Hi,
On Gentoo we are going to enable shorewall-init by default.
While testing I noticed that shorewall-init doesn't honor the
"STARTUP_ENABLED" configuration option.
Is this a wanted behavior?
Imagine the following two situations:
S1) Fresh installation.
You have just installed shorewall, shorewall6 and shorewall-init.
You only configured shorewall6. You don't want to use shorewall yet.
On reboot, shorewall-init will first try to compile shorewall, which
will fail:
> Initializing "Shorewall-based firewalls": Compiling...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> ERROR: The 'zones' file does not exist or has zero size
shorewall-init will stop here and won't try to initialize shorewall6.
=> The first failing product will prevent all the following products
from initializing.
You could argue that if someone doesn't want to use shorewall yet, he/she
shouldn't add it to "PRODUCTS" in his/her shorewall-init configuration
but I would suggest: shorewall-init should continue with the next
product instead. See the next scenario for why this might be useful.
S2) Imagine you have a working shorewall system (with shorewall and
shorewall6 and shorewall-init which will initialize shorewall and
shorewall6 on boot). Now you decide to disable shorewall for some
reason. You do this by setting "STARTUP_ENABLED=No" in
"/etc/shorewall/shorewall.conf".
If you now restart, shorewall-init will check the firewall script
("shorewall compile -c" won't fail) and finally call
"/var/lib/shorewall/firewall stop" which will block any IPv4 traffic.
-Thomas
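
The behaviour suggested in the message above, as an added sketch (not shorewall-init's code and not part of the original post): each product in the list is checked for STARTUP_ENABLED first, and a failed compile is reported without ending the loop. Assumptions: `confroot` stands in for /etc, `compile_product` is a stub for the real compile check, a missing STARTUP_ENABLED line is treated as disabled, and `fw-off` is a made-up product name.

```shell
#!/bin/sh
# Added sketch, not shorewall-init's code. confroot stands in for /etc and
# compile_product is a stub for the real "<product> compile -c" check.

# True only if the product's .conf sets STARTUP_ENABLED=Yes (any case).
startup_enabled() {
    conf="$1/$2/$2.conf"
    [ -r "$conf" ] || return 1
    val=$(sed -n 's/^[[:space:]]*STARTUP_ENABLED=\([^#[:space:]]*\).*/\1/p' "$conf" |
        tail -n 1 | tr -d "\"'" | tr '[:upper:]' '[:lower:]')
    [ "$val" = yes ]
}

# Stub: fail like the S1 log when the zones file is missing or empty.
compile_product() {
    [ -s "$1/$2/zones" ]
}

# Print "<product>:<outcome>" per product; one failure never ends the loop.
init_products() {
    confroot="$1"; shift
    rc=0
    for product in "$@"; do
        if ! startup_enabled "$confroot" "$product"; then
            echo "$product:skipped"      # S2: disabled, so no "firewall stop"
        elif ! compile_product "$confroot" "$product"; then
            echo "$product:failed"       # S1: report it, move to next product
            rc=1
        else
            echo "$product:stop"         # where "firewall stop" would be called
        fi
    done
    return "$rc"
}

# Constructed sample tree: shorewall is enabled but has no zones file (S1),
# shorewall6 is configured, and "fw-off" is a made-up disabled product (S2).
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/shorewall" "$root/shorewall6" "$root/fw-off"
    echo 'STARTUP_ENABLED=Yes' > "$root/shorewall/shorewall.conf"
    echo 'STARTUP_ENABLED=Yes' > "$root/shorewall6/shorewall6.conf"
    echo 'fw firewall' > "$root/shorewall6/zones"
    echo 'STARTUP_ENABLED=No   # disabled by the admin' > "$root/fw-off/fw-off.conf"
    echo 'fw firewall' > "$root/fw-off/zones"
    echo "$root"
}

sample=$(make_sample)
init_products "$sample" shorewall shorewall6 fw-off || echo "at least one product failed"
rm -rf "$sample"
```

The non-zero return value still lets the init script signal that a product failed, while the products after it are handled.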