On 02/08/2018 08:45 AM, Matt Darfeuille wrote:
> On 2/8/2018 5:17 PM, Tom Eastep wrote:
>> On 02/08/2018 04:20 AM, Matt Darfeuille wrote:
>>> Hi,
>>>
>>> From:
>>>
>>> http://shorewall.org/manpages/shorewall.html
>>>
>>> "Reload is similar to shorewall start except that it assumes that the
>>> firewall is already started. Existing connections are maintained."
>>>
>>> If I do 'shorewall stop' followed by 'shorewall reload' the firewall
>>> will be started:
>>>
>>> $ shorewall status
>>> Shorewall-5.1.12-RC1 Status ...
>>>
>>> Shorewall is running
>>> State:Started ... from /etc/shorewall/ (/var/lib/shorewall/firewall
>>> compiled ... by Shorewall version 5.1.12-RC1)
>>>
>>> $ shorewall stop
>>> Stopping Shorewall....
>>> Preparing iptables-restore input...
>>> Running /sbin/iptables-restore...
>>> done.
>>> $ shorewall status
>>> Shorewall-5.1.12-RC1 Status ...
>>>
>>> Shorewall is stopped
>>> State:Stopped ... (/var/lib/shorewall/firewall compiled ... by Shorewall
>>> version 5.1.12-RC1)
>>>
>>> $ shorewall reload
>>>    Shorewall is not running
>>> Starting Shorewall....
>>> Initializing...
>>> Setting up Route Filtering...
>>> Setting up Martian Logging...
>>> Preparing iptables-restore input...
>>> Running /sbin/iptables-restore ...
>>> done.
>>>
>>> My understanding is that 'shorewall reload' should only reload shorewall
>>> when the state is 'started', or what am I missing?
>>>
>>> In other words: why does 'shorewall reload' start the firewall when
>>> shorewall is stopped?
>>>
>> The generated script interprets 'reload' and 'restart' as 'start' when
>> the firewall is not currently started.
>>
> Is there any way to alter this so that the generated script would not
> unconditionally start the firewall?
> If not, and if it makes sense, could something to that effect be implemented?
>
> -Matt

Because Shorewall is not a daemon, its state at any point in time is
rather nebulous. The Shorewall state is recorded in two ways:

 1. When the firewall is started, a filter-table chain named 'Shorewall'
    is created. When the firewall is stopped, that chain is deleted.
    That is what the CLI uses to determine if Shorewall is started or not.
 2. $VARDIR/state records the last state transition performed by Shorewall.

Of course, neither of these measures are even close to being foolproof
because they can be altered by simple administrative commands.

For instance:

root@Asus:~# shorewall status
Shorewall-5.2.0-Beta1 Status at Asus - Thu Feb  8 09:32:32 PST 2018

Shorewall is running
State:Started Mon Feb  5 14:01:21 PST 2018 from /etc/shorewall/ 
(/var/lib/shorewall/firewall compiled Fri Feb 2 14:28:46 PST 2018 by Shorewall 
version 5.2.0-Beta1)

root@Asus:~# iptables -F shorewall
root@Asus:~# iptables -X shorewall
root@Asus:~# shorewall status
Shorewall-5.2.0-Beta1 Status at Asus - Thu Feb  8 09:32:46 PST 2018

Shorewall is stopped
State:Started Mon Feb  5 14:01:21 PST 2018 from /etc/shorewall/ 
(/var/lib/shorewall/firewall compiled Fri Feb 2 14:28:46 PST 2018 by Shorewall 
version 5.2.0-Beta1)

root@Asus:~# 

With the system in this state, should we really be so pedantic as to
insist that 'start' be used rather than 'reload'?

Note that when RESTART=restart, the 'restart' command is fundamentally
'shorewall stop && shorewall start'; should 'restart' be denied in the
above situation?

One thing is certain -- 'stop' and 'clear' must be allowed regardless of
whether the Shorewall chain exists or not. And given that requirement, I
don't think that we should quibble about when 'restart' and 'reload' are
allowable commands.

-Tom

-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't 
http://shorewall.org \   understand
                      \_______________________________________________
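An added example, not Shorewall's own code, that cross-checks the two state records listed above (chain presence in the filter table versus the transition recorded in $VARDIR/state) and flags the tampered situation shown in the session. It assumes the lowercase chain name 'shorewall' used in the iptables commands above, that the state file begins with the transition word echoed on the "State:" line of 'shorewall status', and takes the rule listing and state text as arguments so it runs offline on constructed input.

```shell
#!/bin/sh
# Added example (not Shorewall's code): reconcile the two Shorewall state
# records. Assumptions: chain name is the lowercase 'shorewall' deleted in
# the session above; the state file's first word is the last transition.

CHAIN="${SHOREWALL_CHAIN:-shorewall}"

# chain_present RULE_LISTING -> prints yes|no
# RULE_LISTING is the text of 'iptables -t filter -S'.
chain_present() {
    if printf '%s\n' "$1" | grep -qx -- "-N $CHAIN"; then
        echo yes
    else
        echo no
    fi
}

# recorded_state STATE_TEXT -> prints the first word of the state file
recorded_state() {
    set -- $1
    echo "${1:-Unknown}"
}

# reconcile RULE_LISTING STATE_TEXT -> consistent | inconsistent:chain=..,state=..
reconcile() {
    chain=$(chain_present "$1")
    state=$(recorded_state "$2")
    case "$chain:$state" in
        yes:Started|no:Stopped|no:Cleared) echo consistent ;;
        *) echo "inconsistent:chain=$chain,state=$state" ;;
    esac
}

# Constructed sample reproducing the demonstration above: the chain was
# flushed and deleted by hand, but the state file still says Started.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N dynamic
-N net-fw'
SAMPLE_STATE='Started Mon Feb  5 14:01:21 PST 2018 from /etc/shorewall/'

# Live use (as root, with iptables installed):
# reconcile "$(iptables -t filter -S)" "$(cat "${VARDIR:-/var/lib/shorewall}/state")"
reconcile "$SAMPLE_RULES" "$SAMPLE_STATE"
```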

