Re: [Shorewall-users] Command 'shorewall reload' behavior
On 02/10/2018 08:52 AM, Matt Darfeuille wrote:
>
> It's always interesting to learn how Shorewall works!
> Given your explanation it clearly makes no sense to nitpick about this.
> The reason why I was asking is that my interface is configured by dhcp.
> My understanding is that shorewall should be reloaded when a new lease
> is acquired?

It depends. If you use the interface's address variable, then you must
reload the ruleset. Otherwise, it should only be required when the
interface first comes up.

> Based on that assumption I have a script in
> /etc/dhcp/dhclient-exit-hooks.d that will reload shorewall when the
> 'reason' is 'BOUND' and I was simply looking for a way to only reload
> shorewall when it is already started.

You can:

shorewall status > /dev/null 2>&1 && shorewall reload

-Tom
--
Tom Eastep             \ Q: What do you get when you cross a mobster with
Shoreline,              \    an international standard?
Washington, USA          \ A: Someone who makes you an offer you can't
http://shorewall.org      \    understand
                           \___

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
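Putting Tom's check together with the dhclient hook Matt describes, here is an added example of such an exit hook. It is not Shorewall's code and not Matt's script; the file name, the SHOREWALL override variable and the decision to also skip the reload when the leased address did not change are my choices. It relies on dhclient-script sourcing the hook (so no 'exit') and exporting $reason, $new_ip_address and $old_ip_address, which is standard dhclient-script behaviour.

```shell
#!/bin/sh
# Added example, not Shorewall's own code and not the poster's script:
# a dhclient exit hook that reloads Shorewall only when (a) a lease was
# (re)acquired, (b) the address actually changed and (c) the firewall is
# already started, so a DHCP event never *starts* a stopped firewall
# (which 'shorewall reload' otherwise would).
# Suggested path: /etc/dhcp/dhclient-exit-hooks.d/shorewall (name assumed).
# dhclient-script sources files in that directory, so there is no 'exit' here;
# it exports $reason, $interface, $new_ip_address and $old_ip_address.
# SHOREWALL is overridable for offline testing (my assumption, not a Shorewall variable).

: "${SHOREWALL:=shorewall}"

# 0 if Shorewall is started. The CLI decides this by looking for the
# 'shorewall' filter chain, so 'status' exits non-zero once that chain is gone.
shorewall_is_started() {
    "$SHOREWALL" status >/dev/null 2>&1
}

# shorewall_decide REASON NEW_IP OLD_IP
# Prints "reload" and returns 0 when a reload is warranted, otherwise
# prints "skip" and returns 1.
shorewall_decide() {
    _reason=$1 _new=$2 _old=$3
    case $_reason in
        BOUND|REBOOT) ;;            # a lease was (re)acquired for this interface
        *) echo skip; return 1 ;;   # RENEW/REBIND keep the address; EXPIRE/RELEASE/FAIL drop it
    esac
    # Same address as before: rules built from the interface's address
    # variable are still correct, so spare the reload.
    if [ -n "$_old" ] && [ "$_new" = "$_old" ]; then
        echo skip; return 1
    fi
    # Never turn a stopped firewall on from a DHCP event.
    if ! shorewall_is_started; then
        echo skip; return 1
    fi
    echo reload
    return 0
}

# Entry point when sourced by dhclient-script ($reason is set there).
if [ -n "${reason:-}" ]; then
    if shorewall_decide "$reason" "${new_ip_address:-}" "${old_ip_address:-}"; then
        "$SHOREWALL" reload
    fi
fi
```

The first lease (empty $old_ip_address) and a changed address both trigger a reload; a BOUND with the same address, any other reason, or a stopped firewall do not. Drop the address comparison if the ruleset does not use the interface's address variable at all, since then, per Tom, a reload on lease events is not needed in the first place.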
Re: [Shorewall-users] Command 'shorewall reload' behavior
On 2/8/2018 6:46 PM, Tom Eastep wrote:
> On 02/08/2018 08:45 AM, Matt Darfeuille wrote:
>> On 2/8/2018 5:17 PM, Tom Eastep wrote:
>>> On 02/08/2018 04:20 AM, Matt Darfeuille wrote:
>>>> Hi,
>>>>
>>>> From:
>>>>
>>>> http://shorewall.org/manpages/shorewall.html
>>>>
>>>> "Reload is similar to shorewall start except that it assumes that the
>>>> firewall is already started. Existing connections are maintained."
>>>>
>>>> If I do 'shorewall stop' followed by 'shorewall reload' the firewall
>>>> will be started:
>>>>
>>>> $ shorewall status
>>>> Shorewall-5.1.12-RC1 Status ...
>>>>
>>>> Shorewall is running
>>>> State:Started ... from /etc/shorewall/ (/var/lib/shorewall/firewall
>>>> compiled ... by Shorewall version 5.1.12-RC1)
>>>>
>>>> $ shorewall stop
>>>> Stopping Shorewall
>>>> Preparing iptables-restore input...
>>>> Running /sbin/iptables-restore...
>>>> done.
>>>> $ shorewall status
>>>> Shorewall-5.1.12-RC1 Status ...
>>>>
>>>> Shorewall is stopped
>>>> State:Stopped ... (/var/lib/shorewall/firewall compiled ... by Shorewall
>>>> version 5.1.12-RC1)
>>>>
>>>> $ shorewall reload
>>>> Shorewall is not running
>>>> Starting Shorewall
>>>> Initializing...
>>>> Setting up Route Filtering...
>>>> Setting up Martian Logging...
>>>> Preparing iptables-restore input...
>>>> Running /sbin/iptables-restore ...
>>>> done.
>>>>
>>>> My understanding is that 'shorewall reload' should only reload shorewall
>>>> when the state is 'started' or what am I missing?
>>>>
>>>> In other words: why 'shorewall reload' starts the firewall when
>>>> shorewall is stopped?
>>>>
>>> The generated script interprets 'reload' and 'restart' as 'start' when
>>> the firewall is not currently started.
>>>
>> Is there any way to alter this so that the generated script would not
>> unconditionally start the firewall?
>> If no and if it makes sense could something to that effect be implemented?
>>
>> -Matt
>
> Because Shorewall is not a daemon, its state at any point in time is
> rather nebulous. The Shorewall state is recorded in two ways:
>
> 1. When the firewall is started, a filter-table chain named 'Shorewall'
> is created. When the firewall is stopped, that chain is deleted.
> That is what the CLI uses to determine if Shorewall is started or not.
> 2. $VARDIR/state records the last state transition performed by Shorewall.
>
> Of course, neither of these measures is even close to being foolproof
> because they can be altered by simple administrative commands.
>
> For instance:
>
> root@Asus:~# shorewall status
> Shorewall-5.2.0-Beta1 Status at Asus - Thu Feb 8 09:32:32 PST 2018
>
> Shorewall is running
> State:Started Mon Feb 5 14:01:21 PST 2018 from /etc/shorewall/
> (/var/lib/shorewall/firewall compiled Fri Feb 2 14:28:46 PST 2018 by
> Shorewall version 5.2.0-Beta1)
>
> root@Asus:~# iptables -F shorewall
> root@Asus:~# iptables -X shorewall
> root@Asus:~# shorewall status
> Shorewall-5.2.0-Beta1 Status at Asus - Thu Feb 8 09:32:46 PST 2018
>
> Shorewall is stopped
> State:Started Mon Feb 5 14:01:21 PST 2018 from /etc/shorewall/
> (/var/lib/shorewall/firewall compiled Fri Feb 2 14:28:46 PST 2018 by
> Shorewall version 5.2.0-Beta1)
>
> root@Asus:~#
>
> With the system in this state, should we really be so pedantic as to
> insist that 'start' be used rather than 'reload'?
>
> Note that when RESTART=restart, the 'restart' command is fundamentally
> 'shorewall stop && shorewall start'; should 'restart' be denied in the
> above situation?
>
> One thing is certain -- 'stop' and 'clear' must be allowed regardless of
> whether the Shorewall chain exists or not. And given that requirement, I
> don't think that we should quibble about when 'restart' and 'reload' are
> allowable commands.
>

It's always interesting to learn how Shorewall works!
Given your explanation it clearly makes no sense to nitpick about this.
The reason why I was asking is that my interface is configured by dhcp.
My understanding is that shorewall should be reloaded when a new lease
is acquired?

Based on that assumption I have a script in
/etc/dhcp/dhclient-exit-hooks.d that will reload shorewall when the
'reason' is 'BOUND' and I was simply looking for a way to only reload
shorewall when it is already started.

Thanks for your answer and I'm looking forward to 5.2.

-Matt
--
Matt Darfeuille
Re: [Shorewall-users] Command 'shorewall reload' behavior
On 02/08/2018 08:45 AM, Matt Darfeuille wrote:
> On 2/8/2018 5:17 PM, Tom Eastep wrote:
>> On 02/08/2018 04:20 AM, Matt Darfeuille wrote:
>>> Hi,
>>>
>>> From:
>>>
>>> http://shorewall.org/manpages/shorewall.html
>>>
>>> "Reload is similar to shorewall start except that it assumes that the
>>> firewall is already started. Existing connections are maintained."
>>>
>>> If I do 'shorewall stop' followed by 'shorewall reload' the firewall
>>> will be started:
>>>
>>> $ shorewall status
>>> Shorewall-5.1.12-RC1 Status ...
>>>
>>> Shorewall is running
>>> State:Started ... from /etc/shorewall/ (/var/lib/shorewall/firewall
>>> compiled ... by Shorewall version 5.1.12-RC1)
>>>
>>> $ shorewall stop
>>> Stopping Shorewall
>>> Preparing iptables-restore input...
>>> Running /sbin/iptables-restore...
>>> done.
>>> $ shorewall status
>>> Shorewall-5.1.12-RC1 Status ...
>>>
>>> Shorewall is stopped
>>> State:Stopped ... (/var/lib/shorewall/firewall compiled ... by Shorewall
>>> version 5.1.12-RC1)
>>>
>>> $ shorewall reload
>>> Shorewall is not running
>>> Starting Shorewall
>>> Initializing...
>>> Setting up Route Filtering...
>>> Setting up Martian Logging...
>>> Preparing iptables-restore input...
>>> Running /sbin/iptables-restore ...
>>> done.
>>>
>>> My understanding is that 'shorewall reload' should only reload shorewall
>>> when the state is 'started' or what am I missing?
>>>
>>> In other words: why 'shorewall reload' starts the firewall when
>>> shorewall is stopped?
>>>
>> The generated script interprets 'reload' and 'restart' as 'start' when
>> the firewall is not currently started.
>>
> Is there any way to alter this so that the generated script would not
> unconditionally start the firewall?
> If no and if it makes sense could something to that effect be implemented?
>
> -Matt

Because Shorewall is not a daemon, its state at any point in time is
rather nebulous. The Shorewall state is recorded in two ways:

1. When the firewall is started, a filter-table chain named 'Shorewall'
is created. When the firewall is stopped, that chain is deleted.
That is what the CLI uses to determine if Shorewall is started or not.
2. $VARDIR/state records the last state transition performed by Shorewall.

Of course, neither of these measures is even close to being foolproof
because they can be altered by simple administrative commands.

For instance:

root@Asus:~# shorewall status
Shorewall-5.2.0-Beta1 Status at Asus - Thu Feb 8 09:32:32 PST 2018

Shorewall is running
State:Started Mon Feb 5 14:01:21 PST 2018 from /etc/shorewall/
(/var/lib/shorewall/firewall compiled Fri Feb 2 14:28:46 PST 2018 by
Shorewall version 5.2.0-Beta1)

root@Asus:~# iptables -F shorewall
root@Asus:~# iptables -X shorewall
root@Asus:~# shorewall status
Shorewall-5.2.0-Beta1 Status at Asus - Thu Feb 8 09:32:46 PST 2018

Shorewall is stopped
State:Started Mon Feb 5 14:01:21 PST 2018 from /etc/shorewall/
(/var/lib/shorewall/firewall compiled Fri Feb 2 14:28:46 PST 2018 by
Shorewall version 5.2.0-Beta1)

root@Asus:~#

With the system in this state, should we really be so pedantic as to
insist that 'start' be used rather than 'reload'?

Note that when RESTART=restart, the 'restart' command is fundamentally
'shorewall stop && shorewall start'; should 'restart' be denied in the
above situation?

One thing is certain -- 'stop' and 'clear' must be allowed regardless of
whether the Shorewall chain exists or not. And given that requirement, I
don't think that we should quibble about when 'restart' and 'reload' are
allowable commands.

-Tom
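Tom's demonstration above shows the two state records drifting apart: after 'iptables -X shorewall', 'shorewall status' reports stopped while $VARDIR/state still says Started. The following added shell check (my code, not part of Shorewall or of this thread) cross-checks the two records so that a cron job or monitoring agent can flag a firewall that was torn down behind Shorewall's back. It assumes that the first word of $VARDIR/state is the transition name (Started, Stopped, ...) and that VARDIR defaults to /var/lib/shorewall; both IPTABLES and VARDIR can be overridden, which is what lets it run offline.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: cross-check the two places
# Shorewall records its state, as described in the thread:
#   1. the 'shorewall' chain in the filter table (what the CLI tests), and
#   2. $VARDIR/state, the last transition Shorewall itself performed.
# Assumptions (mine, not from the thread): the first word of $VARDIR/state is
# the transition name ("Started", "Stopped", ...), VARDIR defaults to
# /var/lib/shorewall, and IPTABLES/VARDIR can be overridden for offline testing.

: "${IPTABLES:=iptables}"
: "${VARDIR:=/var/lib/shorewall}"

# 0 if the Shorewall filter chain exists (the same test the CLI relies on).
shorewall_chain_present() {
    "$IPTABLES" -t filter -nL shorewall >/dev/null 2>&1
}

# Prints the recorded transition ("Started", "Stopped", ...) or "Unknown".
shorewall_recorded_state() {
    _word=
    if [ -r "$VARDIR/state" ]; then
        read -r _word _rest < "$VARDIR/state" || true
    fi
    echo "${_word:-Unknown}"
}

# Classify the combination of the two records. Prints one of:
#   consistent-started   chain present, state file says Started
#   consistent-stopped   chain absent,  state file says anything else
#   chain-missing        state file says Started but the chain is gone
#                        (e.g. after 'iptables -X shorewall' outside Shorewall)
#   chain-orphaned       chain present although Shorewall last recorded a stop/clear
# Returns 0 when the records agree, 1 when they disagree.
shorewall_state_check() {
    _recorded=$(shorewall_recorded_state)
    if shorewall_chain_present; then
        if [ "$_recorded" = Started ]; then
            echo consistent-started; return 0
        fi
        echo chain-orphaned; return 1
    fi
    if [ "$_recorded" = Started ]; then
        echo chain-missing; return 1
    fi
    echo consistent-stopped; return 0
}

# Run as "sh this-script check" to print the verdict and use it as exit status.
case "${1:-}" in
    check) shorewall_state_check ;;
esac
```

A 'chain-missing' verdict is the state Tom produced with 'iptables -F shorewall; iptables -X shorewall': the host is unfiltered, but nothing Shorewall wrote says so, which is exactly the condition an operator wants alerted on rather than quietly repaired by the next 'reload'.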
Re: [Shorewall-users] Command 'shorewall reload' behavior
On 2/8/2018 5:17 PM, Tom Eastep wrote:
> On 02/08/2018 04:20 AM, Matt Darfeuille wrote:
>> Hi,
>>
>> From:
>>
>> http://shorewall.org/manpages/shorewall.html
>>
>> "Reload is similar to shorewall start except that it assumes that the
>> firewall is already started. Existing connections are maintained."
>>
>> If I do 'shorewall stop' followed by 'shorewall reload' the firewall
>> will be started:
>>
>> $ shorewall status
>> Shorewall-5.1.12-RC1 Status ...
>>
>> Shorewall is running
>> State:Started ... from /etc/shorewall/ (/var/lib/shorewall/firewall
>> compiled ... by Shorewall version 5.1.12-RC1)
>>
>> $ shorewall stop
>> Stopping Shorewall
>> Preparing iptables-restore input...
>> Running /sbin/iptables-restore...
>> done.
>> $ shorewall status
>> Shorewall-5.1.12-RC1 Status ...
>>
>> Shorewall is stopped
>> State:Stopped ... (/var/lib/shorewall/firewall compiled ... by Shorewall
>> version 5.1.12-RC1)
>>
>> $ shorewall reload
>> Shorewall is not running
>> Starting Shorewall
>> Initializing...
>> Setting up Route Filtering...
>> Setting up Martian Logging...
>> Preparing iptables-restore input...
>> Running /sbin/iptables-restore ...
>> done.
>>
>> My understanding is that 'shorewall reload' should only reload shorewall
>> when the state is 'started' or what am I missing?
>>
>> In other words: why 'shorewall reload' starts the firewall when
>> shorewall is stopped?
>>
>
> The generated script interprets 'reload' and 'restart' as 'start' when
> the firewall is not currently started.
>

Is there any way to alter this so that the generated script would not
unconditionally start the firewall?
If no and if it makes sense could something to that effect be implemented?

-Matt
Re: [Shorewall-users] Command 'shorewall reload' behavior
On 02/08/2018 04:20 AM, Matt Darfeuille wrote:
> Hi,
>
> From:
>
> http://shorewall.org/manpages/shorewall.html
>
> "Reload is similar to shorewall start except that it assumes that the
> firewall is already started. Existing connections are maintained."
>
> If I do 'shorewall stop' followed by 'shorewall reload' the firewall
> will be started:
>
> $ shorewall status
> Shorewall-5.1.12-RC1 Status ...
>
> Shorewall is running
> State:Started ... from /etc/shorewall/ (/var/lib/shorewall/firewall
> compiled ... by Shorewall version 5.1.12-RC1)
>
> $ shorewall stop
> Stopping Shorewall
> Preparing iptables-restore input...
> Running /sbin/iptables-restore...
> done.
> $ shorewall status
> Shorewall-5.1.12-RC1 Status ...
>
> Shorewall is stopped
> State:Stopped ... (/var/lib/shorewall/firewall compiled ... by Shorewall
> version 5.1.12-RC1)
>
> $ shorewall reload
> Shorewall is not running
> Starting Shorewall
> Initializing...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore ...
> done.
>
> My understanding is that 'shorewall reload' should only reload shorewall
> when the state is 'started' or what am I missing?
>
> In other words: why 'shorewall reload' starts the firewall when
> shorewall is stopped?
>

The generated script interprets 'reload' and 'restart' as 'start' when
the firewall is not currently started.

-Tom
[Shorewall-users] Command 'shorewall reload' behavior
Hi,

From:

http://shorewall.org/manpages/shorewall.html

"Reload is similar to shorewall start except that it assumes that the
firewall is already started. Existing connections are maintained."

If I do 'shorewall stop' followed by 'shorewall reload' the firewall
will be started:

$ shorewall status
Shorewall-5.1.12-RC1 Status ...

Shorewall is running
State:Started ... from /etc/shorewall/ (/var/lib/shorewall/firewall
compiled ... by Shorewall version 5.1.12-RC1)

$ shorewall stop
Stopping Shorewall
Preparing iptables-restore input...
Running /sbin/iptables-restore...
done.
$ shorewall status
Shorewall-5.1.12-RC1 Status ...

Shorewall is stopped
State:Stopped ... (/var/lib/shorewall/firewall compiled ... by Shorewall
version 5.1.12-RC1)

$ shorewall reload
Shorewall is not running
Starting Shorewall
Initializing...
Setting up Route Filtering...
Setting up Martian Logging...
Preparing iptables-restore input...
Running /sbin/iptables-restore ...
done.

My understanding is that 'shorewall reload' should only reload shorewall
when the state is 'started' or what am I missing?

In other words: why 'shorewall reload' starts the firewall when
shorewall is stopped?

-Matt