JC Janos
2008-Nov-13 04:37 UTC
Does code in /etc/shorewall/start exec before or after Shorewall starts?
In the docs at http://www.shorewall.net/Shorewall-perl.html,

"Your ipsets must be loaded before Shorewall starts. You are free to
try to do that with the following code in /etc/shorewall/start"

implies that code in /etc/shorewall/start is executed BEFORE Shorewall starts.

In the default /etc/shorewall/start

# /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.

implies that code in /etc/shorewall/start is loaded AFTER Shorewall starts.

Which is correct -- /etc/shorewall/start executes BEFORE or AFTER
shorewall starts?

--JC

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
shorewalljunky@comcast.net
2008-Nov-13 16:24 UTC
Re: Does code in /etc/shorewall/start exec before or after Shorewall starts?
JC Janos wrote:
> In the docs at http://www.shorewall.net/Shorewall-perl.html,
>
> "Your ipsets must be loaded before Shorewall starts. You are free to
> try to do that with the following code in /etc/shorewall/start"

That seems to have been a typo that was corrected overnight. It now reads:

"Your ipsets must be loaded before Shorewall starts. You are free to
try to do that with the following code in /etc/shorewall/init"
JC Janos
2008-Nov-13 16:56 UTC
Re: Does code in /etc/shorewall/start exec before or after Shorewall starts?
Hi,

> /etc/shorewall/init

It took a moment for me to even notice the difference in *your* post. Thanks for catching & pointing that out.

--JC
Roberto C. Sánchez
2008-Nov-14 00:50 UTC
Re: Does code in /etc/shorewall/start exec before or after Shorewall starts?
On Wed, Nov 12, 2008 at 08:37:06PM -0800, JC Janos wrote:
> In the docs at http://www.shorewall.net/Shorewall-perl.html,
>
> "Your ipsets must be loaded before Shorewall starts. You are free to
> try to do that with the following code in /etc/shorewall/start"
>
> implies that code in /etc/shorewall/start is executed BEFORE Shorewall starts.
>
> In the default /etc/shorewall/start
>
> # /etc/shorewall/start
> #
> # Add commands below that you want to be executed after shorewall has
> # been started or restarted.
>
> implies that code in /etc/shorewall/start is loaded AFTER Shorewall starts.
>
> Which is correct -- /etc/shorewall/start executes BEFORE or AFTER
> shorewall starts?
>

Have a look here: http://shorewall.net/shorewall_extension_scripts.htm

start -- invoked after the firewall has been started or restarted.
started -- invoked after the firewall has been marked as 'running'.

Also, if you look at /etc/shorewall/started, it says this:

# /etc/shorewall/started
#
# Add commands below that you want to be executed after shorewall has
# been completely started or restarted. The difference between this
# extension script and /etc/shorewall/start is that this one is invoked
# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
# after the 'shorewall' chain has been created (thus signaling that the
# firewall is completely up.
#
# This script should not change the firewall configuration directly but
# may do so indirectly by running /sbin/shorewall with the 'nolock'
# option.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com