"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "starting_and_stopping_shorewall.xml" between
shorewall-docs-xml-5.2.3.6.tar.bz2 and shorewall-docs-xml-5.2.6.tar.bz2

About: Shorewall (The Shoreline Firewall) is an iptables based firewall (documentation; XML)

starting_and_stopping_shorewall.xml  (shorewall-docs-xml-5.2.3.6.tar.bz2):starting_and_stopping_shorewall.xml  (shorewall-docs-xml-5.2.6.tar.bz2)
skipping to change at line 29 skipping to change at line 29
<copyright> <copyright>
<year>2004</year> <year>2004</year>
<year>2005</year> <year>2005</year>
<year>2006</year> <year>2006</year>
<year>2007</year> <year>2007</year>
<year>2020</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
<legalnotice> <legalnotice>
<para>Permission is granted to copy, distribute and/or modify this <para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
skipping to change at line 204 skipping to change at line 206
<para><emphasis role="bold">Update:</emphasis><blockquote> <para><emphasis role="bold">Update:</emphasis><blockquote>
<para>In Shorewall 4.4.0 and later, the tarballs from shorewall.net <para>In Shorewall 4.4.0 and later, the tarballs from shorewall.net
follow the Debian convention when installed on a Debian or Ubuntu follow the Debian convention when installed on a Debian or Ubuntu
system. Beginning with Shorewall 4.4.10, you can revert to the prior system. Beginning with Shorewall 4.4.10, you can revert to the prior
behavior by setting SAFESTOP=1 in behavior by setting SAFESTOP=1 in
<filename>/etc/default/shorewall</filename>, <filename>/etc/default/shorewall</filename>,
<filename>/etc/default/shorewall6</filename>, etc.</para> <filename>/etc/default/shorewall6</filename>, etc.</para>
</blockquote></para> </blockquote></para>
</section> </section>
<section>
<title>systemd</title>
<para>As with SysV init described in the preceeding section, the behavior
of systemctl commands differ from the Shorewall CLI commands on
Debian-based systems. To make systemctl stop shorewall[-lite] and
systemctl restart shorewall[-lite] behave like shorewall stop and
shorewall restart, use this workaround provided by J Cliff
Armstrong:</para>
<para> Type (as root):</para>
<programlisting> <command>systemctl edit shorewall.service</command></pro
gramlisting>
<para>This will open the default terminal editor to a blank file in which
you can paste the following:</para>
<programlisting>[Service]
# reset ExecStop ExecStop=
# set ExecStop to "stop" instead of "clear"
ExecStop=/sbin/shorewall $OPTIONS stop</programlisting>
<para>Then type</para>
<programlisting> <command>systemctl daemon-reload</command></programlisti
ng>
<para>to activate the changes. This change will survive future updates of
the shorewall package from apt repositories. The override file itself will
be saved to `/etc/systemd/system/shorewall.service.d/`.</para>
<para>The same workaround may be applied to the other Shorewall products
(excluding Shorewall Init).</para>
</section>
<section id="Trace"> <section id="Trace">
<title>Tracing Command Execution and other Debugging Aids</title> <title>Tracing Command Execution and other Debugging Aids</title>
<para>Shorewall includes features for tracing and debugging. Commands <para>Shorewall includes features for tracing and debugging. Commands
involving the compiler can have the word <emphasis involving the compiler can have the word <emphasis
role="bold">trace</emphasis> inserted immediately after the role="bold">trace</emphasis> inserted immediately after the
command.</para> command.</para>
<para>Example:</para> <para>Example:</para>
<programlisting>shorewall trace check -r</programlisting> <programlisting><command>shorewall trace check -r</command> # Shorewall ve
rsions prior to 5.2.4
<command>shorewall check -D </command> # Shorewall versions 5.2.4 and lat
er</programlisting>
<para>This produces a large amount of diagnostic output to standard out <para>This produces a large amount of diagnostic output to standard out
during the compilation step. If entered on a command that doesn't invoke during the compilation step. If the command invokes the compiled firewall
the compiler, <emphasis role="bold">trace</emphasis> is ignored.</para> script, then that script's execution is traced to standard error. If
entered on a command that invokes neither the compiler nor the compiled
script, <emphasis role="bold">trace</emphasis> is ignored.</para>
<para>Commands that invoke a compiled fireawll script can have the word <para>Commands that invoke a compiled fireawll script can have the word
debug inserted immediately after the command.</para> debug inserted immediately after the command.</para>
<para>Example:</para> <para>Example:</para>
<programlisting>shorewall debug restart</programlisting> <programlisting><command>shorewall debug restart</command> # Shorewall ve
rsions prior to 5.2.4
<command>shorewall -D restart</command> # Shorewall versions 5.2.4 and lat
er</programlisting>
<para><emphasis role="bold">debug</emphasis> causes altered behavior of <para><emphasis role="bold">debug</emphasis> (-D) causes altered behavior
scripts generated by the Shorewall compiler. These scripts normally use of scripts generated by the Shorewall compiler. These scripts normally use
ip[6]tables-restore to install the Netfilter ruleset, but with debug, the ip[6]tables-restore to install the Netfilter ruleset, but with debug, the
commands normally passed to iptables-restore in its input file are passed commands normally passed to iptables-restore in its input file are passed
individually to ip[6]tables. This is a diagnostic aid which allows individually to ip[6]tables. This is a diagnostic aid which allows
identifying the individual command that is causing ip[6]tables-restore to identifying the individual command that is causing ip[6]tables-restore to
fail; it should be used when ip[6]tables-restore fails when executing a fail; it should be used when ip[6]tables-restore fails when executing a
COMMIT command.</para> COMMIT command.</para>
<warning> <warning>
<para>The debug feature is strictly for problem analysis. When debug is <para>The debug feature is strictly for problem analysis. When debug is
used:</para> used:</para>
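Review bot: in the systemd override listing, the empty "ExecStop=" assignment sits on the same line as the "# reset ExecStop" comment, so systemd reads it as part of the comment and the packaged ExecStop is not cleared; "ExecStop=/sbin/shorewall $OPTIONS stop" is then appended to the existing stop command instead of replacing it. Put "ExecStop=" on its own line below the comment. The two new 5.2.4 examples also place the option differently ("shorewall check -D" versus "shorewall -D restart"); say which position is required, or use the same form in both. Minor wording in the first paragraph of the new section: "preceeding" should be "preceding", and "the behavior of systemctl commands differ" should read "differs".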
skipping to change at line 260 skipping to change at line 300
<listitem> <listitem>
<para>The rules are applied in the canonical ip[6]tables-restore <para>The rules are applied in the canonical ip[6]tables-restore
order. So if you need critical hosts to be always available during order. So if you need critical hosts to be always available during
start/restart, you may not be able to use debug.</para> start/restart, you may not be able to use debug.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</warning> </warning>
</section> </section>
<section id="Boot">
<title>Having Shorewall Start Automatically at Boot Time</title>
<para>The .rpm, .deb and .tgz all try to configure your startup scripts so
that Shorewall will start automatically at boot time. If you are using the
<command>install.sh </command>script from the .tgz and it cannot determine
how to configure automatic startup, a message to that effect will be
displayed. You will need to consult your distribution's documentation to
see how to integrate the <filename>/etc/init.d/shorewall</filename> script
into the distribution's startup mechanism.<caution>
<itemizedlist>
<listitem>
<para>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by editing
<filename>/etc/shorewall/shorewall.conf</filename> and setting
STARTUP_ENABLED=Yes.. Note: Users of the .deb package must rather
edit <filename>/etc/default/shorewall</filename> and set
<quote>startup=1</quote>.</para>
</listitem>
<listitem>
<para>If you use dialup or some flavor of PPP where your IP
address can change arbitrarily, you may want to start the firewall
in your <command>/etc/ppp/ip-up.local</command> script. I
recommend just placing <quote><command>/sbin/shorewall
restart</command></quote> in that script.</para>
</listitem>
</itemizedlist>
</caution></para>
</section>
<section id="Saved"> <section id="Saved">
<title>Saving a Working Configuration for Error Recovery and Fast <title>Saving a Working Configuration for Error Recovery and Fast
Startup</title> Startup</title>
<para>Once you have Shorewall working the way that you want it to, you can <para>Once you have Shorewall working the way that you want it to, you can
use <command>shorewall save</command> to <firstterm>save</firstterm> the use <command>shorewall save</command> to <firstterm>save</firstterm> the
commands necessary to recreate that configuration in a <firstterm>restore commands necessary to recreate that configuration in a <firstterm>restore
script</firstterm>.</para> script</firstterm>.</para>
<para>In its simplest form, the save command is just:</para> <para>In its simplest form, the save command is just:</para>
 End of changes. 7 change blocks. 
37 lines changed or deleted 52 lines changed or added
