXPORTMODULES=Yes, any |
|
| <filename>modules</filename> or <filename>helpers</filename> file | | <filename>helpers</filename> file found on the CONFIG_PATH on the |
| found on the CONFIG_PATH on the Administrative System during | | Administrative System during compilation will be used.</para> |
| compilation will be used.</para> | | |
| </section> | | </section> |
| | |
| <section id="Converting"> | | <section id="Converting"> |
| <title>Converting a system from Shorewall to Shorewall Lite</title> | | <title>Converting a system from Shorewall to Shorewall Lite</title> |
| | |
| <para>Converting a firewall system that is currently running Shorewall | | <para>Converting a firewall system that is currently running Shorewall |
| to run Shorewall Lite instead is straight-forward.</para> | | to run Shorewall Lite instead is straight-forward.</para> |
| | |
| <orderedlist numeration="loweralpha"> | | <orderedlist numeration="loweralpha"> |
| <listitem> | | <listitem> |
| | |
| skipping to change at line 506 | | skipping to change at line 406 |
|---|
| <filename>stoppedrules</filename> file.</para> | | <filename>stoppedrules</filename> file.</para> |
| | |
| <programlisting><command>shorewall stop</command></programlisting> | | <programlisting><command>shorewall stop</command></programlisting> |
| | |
| <para><emphasis role="bold">We recommend that you uninstall | | <para><emphasis role="bold">We recommend that you uninstall |
| Shorewall at this point.</emphasis></para> | | Shorewall at this point.</emphasis></para> |
| </listitem> | | </listitem> |
| | |
| <listitem> | | <listitem> |
| <para>Install Shorewall Lite on the firewall system.</para> | | <para>Install Shorewall Lite on the firewall system.</para> |
|
| | | |
| <para>If you are running Debian or one of its derivatives like | | |
| Ubuntu then edit <filename>/etc/default/shorewall-lite</filename> | | |
| and set startup=1.</para> | | |
| </listitem> | | </listitem> |
| | |
| <listitem> | | <listitem> |
| <para>On the administrative system:</para> | | <para>On the administrative system:</para> |
| | |
| <para>It's a good idea to include the IP address of the | | <para>It's a good idea to include the IP address of the |
| administrative system in the firewall system's <ulink | | administrative system in the firewall system's <ulink |
| url="manpages/shorewall-stoppedrules.html"><filename>stoppedrules</f
ilename> | | url="manpages/shorewall-stoppedrules.html"><filename>stoppedrules</f
ilename> |
| file</ulink>.</para> | | file</ulink>.</para> |
| | |
| | |
| skipping to change at line 756 | | skipping to change at line 652 |
|---|
| | |
| <section id="Shorecap"> | | <section id="Shorecap"> |
| <title>The /etc/shorewall/capabilities file and the shorecap | | <title>The /etc/shorewall/capabilities file and the shorecap |
| program</title> | | program</title> |
| | |
| <para>As mentioned above, the | | <para>As mentioned above, the |
| <filename>/etc/shorewall/capabilities</filename> file specifies that | | <filename>/etc/shorewall/capabilities</filename> file specifies that |
| kernel/iptables capabilities of the target system. Here is a sample | | kernel/iptables capabilities of the target system. Here is a sample |
| file:</para> | | file:</para> |
| | |
|
| <blockquote> | | <programlisting> |
| <programlisting># | | # Shorewall 5.2.3.3 detected the following iptables/netfilter capabilities - Mon |
| # Shorewall detected the following iptables/netfilter capabilities - Tue Jul 15 | | 16 Sep 2019 01:32:20 PM PDT |
| 07:28:12 PDT 2008 | | |
| # | | # |
|
| NAT_ENABLED=Yes | | ACCOUNT_TARGET= |
| MANGLE_ENABLED=Yes | | ADDRTYPE=Yes |
| MULTIPORT=Yes | | AMANDA_HELPER= |
| XMULTIPORT=Yes | | ARPTABLESJF= |
| | AUDIT_TARGET=Yes |
| | BASIC_EMATCH=Yes |
| | BASIC_FILTER=Yes |
| | CAPVERSION=50200 |
| | CHECKSUM_TARGET=Yes |
| | CLASSIFY_TARGET=Yes |
| | COMMENTS=Yes |
| | CONDITION_MATCH= |
| | CONNLIMIT_MATCH=Yes |
| | CONNMARK_MATCH=Yes |
| | CONNMARK=Yes |
| CONNTRACK_MATCH=Yes | | CONNTRACK_MATCH=Yes |
|
| POLICY_MATCH=Yes | | CPU_FANOUT=Yes |
| PHYSDEV_MATCH=Yes | | CT_TARGET=Yes |
| PHYSDEV_BRIDGE=Yes | | DSCP_MATCH=Yes |
| LENGTH_MATCH=Yes | | DSCP_TARGET=Yes |
