On Wed, Dec 4, 2019 at 4:07 PM Matt Darfeuille <matd...@gmail.com> wrote:
>
> I would suggest you read/reread (1) as it contains some answers to
> your questions.

It's a great guide, but I at least have a couple of doubts. It doesn't hurt
to clear them up before it's too late ;-).

> It would also be good to make your questions as simple as possible (not
> using variables ...).

Actually, I thought some kind of pseudo-code would be the clearest way to
explain things and avoid confusion. I'll try to re-phrase then.

> Also, testing on a non-production system might be a good thing.

I do that of course, but there's almost always a surprise when setting it
up on a production system.

> > b) rsync -a root@$SW_TARGET_SYSTEM_1:/etc/shorewall/
> > $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
> >
>
> Basically, you need to copy the configuration files from the firewall
> systems to the administrative system.

OK, I guess I can create a directory anywhere and to my liking, "as long as
I add it in CONFIG_PATH within shorewall.conf in that directory". Is the
second half of my sentence correct?

> > c) edit $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/stoppedrules and add:
> > ACCEPT $SW_TARGET_SYSTEM_1_WHERE_ADM_IFACE:$SW_ADMINISTRATIVE_SYSTEM $FW
> > tcp 22
> >
> > [QUESTION] Is tcp/22 (ssh) enough?
> >
>
> Yes, see (1).

OK, I just wanted to make extra sure that only ssh is used (could be any
port, of course).

> > d) edit $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/shorewall.conf and
> > modify CONFIG_PATH.
> >
> > [QUESTION] The current value (default) is:
> > CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
> > In my current example, does it have to be the following?
> > CONFIG_PATH=":${SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR}:${SHAREDIR}/shorewall"
> >
>
> Cannot answer this question without more information.

It's part of my earlier question (ignore it here).

> > 2) on shorewall-lite target system:
> >
> > a) install shorewall-lite (without uninstalling shorewall)
> >
>
> See (1).

The guide suggests uninstalling shorewall right away. Here, I'm trying to
keep both systems up so I can quickly revert.

> > b) /usr/share/shorewall-lite/shorecap > /tmp/capabilities
> > rsync -a /tmp/capabilities
> > root@$SW_ADMINISTRATIVE_SYSTEM:$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
> > rm /tmp/capabilities
> >
> > [QUESTION] Is the above destination path correct?
> >
>
> Use 'remote-getrc' to do that.

Do you mean I should use remote-getcaps from the administrative system?
Isn't remote-getrc for shorewallrc?

> > d) rsync -a /usr/share/shorewall/shorewallrc
> > root@$SW_ADMINISTRATIVE_SYSTEM:$SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR/
> > [QUESTION] Is this step necessary if I want to compile the firewall
> > script for testing purposes?
> >
>
> This file is required for compilation only.

So, if I need to compile, can I get it by running remote-getrc from the
administrative system?

> > 3) on shorewall administrative system:
> >
> > a)
> > cd $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR
> > shorewall -e $SW_ADMINISTRATIVE_SYSTEM_TARGET_1_DIR
> > /tmp/fw_$SW_TARGET_SYSTEM_1
> >
>
> Shorewall-lite only requires 'firewall' and 'firewall.conf'.

OK, but isn't my command generating the same script with a different name?
As far as EXPORTPARAMS is concerned, I'll leave it undefined.

> > ===== TEST ======
> >
> > To test the new compiled firewall script:
> >
> > 1) on shorewall administrative system:
> > rsync -a /tmp/fw_$SW_TARGET_SYSTEM_1 root@$SW_TARGET_SYSTEM_1:/tmp/
> >
>
> See (A) above.

So I just need to copy over the firewall.conf file as well.

> > PS:
> > 'shorewall remote-getcaps' is the same as using shorecap or as
> > 'shorewall-lite show -f capabilities'?
> >
>
> See (1) -- 'remote-getrc' and 'remote-getcaps' will pull the
> corresponding generated file to the administrative system.

Yes, but (1) indicates that "unlike the shorecap program, the show
capabilities command shows the kernel's current capabilities; it does not
attempt to load additional kernel modules". That's why I was asking if
remote-getcaps is more like shorecap or more like "show capabilities".

Thanks a lot!

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
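The export workflow discussed in the thread (copy the firewall's configuration into a per-target directory on the administrative system, add a stoppedrules entry so ssh from the administrative host survives a stop, collect capabilities and shorewallrc, then compile for export) is easy to get wrong in a way that locks you out of the remote firewall. The following is an added example, written for this page and not part of the thread or of Shorewall itself: a POSIX sh pre-flight check that refuses to proceed unless the export directory contains the files the thread says compilation needs and stoppedrules contains an uncommented ACCEPT for tcp/22 from the administrative host. The function names (preflight_export_dir, compile_for_export), the sample administrative host 192.0.2.10 and the sample files are this example's own; the `shorewall compile -e DIRECTORY PATHNAME` form is taken from the shorewall(8) man page (an assumption of this example, not something the thread confirms) and is only invoked when shorewall is actually installed.

```shell
#!/bin/sh
# Added example, not from the thread and not part of Shorewall: a pre-flight
# check for a per-firewall export directory on the administrative system.
# It verifies that the files the thread says the compile needs are present
# (shorewall.conf, shorewallrc, capabilities) and that stoppedrules keeps
# ssh from the administrative host open, so a remote restart cannot lock
# you out. The function names and the sample files are this example's own.

# preflight_export_dir DIR ADMIN_HOST
# Returns 0 when DIR is ready to compile for export, 1 otherwise.
preflight_export_dir() {
    dir=$1
    admin=$2
    rc=0
    for f in shorewall.conf shorewallrc capabilities stoppedrules; do
        if [ ! -f "$dir/$f" ]; then
            echo "preflight: missing $dir/$f" >&2
            rc=1
        fi
    done
    # stoppedrules columns are ACTION SOURCE DEST PROTO DPORT ...; SOURCE may
    # be written as "iface:host". Require an uncommented ACCEPT line whose
    # host part is exactly ADMIN_HOST with PROTO tcp and DPORT 22 (a port
    # list such as "22,443" is deliberately not accepted by this check, and
    # 192.0.2.1 must not satisfy a check for 192.0.2.10).
    if [ -f "$dir/stoppedrules" ] && ! awk -v admin="$admin" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "ACCEPT" && $4 == "tcp" && $5 == "22" {
            n = split($2, part, ":")
            if (part[n] == admin) found = 1
        }
        END { exit (found ? 0 : 1) }' "$dir/stoppedrules"; then
        echo "preflight: $dir/stoppedrules does not ACCEPT tcp/22 from $admin" >&2
        rc=1
    fi
    return $rc
}

# compile_for_export DIR OUTPUT
# Runs the export compile only when shorewall is installed on this host.
# The "compile -e DIRECTORY PATHNAME" form is assumed from shorewall(8).
compile_for_export() {
    if ! command -v shorewall >/dev/null 2>&1; then
        echo "shorewall is not installed here; skipping compile" >&2
        return 0
    fi
    shorewall compile -e "$1" "$2"
}

# Demo on a constructed sample directory (not real firewall data).
demo=$(mktemp -d)
: > "$demo/shorewall.conf"
: > "$demo/shorewallrc"
: > "$demo/capabilities"
cat > "$demo/stoppedrules" <<'EOF'
#ACTION   SOURCE              DEST   PROTO   DPORT
ACCEPT    eth0:192.0.2.10     $FW    tcp     22
EOF
if preflight_export_dir "$demo" 192.0.2.10; then
    echo "ok: $demo passes pre-flight"
    compile_for_export "$demo" "$demo/firewall" || echo "compile failed" >&2
fi
rm -rf "$demo"
```

Run the check against the real export directory right before the compile, and again after any edit to stoppedrules; the cheap awk test catches the two mistakes that actually cause lockouts in this workflow, a commented-out or misspelled admin rule and a rule written for a neighbouring address.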