On Fri, Oct 05, 2007 at 09:28:47PM -0400, Roberto C. Sánchez wrote:
> On Fri, Oct 05, 2007 at 06:12:02PM -0700, Tom Eastep wrote:
> >
> > See this from the Debian .diff.
> >
> > +# stop the firewall
> > +shorewall_stop () {
> > + echo -n "Stopping \"Shorewall firewall\": "
> > + $SRWL clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
> > -----
> > + return 0
> > +}
> > +
> >
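Review bot: shorewall_stop ends with an unconditional "return 0", so when "$SRWL clear" fails the only trace is the echo_notdone message and the caller of the init script still sees success; return the exit status of the clear command instead. The "# stop the firewall" comment should also state that this runs "clear" rather than "stop", because that choice decides what the host does with traffic afterwards, and $INITLOG should be quoted in the redirection.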
> > So if you use the Debian init scripts and run "/etc/init.d/shorewall
> > stop", what you really get is "shorewall clear".
> >
> > If you follow the Shorewall documentation and run "shorewall stop"
> > instead, you get the behavior you (and we) wanted in the first place.
> >
> > Lesson:
> >
> > If you don't get your Shorewall packages from shorewall.net, you can't
> > be sure that they do what the developers intended.
> >
> This might merit a bug report against the Debian package.
It's the fix to #342609. The problem is that the required behaviour
from "/etc/init.d/foo stop" on a Debian host is not the same thing as
the expected behaviour from "shorewall stop". shorewall interprets
"stop" as meaning "stop the firewall, so no traffic moves", while
Debian interprets it as "stop the package, so my system behaves as if
it wasn't installed". It's a question of whether you're thinking of
the host as being a firewall, or as being a platform for various
packages to run on.
There is no solution other than user education. Don't use the init
script if you meant to say "shorewall stop". The word just doesn't
mean the same thing in different contexts.
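An added example, not part of the original thread or of the Debian or Shorewall packages: a small audit that reads an init script and reports which shorewall subcommand its stop function runs, so the difference discussed above can be checked on a given host. The sample script is constructed; only its shorewall_stop body mirrors the quoted hunk, and the helper names are hypothetical.

```shell
#!/bin/sh
# Constructed sample init script; shorewall_stop mirrors the quoted hunk,
# shorewall_start is invented here for contrast.
sample_init_script() {
cat <<'EOF'
shorewall_start () {
  echo -n "Starting \"Shorewall firewall\": "
  $SRWL start >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
}
# stop the firewall
shorewall_stop () {
  echo -n "Stopping \"Shorewall firewall\": "
  $SRWL clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
}
EOF
}

# Read an init script on stdin and print the subcommand passed to $SRWL
# inside the shell function named by $1.
init_subcommands() {
  awk -v fn="$1" '
    ($1 == fn && $2 == "()") || $1 == (fn "()") { inside = 1; next }
    inside && $1 == "}"     { inside = 0 }
    inside && $1 == "$SRWL" { print $2 }
  '
}

# Classify what the init script's stop action does to the ruleset.
stop_semantics() {
  cmd=$(init_subcommands shorewall_stop)
  case "$cmd" in
    clear) echo "clear: ruleset removed, host behaves as if Shorewall were not installed" ;;
    stop)  echo "stop: same as 'shorewall stop', so no traffic moves" ;;
    *)     echo "unknown: inspect shorewall_stop by hand" ;;
  esac
}

# Run against the constructed sample; on a real host, redirect the
# init script into stop_semantics instead.
sample_init_script | stop_semantics
```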
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users