| | EMULTIPORT=Yes |
| | ENHANCED_REJECT=Yes |
| | EXMARK=Yes |
| | FLOW_FILTER=Yes |
| | FTP0_HELPER= |
| | FTP_HELPER=Yes |
| | FWMARK_RT_MASK=Yes |
| | GEOIP_MATCH= |
| | GOTO_TARGET=Yes |
| | H323_HELPER= |
| | HASHLIMIT_MATCH=Yes |
| | HEADER_MATCH= |
| | HELPER_MATCH=Yes |
| | IFACE_MATCH= |
| | IMQ_TARGET= |
| | IPMARK_TARGET= |
| | IPP2P_MATCH= |
| IPRANGE_MATCH=Yes | | IPRANGE_MATCH=Yes |
|
| RECENT_MATCH=Yes | | IPSET_MATCH_COUNTERS=Yes |
| OWNER_MATCH=Yes | | IPSET_MATCH_NOMATCH=Yes |
| IPSET_MATCH=Yes | | IPSET_MATCH=Yes |
|
| CONNMARK=Yes | | IPSET_V5=Yes |
| XCONNMARK=Yes | | IPTABLES_S=Yes |
| CONNMARK_MATCH=Yes | | IRC0_HELPER= |
| XCONNMARK_MATCH=Yes | | IRC_HELPER=Yes |
| RAW_TABLE=Yes | | KERNELVERSION=41900 |
| IPP2P_MATCH= | | |
| CLASSIFY_TARGET=Yes | | |
| ENHANCED_REJECT=Yes | | |
| KLUDGEFREE=Yes | | KLUDGEFREE=Yes |
|
| MARK=Yes | | LENGTH_MATCH=Yes |
| XMARK=Yes | | LOGMARK_TARGET= |
| | LOG_TARGET=Yes |
| | MANGLE_ENABLED=Yes |
| MANGLE_FORWARD=Yes | | MANGLE_FORWARD=Yes |
|
| COMMENTS=Yes | | MARK_ANYWHERE=Yes |
| ADDRTYPE=Yes | | MARK=Yes |
| TCPMSS_MATCH=Yes | | MASQUERADE_TGT=Yes |
| HASHLIMIT_MATCH=Yes | | MULTIPORT=Yes |
| | NAT_ENABLED=Yes |
| | NAT_INPUT_CHAIN=Yes |
| | NETBIOS_NS_HELPER= |
| | NETMAP_TARGET=Yes |
| | NEW_CONNTRACK_MATCH=Yes |
| | NEW_TOS_MATCH=Yes |
| | NFACCT_MATCH=Yes |
| | NFLOG_SIZE=Yes |
| | NFLOG_TARGET=Yes |
| NFQUEUE_TARGET=Yes | | NFQUEUE_TARGET=Yes |
|
| | OLD_CONNTRACK_MATCH= |
| | OLD_HL_MATCH= |
| | OLD_IPP2P_MATCH= |
| | OLD_IPSET_MATCH= |
| | OWNER_MATCH=Yes |
| | OWNER_NAME_MATCH=Yes |
| | PERSISTENT_SNAT=Yes |
| | PHYSDEV_BRIDGE=Yes |
| | PHYSDEV_MATCH=Yes |
| | POLICY_MATCH=Yes |
| | PPTP_HELPER= |
| | RAW_TABLE=Yes |
| REALM_MATCH=Yes | | REALM_MATCH=Yes |
|
| CAPVERSION=40190</programlisting> | | REAP_OPTION=Yes |
| </blockquote> | | RECENT_MATCH=Yes |
| | RESTORE_WAIT_OPTION=Yes |
| | RPFILTER_MATCH=Yes |
| | SANE0_HELPER= |
| | SANE_HELPER= |
| | SIP0_HELPER= |
| | SIP_HELPER= |
| | SNMP_HELPER= |
| | STATISTIC_MATCH=Yes |
| | TARPIT_TARGET= |
| | TCPMSS_MATCH=Yes |
| | TCPMSS_TARGET=Yes |
| | TFTP0_HELPER= |
| | TFTP_HELPER= |
| | TIME_MATCH=Yes |
| | TPROXY_TARGET=Yes |
| | UDPLITEREDIRECT= |
| | ULOG_TARGET= |
| | WAIT_OPTION=Yes |
| | XCONNMARK_MATCH=Yes |
| | XCONNMARK=Yes |
| | XMARK=Yes |
| | XMULTIPORT=Yes</programlisting> |
| | |
| <para>As you can see, the file contains a simple list of shell variable | | <para>As you can see, the file contains a simple list of shell variable |
| assignments — the variables correspond to the capabilities listed by the | | assignments — the variables correspond to the capabilities listed by the |
| <command>shorewall show capabilities</command> command and they appear in | | <command>shorewall show capabilities</command> command and they appear in |
| the same order as the output of that command.</para> | | the same order as the output of that command.</para> |
| | |
|
| <para>To aid in creating this file, Shorewall Lite includes a | | <para>The capabilities file can be generated automatically from the |
| <command>shorecap</command> program. The program is installed in the | | administrative system by using the <command>remote-getcaps</command> |
| <filename class="directory">/usr/share/shorewall-lite/</filename> | | command. Should that option fail for any reason, the file can be generated |
| | manually on the remote firewall.</para> |
| | |
| | <para>To aid in creating this file on the remote firewall, Shorewall Lite |
| | includes a <command>shorecap</command> program. The program is installed |
| | in the <filename class="directory">/usr/share/shorewall-lite/</filename> |
| directory and may be run as follows:</para> | | directory and may be run as follows:</para> |
| | |
| <blockquote> | | <blockquote> |
| <para><command>[ IPTABLES=<iptables binary> ] [ | | <para><command>[ IPTABLES=<iptables binary> ] [ |
| MODULESDIR=<kernel modules directory> ] | | MODULESDIR=<kernel modules directory> ] |
| /usr/share/shorewall-lite/shorecap > capabilities</command></para> | | /usr/share/shorewall-lite/shorecap > capabilities</command></para> |
| </blockquote> | | </blockquote> |
| | |
