SHOREWALL-INIT(8) [FIXME: manual] SHOREWALL-INIT(8)NAMEshorewall-init - Companion package
SYNOPSIS
/etc/init.d/shorewall-init [start|stop]
DESCRIPTION
Shorewall-init is an optional package (added in Shorewall 4.4.10) that
can be installed along with Shorewall, Shorewall6, Shorewall-lite
and/or Shorewall6-lite. It provides two key features:
1. It can close (stop) the firewall during boot prior to starting the
network. This can prevent unwanted connections from being accepted
after the network comes up but before the firewall is started.
2. It can interface with your distribution's ifup/ifdown scripts
and/or NetworkManager to allow firewall actions when an interface
starts or stops.
These two capabilities can be enabled separately.
After you install the shorewall-init package, you can activate it by
modifying the Shorewall-init configuration file:
· On Debian-based system, the file is /etc/default/shorewall-init.
· On other systems, the file is /etc/sysconfig/shorewall-init.
To activate the safe boot feature, edit the configuration file and set
PRODUCTS to a space-separated list of Shorewall products that you want
to be closed before networking starts.
Example:
PRODUCTS="shorewall shorewall6"
You also must insure that the compiled scripts for the listed products
are compiled using Shorewall 4.4.10 or later.
Shorewall
shorewall compile
Shorewall6
shorewall6 compile
Shorewall-lite
On the administrative system, enter the command shorewall export
firewall from the firewall's configuration directory.
Shorewall6-lite
On the administrative system, enter the command shorewall6 export
firewall from the firewall's configuration directory.
The second feature (ifup/ifdown and NetworkManager integration) should
only be activated on systems that do not use a link status monitor line
swping or LSM.
· Edit the configuration file and set IFUPDOWN=1
For NetworkManager integration, you will want to disable firewall
startup at boot and delay it to when your interface comes up. For this
to work correctly, you must set the required or the optional option on
at least one interface then:
· On Debian-based systems, edit /etc/default/product for each product
listed in the PRODUCTS setting and set startup=0.
· On other systems, use the distribution's service control tool
(insserv, chkconfig, etc.) to disable startup of the products
listed in the PRODUCTS setting.
On a laptop with both Ethernet and wireless interfaces, you will want
to make both interfaces optional and set the REQUIRE_INTERFACE option
to Yes in shorewall.conf[1](5) or shorewall6.conf[2] (5). This causes
the firewall to remain stopped until at least one of the interfaces
comes up.
FILES
/etc/default/shorewall-init (Debian-based systems) or
/etc/sysconfig/shorewall-init (other distributions)
SEE ALSOshorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)NOTES
1. shorewall.conf
http://www.shorewall.net/manpages/shorewall.conf.html
2. shorewall6.conf
http://www.shorewall.net/manpages/../Manpages6/shorewall6.conf.html
[FIXME: source] 12/19/2013 SHOREWALL-INIT(8)
