Hi,

I'm trying to move from Shorewall to Shorewall-Lite. Could you please
read through this quick guide and see if I've misunderstood something
(there are a few things I'm not sure of)?

Safely migrating from Shorewall to Shorewall-Lite on a non-Debian
distro (pseudo-algorithm)

CAVEATS:
SW_ADMINISTRATIVE_SYSTEM=10.215.144.92
SW_TARGET_SYSTEM_1=10.215.144.91
SW_TARGET_SYSTEM_1_WHERE_ADM_IFACE=eth0
SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR=/some/partition/elsewhere/shorewall/lite/1

1) on shorewall administrative system:

a) mkdir -p $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR

b) rsync -a root@$SW_TARGET_SYSTEM_1:/etc/shorewall/ $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/

c) edit $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/stoppedrules and add:
ACCEPT $SW_TARGET_SYSTEM_1_WHERE_ADM_IFACE:$SW_ADMINISTRATIVE_SYSTEM $FW tcp 22

[QUESTION] Is tcp/22 (ssh) enough?

d) edit $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/shorewall.conf and
modify CONFIG_PATH.

[QUESTION] The current value (default) is:
CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
In my current example, does it have to be the following?
CONFIG_PATH=":${SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR}:${SHAREDIR}/shorewall"

2) on shorewall-lite target system:

a) install shorewall-lite (without uninstalling shorewall)

b) /usr/share/shorewall-lite/shorecap > /tmp/capabilities
rsync -a /tmp/capabilities root@$SW_ADMINISTRATIVE_SYSTEM:$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
rm /tmp/capabilities

[QUESTION] Is the above destination path correct?

c) [QUESTION] It's not clear to me where and how EXPORTPARAMS should
be set and why. Default is undefined.
Should I create it?
In which file?
In shorewall.conf @$SW_ADMINISTRATIVE_SYSTEM:$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/?
In shorewall.conf @$SW_ADMINISTRATIVE_SYSTEM:/etc/shorewall/?

d) rsync -a /usr/share/shorewall/shorewallrc root@$SW_ADMINISTRATIVE_SYSTEM:$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
[QUESTION] Is this step necessary if I want to compile the firewall
script for testing purposes?

3) on shorewall administrative system:

a)
cd $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR
shorewall compile -e $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR /tmp/fw_$SW_TARGET_SYSTEM_1

===== TEST ======

To test the new compiled firewall script:

1) on shorewall administrative system:
rsync -a /tmp/fw_$SW_TARGET_SYSTEM_1 root@$SW_TARGET_SYSTEM_1:/tmp/

2) on shorewall-lite target system (still has shorewall):

a) shorewall stop && /tmp/fw_$SW_TARGET_SYSTEM_1 start

b) make your tests.

b1) If errors:
/tmp/fw_$SW_TARGET_SYSTEM_1 stop ; shorewall start
Do your research, but at least everything is back up again and working.

b2) If OK:
connect to shorewall administrative system and run:
cd $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR
/sbin/shorewall remote-start $SW_TARGET_SYSTEM_1

and eventually:
/sbin/shorewall remote-reload $SW_TARGET_SYSTEM_1

Thanks,

Vieri

PS:
Is 'shorewall remote-getcaps' the same as using shorecap, or as
'shorewall-lite show -f capabilities'?


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
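The procedure from the post above, written out as a dry-run shell script. This is an added example, not code from the original message or from the Shorewall project. It uses the placeholder addresses, interface and directory from the post; every remote or firewall-changing command goes through a run() helper that only prints the command unless DRY_RUN=0 is set, so the whole plan can be read before anything touches the target. One deliberate variation: the capabilities file is pulled from the target by the admin system (rsync over ssh to the target) instead of being pushed from the target, so the target never needs root ssh access to the admin host. The CONFIG_PATH edit is the one the post proposes and is not a confirmation that it is required.

```shell
#!/bin/sh
# Added example (not from the original post or the Shorewall project):
# Shorewall -> Shorewall-Lite migration as a dry-run script.
# Defaults are the placeholder values from the post; override via environment.
set -eu

SW_ADMINISTRATIVE_SYSTEM=${SW_ADMINISTRATIVE_SYSTEM:-10.215.144.92}
SW_TARGET_SYSTEM_1=${SW_TARGET_SYSTEM_1:-10.215.144.91}
SW_TARGET_SYSTEM_1_WHERE_ADM_IFACE=${SW_TARGET_SYSTEM_1_WHERE_ADM_IFACE:-eth0}
SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR=${SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR:-/some/partition/elsewhere/shorewall/lite/1}
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only (default), 0 = execute them

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Append a line to a file, or show what would be appended in dry-run mode.
append_line() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'append to %s: %s\n' "$1" "$2"
    else
        printf '%s\n' "$2" >> "$1"
    fi
}

# stoppedrules entry keeping the admin host's ssh session alive while the
# target firewall is in the stopped state (only stoppedrules apply then).
# Columns: ACTION SOURCE DEST PROTO DPORT.
stoppedrules_entry() {
    printf 'ACCEPT %s:%s $FW tcp 22' "$1" "$2"
}

# Step 1 (admin system): copy the target's /etc/shorewall into the per-target
# directory, add the stoppedrules entry and set CONFIG_PATH as the post proposes.
stage_target_config() {
    dir=$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR
    run mkdir -p "$dir"
    run rsync -a "root@$SW_TARGET_SYSTEM_1:/etc/shorewall/" "$dir/"
    append_line "$dir/stoppedrules" \
        "$(stoppedrules_entry "$SW_TARGET_SYSTEM_1_WHERE_ADM_IFACE" "$SW_ADMINISTRATIVE_SYSTEM")"
    run sed -i "s|^CONFIG_PATH=.*|CONFIG_PATH=\":$dir:\${SHAREDIR}/shorewall\"|" "$dir/shorewall.conf"
}

# Step 2 (target, driven over ssh): generate the capabilities file with
# shorecap and pull it back into the per-target directory.
capture_target_capabilities() {
    dir=$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR
    run ssh "root@$SW_TARGET_SYSTEM_1" /usr/share/shorewall-lite/shorecap '>' /tmp/capabilities
    run rsync -a "root@$SW_TARGET_SYSTEM_1:/tmp/capabilities" "$dir/"
    run ssh "root@$SW_TARGET_SYSTEM_1" rm -f /tmp/capabilities
}

# Step 3 (admin system): compile in export mode into a stand-alone script.
compile_export() {
    run shorewall compile -e "$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR" "/tmp/fw_$SW_TARGET_SYSTEM_1"
}

# Test phase: push the script, swap it in, and fall back to the installed
# shorewall if the new script fails to start.  The stoppedrules entry above is
# what keeps this ssh session open between 'shorewall stop' and '... start'.
test_on_target() {
    script=/tmp/fw_$SW_TARGET_SYSTEM_1
    run rsync -a "$script" "root@$SW_TARGET_SYSTEM_1:/tmp/"
    run ssh "root@$SW_TARGET_SYSTEM_1" \
        "shorewall stop && $script start || { $script stop; shorewall start; }"
}

# The full plan, in the order given in the post.
migration_plan() {
    stage_target_config
    capture_target_capabilities
    compile_export
    test_on_target
}

migration_plan
```

Run it once as-is to review the printed plan, then with DRY_RUN=0 to execute; once the test phase succeeds, the remote-start and remote-reload steps from the post take over for normal operation.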