On Wed, Dec 4, 2019 at 4:07 PM Matt Darfeuille <matd...@gmail.com> wrote:
>
> I would suggest you to read/reread (1) as it contains some answers to
> your questions.

It's a great guide, but I at least have a couple of doubts. It doesn't
hurt to clear them up before it's too late ;-).

> It would be also good to make your questions as simple as possible (not
> using variable ...).

Actually, I thought some kind of pseudo-code would be the clearest way
to explain things and avoid confusion.
I'll try to rephrase, then.

> Also, testing on none-production system might be a good thing.

I do that of course, but there's almost always a surprise when setting
it up on a production system.

> > b) rsync -a root@$SW_TARGET_SYSTEM_1:/etc/shorewall/
> > $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
> >
>
> Basically, you need to copy the configuration files from the firewall
> systems to the administrative system.

OK, I guess I can create a directory anywhere and to my liking, "as
long as I add it in CONFIG_PATH within shorewall.conf in that
directory". Is the second half of my sentence correct?

> > c) edit $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/stoppedrules and add:
> > ACCEPT $SW_TARGET_SYSTEM_1_WHERE_ADM_IFACE:$SW_ADMINISTRATIVE_SYSTEM $FW 
> > tcp 22
> >
> > [QUESTION] Is tcp/22 (ssh) enough?
> >
>
> Yes, see (1).

OK, I just wanted to make extra sure that only ssh is used (could be
any port, of course).

> > d) edit $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/shorewall.conf and
> > modify CONFIG_PATH.
> >
> > [QUESTION] The current value (default) is:
> > CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
> > In my current example, does it have to be the following?
> > CONFIG_PATH=":${SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR}:${SHAREDIR}/shorewall"
> >
>
> Can not answer this question without more information.

It's part of my earlier question (ignore it here).

> > 2) on shorewall-lite target system:
> >
> > a) install shorewall-lite (without uninstalling shorewall)
> >
>
> See (1).

The guide suggests uninstalling shorewall right away.
Here, I'm trying to keep both systems up so I can quickly revert.

> > b) /usr/share/shorewall-lite/shorecap > /tmp/capabilities
> > rsync -a /tmp/capabilities
> > root@$SW_ADMINISTRATIVE_SYSTEM:$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
> > rm /tmp/capabilities
> >
> > [QUESTION] Is the above destination path correct?
> >
>
> Use 'remote-getrc' to do that.

Do you mean I should use remote-getcaps from the administrative
system? Isn't remote-getrc for shorewallrc?

>
> > d) rsync -a /usr/share/shorewall/shorewallrc
> > root@$SW_ADMINISTRATIVE_SYSTEM:$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
> > [QUESTION] Is this step necessary if I want to compile the firewall
> > script for testing purposes?
> >
>
> This file is required for compilation only.

So, if I need to compile then can I get it by running remote-getrc
from the administrative system?

> > 3) on shorewall administrative system:
> >
> > a)
> > cd $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR
> > shorewall -e $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR 
> > /tmp/fw_$SW_TARGET_SYSTEM_1
> >
>
> Shorewall-lite only requires 'firewall' and firewall.conf'.

OK, but isn't my command generating the same script with a different name?

As far as EXPORTPARAMS is concerned, I'll leave it undefined.

> > ===== TEST ======
> >
> > To test the new compiled firewall script:
> >
> > 1) on shorewall administrative system:
> > rsync -a /tmp/fw_$SW_TARGET_SYSTEM_1 root@$SW_TARGET_SYSTEM_1:/tmp/
> >
>
> See (A) above.

So I just need to copy over the firewall.conf file as well.

> > PS:
> > 'shorewall remote-getcaps' is the same as using shorecap or as
> > 'shorewall-lite show -f capabilities'?
> >
>
> See (1) -- 'remote-getrc' and 'remote-getcaps' will pull the
> corresponding generated file to the administrative system.

Yes, but (1) indicates that "unlike the shorecap program, the show
capabilities command shows the kernel's current capabilities; it does
not attempt to load additional kernel modules". That's why I was
asking if remote-getcaps is more like shorecap or more like "show
capabilities".

Thanks a lot!

Vieri
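
The two points in this exchange that most often bite in practice are the CONFIG_PATH edit (if it still starts with ${CONFDIR}/shorewall, the compiler on the administrative system silently reads its own /etc/shorewall instead of the export directory) and the stoppedrules entry (without it, 'shorewall-lite stop' on the target cuts off the ssh session you administer it from). The script below is an added example, not code from the thread or from the Shorewall project; it assumes the one-directory-per-target layout described above, the sw_* function names are hypothetical, and the sample shorewall.conf, stoppedrules and 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): pre-compile
# sanity checks for a Shorewall-lite export directory on the administrative
# system. Assumed layout: one directory per target firewall holding a copy of
# that firewall's /etc/shorewall (shorewall.conf, stoppedrules, ...).

# Rewrite CONFIG_PATH in DIR/shorewall.conf so the export directory is searched
# first and the distributed defaults second. The literal ${SHAREDIR} is kept
# on purpose; Shorewall expands it itself at compile time.
sw_set_config_path() {
    dir=$1
    conf="$dir/shorewall.conf"
    sed "s|^CONFIG_PATH=.*|CONFIG_PATH=\":${dir}:\${SHAREDIR}/shorewall\"|" "$conf" \
        > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the current CONFIG_PATH value (surrounding quotes stripped).
sw_get_config_path() {
    sed -n 's/^CONFIG_PATH="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1/shorewall.conf"
}

# Succeed only if DIR/stoppedrules keeps tcp/22 from ADMIN_HOST to $FW open
# while the firewall is stopped (columns: ACTION SOURCE DEST PROTO DPORT).
# Comments and blank lines are skipped; SOURCE may carry an "iface:" prefix.
sw_check_stopped_ssh() {
    dir=$1
    admin=$2
    awk -v adm="$admin" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "ACCEPT" && index($2, adm) && $3 == "$FW" &&
            $4 == "tcp" && $5 == "22" { found = 1 }
        END { exit !found }
    ' "$dir/stoppedrules"
}

# --- constructed sample export directory (placeholders, not from the thread) ---
SW_EXPORT_DIR=$(mktemp -d)
trap 'rm -rf "$SW_EXPORT_DIR"' EXIT

cat > "$SW_EXPORT_DIR/shorewall.conf" <<'EOF'
# trimmed copy of a target's shorewall.conf, CONFIG_PATH still at its default
STARTUP_ENABLED=Yes
CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
EOF

cat > "$SW_EXPORT_DIR/stoppedrules" <<'EOF'
#ACTION  SOURCE            DEST  PROTO  DPORT
ACCEPT   eth0:192.0.2.10   $FW   tcp    22
EOF

# Record the value before the edit, then point CONFIG_PATH at the export dir.
SW_ORIG_PATH=$(sw_get_config_path "$SW_EXPORT_DIR")
sw_set_config_path "$SW_EXPORT_DIR"

echo "CONFIG_PATH before: $SW_ORIG_PATH"
echo "CONFIG_PATH after:  $(sw_get_config_path "$SW_EXPORT_DIR")"
if sw_check_stopped_ssh "$SW_EXPORT_DIR" 192.0.2.10; then
    echo "stoppedrules: ssh from 192.0.2.10 stays open when stopped"
else
    echo "stoppedrules: WARNING, administrative ssh would be cut on stop"
fi
```

Run it against the real export directory by replacing the constructed sample with the path you rsync'd from the target; if the ssh check fails, add the ACCEPT line from step c) before compiling, and if CONFIG_PATH does not start with that directory, the compiled script will not contain the target's rules at all.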


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
