I just set up Shorewall from the Red Hat RPMs linked off the Shorewall page.
It's up and running, but I have some simple questions.

When I installed CentOS, I disabled the firewall (both the iptables and
ip6tables services were left running, though). How does Shorewall interact
with upstream's iptables configuration? Would it always overwrite anything
configured with its own configuration once started?

How is system security handled while booting? When does Shorewall start
protecting the machine during boot? Is there a period of time when the
machine may be unprotected?

Thanks for any pointers!
jlc

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
Joseph L. Casale wrote:
> When I installed CentOS, I disabled the firewall (both iptables
> and ip6tables service were left running though). How does shorewall
> interact with upstreams iptables configuration? Would it always overwrite
> anything configured with its own configuration once started?

Yes -- assuming that Shorewall is started after the other firewall. But
you should always disable your distribution's default firewall when
installing Shorewall.

> How is system security handled while booting, when does shorewall
> start protecting the machine during boot?

You can answer that question yourself -- look at your init script
configuration. But normally, Shorewall starts after networking but
before any Internet-accessible services.

> Is there a period of time when the machine may be unprotected?

That depends on the answer to the previous question.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> Yes -- assuming that Shorewall is started after the other firewall. But
> you should always disable your distribution's default firewall when
> installing Shorewall.

Thanks for the confirmation.

> You can answer that question yourself -- look at your init script
> configuration. But normally, Shorewall starts after networking but
> before any Internet-accessible services.

My init scripts for run level 3, for example, look like this. Could it not
be renamed as S09, for example? I am not sure if it depends on anything
before its current place. Can you point me to a source of documentation
where I might devise what Shorewall depends on so I can make this decision?

K02dhcdbd                     K89rdisc            S19rpcgssd
K02NetworkManager             K90bluetooth        S22messagebus
K02NetworkManagerDispatcher   K99readahead_later  S25netfs
K02oddjobd                    S00microcode_ctl    S25shorewall
K05conman                     S02lvm2-monitor     S26hidd
K05saslauthd                  S04readahead_early  S28autofs
K10psacct                     S05kudzu            S44acpid
K20nfs                        S06cpuspeed         S55sshd
K24irda                       S08ip6tables        S56cups
K50netconsole                 S08iptables         S80sendmail
K69rpcsvcgssd                 S10network          S85gpm
K73ypbind                     S11auditd           S90crond
K74nscd                       S12restorecond      S95anacron
K85mdmpd                      S12syslog           S95atd
K87multipathd                 S13irqbalance       S97yum-updatesd
K88pcscd                      S13mcstrans         S98haldaemon
K88wpa_supplicant             S13portmap          S99firstboot
K89dund                       S14nfslock          S99local
K89netplugd                   S15mdmonitor        S99smartd
K89pand                       S18rpcidmapd

Thanks for all the help!
jlc
Joseph L. Casale wrote:
>> Yes -- assuming that Shorewall is started after the other firewall. But
>> you should always disable your distribution's default firewall when
>> installing Shorewall.
>
> Thanks for the confirmation.
>
>> You can answer that question yourself -- look at your init script
>> configuration. But normally, Shorewall starts after networking but
>> before any Internet-accessible services.
>
> My init scripts for run level 3 for example look like this:
> Could it not be renamed as S09 for example? I am not sure if it depends on
> anything before its current place. Can you point me to a source of
> documentation where I might devise what Shorewall depends on so I can
> make this decision?

<rant>
I sure wish you would configure your mailer to wrap lines at some
reasonable length; each paragraph in your posts is one long line, which
means that quoting is a real PITA. I have to manually wrap them before I
can read them in my reply composition window. Thanks
</rant>

Trivially, /usr and /var must be available. Networking must also be
available if you use Shorewall features that require it. So if you are
using any of those, you need to make it at least S10 (since 'shorewall'
collates after 'network', the order will be correct).

The manpages point out configuration choices that will require networking
to be available. Here's a brief (and probably incomplete) summary:

- Any use of the 'detect' keyword requires networking, as does the use of
  an interface name in the SOURCE column of /etc/shorewall/masq; also
  DETECT_DNAT_IPADDRS=Yes in shorewall.conf.
- Shorewall's multi-ISP support requires networking to be up before
  Shorewall, since the routing configuration is manipulated.
- Shorewall Traffic Shaping also needs IP to be configured.
-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
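The ordering Tom describes (firewall after the network link, before any Internet-accessible service) can be checked mechanically against an rc directory listing. The POSIX sh script below is an added example, not code from this thread or from the Shorewall project. It uses the /etc/rc3.d entries Joseph posted as a constructed sample, and the set of services it treats as Internet-accessible (sshd, cups, sendmail, portmap) is an assumption chosen from that listing for illustration. The SysV rc script starts S* links in collation order of the whole link name, which is why Tom notes that S10shorewall would still follow S10network; the script compares full link names for the same reason, rather than only the two digits.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): check that a
# SysV firewall start link sorts after the network link and before the start
# links of Internet-facing services. The rc script starts S* links in glob
# (collation) order of the whole name, so whole names are compared; that is
# why S10shorewall would still follow S10network.
set -u
LC_ALL=C; export LC_ALL

# Constructed sample input: the /etc/rc3.d entries posted in the thread.
# On a real box use something like: LISTING=$(ls /etc/rc3.d)
SAMPLE_RC3='K02dhcdbd K02NetworkManager K02NetworkManagerDispatcher K02oddjobd
K05conman K05saslauthd K10psacct K20nfs K24irda K50netconsole K69rpcsvcgssd
K73ypbind K74nscd K85mdmpd K87multipathd K88pcscd K88wpa_supplicant K89dund
K89netplugd K89pand K89rdisc K90bluetooth K99readahead_later S00microcode_ctl
S02lvm2-monitor S04readahead_early S05kudzu S06cpuspeed S08ip6tables S08iptables
S10network S11auditd S12restorecond S12syslog S13irqbalance S13mcstrans
S13portmap S14nfslock S15mdmonitor S18rpcidmapd S19rpcgssd S22messagebus
S25netfs S25shorewall S26hidd S28autofs S44acpid S55sshd S56cups S80sendmail
S85gpm S90crond S95anacron S95atd S97yum-updatesd S98haldaemon S99firstboot
S99local S99smartd'

# Print the S-link name of service $2 found in listing $1 (e.g. S25shorewall).
# Fails silently when the service has no S-link, i.e. it does not start in
# that runlevel.
start_link() {
    for entry in $1; do
        case $entry in
            S[0-9][0-9]"$2") echo "$entry"; return 0 ;;
        esac
    done
    return 1
}

# Succeed when firewall service $2 sorts after network service $3 and before
# every remaining service that has an S-link; report each violation and fail
# otherwise.
check_firewall_order() {
    listing=$1; fw=$2; net=$3; shift 3
    fwl=$(start_link "$listing" "$fw") || { echo "no S-link for $fw"; return 1; }
    netl=$(start_link "$listing" "$net") || { echo "no S-link for $net"; return 1; }
    rc=0
    # expr prints 1 when the first name collates strictly before the second.
    if [ "$(expr "$netl" \< "$fwl")" -ne 1 ]; then
        echo "$fwl sorts before $netl: rules that need the network cannot be built"
        rc=1
    fi
    for svc in "$@"; do
        lnk=$(start_link "$listing" "$svc") || continue
        if [ "$(expr "$fwl" \< "$lnk")" -ne 1 ]; then
            echo "$lnk sorts before $fwl: $svc starts before the firewall is up"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: the listing as posted, then the S09 rename Joseph proposed.
main() {
    echo "== listing as posted =="
    if check_firewall_order "$SAMPLE_RC3" shorewall network sshd cups sendmail portmap; then
        echo "ok: firewall link precedes every listed service"
    fi
    echo "== shorewall link renamed to S09 =="
    renamed=$(printf '%s' "$SAMPLE_RC3" | sed 's/S25shorewall/S09shorewall/')
    check_firewall_order "$renamed" shorewall network sshd || true
}
main
```

Run as-is, the script accepts sshd, cups and sendmail (all after S25shorewall) but reports that S13portmap sorts before S25shorewall, so on the posted box the portmapper starts before Shorewall's rules are in place; that is the kind of window Joseph asked about, and it is found by reading the listing, not by guessing. With the link renamed to S09 it sorts before S10network and the script rejects it, while S10shorewall still passes because the whole name collates after S10network.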
> Trivially /usr and /var must be available. Networking must also be available
> if you use Shorewall features that require it. So if you are using any of
> those, You need to make at least S10 (since 'shorewall' collates after
> 'network', the order will be correct).
>
> The manpages point out configuration choices that will require networking to
> be available. Here's a brief (and probably incomplete) summary:

Tom,

Greatly appreciate your help!
jlc

PS. What is an appropriate length? I can change that in my Exchange Server :)
Joseph L. Casale wrote:
>
> Ps. What is an appropriate length, I can change that in the my Exchange Server:)

72-78

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key