| <para>The IPTABLES and MODULESDIR options have their <ulink | | <para>The IPTABLES and MODULESDIR options have their <ulink |
| url="manpages/shorewall.conf.html">usual Shorewall default | | url="manpages/shorewall.conf.html">usual Shorewall default |
| | |
| skipping to change at line 828 | | skipping to change at line 798 |
|---|
| <para>The <filename>capabilities</filename> file may also be creating | | <para>The <filename>capabilities</filename> file may also be creating |
| using <filename>/sbin/shorewall-lite</filename>:<blockquote> | | using <filename>/sbin/shorewall-lite</filename>:<blockquote> |
| <para><command>shorewall-lite show -f capabilities > | | <para><command>shorewall-lite show -f capabilities > |
| capabilities</command></para> | | capabilities</command></para> |
| </blockquote></para> | | </blockquote></para> |
| | |
| <para>Note that unlike the <command>shorecap</command> program, the | | <para>Note that unlike the <command>shorecap</command> program, the |
| <command>show capabilities</command> command shows the kernel's current | | <command>show capabilities</command> command shows the kernel's current |
| capabilities; it does not attempt to load additional kernel | | capabilities; it does not attempt to load additional kernel |
| modules.</para> | | modules.</para> |
|
| | |
| | <para>Once generated, the file can be copied manually to the |
| | administrative system.</para> |
| </section> | | </section> |
| | |
| <section id="Running"> | | <section id="Running"> |
| <title>Running compiled programs directly</title> | | <title>Running compiled programs directly</title> |
| | |
|
| <para>Compiled firewall programs are complete shell programs that support | | <para>Compiled firewall programs are complete shell programs that may be |
| the following command line forms:</para> | | run directly. Here is the output from the program's help command |
| | (Shorewall version 5.2.4)</para> |
| <blockquote> | | |
| <simplelist> | | <programlisting><program> [ options ] <command> |
| <member><command><program> [ -q ] [ -v ] [ -n ] | | |
| start</command></member> | | <command> is one of: |
| | start |
| <member><command><program> [ -q ] [ -v ] [ -n ] | | stop |
| stop</command></member> | | clear |
| | disable <interface> |
| <member><command><program> [ -q ] [ -v ] [ -n ] | | down <interface> |
| clear</command></member> | | enable <interface> |
| | reset |
| <member><command><program> [ -q ] [ -v ] [ -n ] | | reenable <interface> |
| refresh</command></member> | | refresh |
| | reload |
| <member><command><program> [ -q ] [ -v ] [ -n ] | | restart |
| reset</command></member> | | run <command> [ <parameter> ... ] |
| | status |
| <member><command><program> [ -q ] [ -v ] [ -n ] | | up <interface> |
| restart</command></member> | | savesets <file> |
| | call <function> [ <parameter> ... ] |
| <member><command><program> [ -q ] [ -v ] [ -n ] | | help |
| status</command></member> | | version |
| | info |
| <member><command><program> [ -q ] [ -v ] [ -n ] | | |
| version</command></member> | | Options are: |
| </simplelist> | | |
| </blockquote> | | -v and -q Standard Shorewall verbosity controls |
| | -n Don't update routing configuration |
| | -p Purge Conntrack Table |
| | -t Timestamp progress Messages |
| | -c Save/restore iptables counters |
| | -V <verbosity> Set verbosity explicitly |
| | -R <file> Override RESTOREFILE setting |
| | -T Trace execution |
| | </programlisting> |
| | |
| <para>The options have the same meanings as when they are passed to | | <para>The options have the same meanings as when they are passed to |
| <filename>/sbin/shorewall</filename> itself. The default VERBOSITY level | | <filename>/sbin/shorewall</filename> itself. The default VERBOSITY level |
| is the level specified in the <filename>shorewall.conf</filename> file | | is the level specified in the <filename>shorewall.conf</filename> file |
| used when the program was compiled.</para> | | used when the program was compiled.</para> |
| </section> | | </section> |
| </article> | | </article> |
| | | |
| End of changes. 35 change blocks. |
|---|
| 216 lines changed or deleted | | 188 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 