kronik
2002-Nov-19 01:57 UTC
[Shorewall-users] Shorewall operating status and how to stay "blocked"
Hi all,

I have just started using Shorewall. So far so good. I have two questions which I can't find an answer to either on the website or googling. They may be stupid so please forgive my ignorance.

1) What is Shorewall's preferred operating status, running or stopped? What I mean is, some firewalls start up and run, and they do their thing, then they stop. But the firewall is still really "working" even if it's not seen as a "running" service.

I use Mdk 9.0. Shorewall is always running by default. I have read about the routestopped file and changed it accordingly. So I should be able to see out if Shorewall is stopped, right? Or is Shorewall supposed to be running constantly and the routestopped is there as a contingency just in case a problem happens?

Mdk 8.x's used tiny firewall and bastille which ran once then stopped (I think).

2) How can I stay blocked? When I scan my ports (esp. thru http://scan.sygate.com ) sometimes most of my ports are blocked (stealthed). Then if I check back an hour later, most are closed not blocked. Something seems to be happening, like the rules are not being renewed?? =8^S

If I then do:
shorewall stop
shorewall clear
shorewall start
... no change.

If I do:
shorewall stop
shorewall clear
shorewall clear
shorewall start
... it turns the ports to blocked (which is what I want, don't I???).

I really like Shorewall by the way. I have minimal experience in coding, having only used Linux for a few months, but I must say that I have had great fun with Shorewall. It seems fairly easy to use - even for newbies.

Thank you for reading and if you can give me some answers I would be very grateful.

cheers
Jes
fu11NO@SPAMyahoo.com
Tom Eastep
2002-Nov-19 02:52 UTC
[Shorewall-users] Shorewall operating status and how to stay "blocked"
--On Tuesday, November 19, 2002 12:57:15 PM +1100 kronik <fu11@yahoo.com> wrote:

> Hi all,
>
> I have just started using Shorewall. So far so good. I have two questions which I can't find an answer to either on the website or googling.
>
> They may be stupid so please forgive my ignorance.
>
> 1) What is Shorewall's preferred operating status, running or stopped? What I mean is, some firewalls start up and run, and they do their thing, then they stop. But the firewall is still really "working" even if it's not seen as a "running" service.
>
> I use Mdk 9.0. Shorewall is always running by default. I have read about the routestopped file and changed it accordingly. So I should be able to see out if Shorewall is stopped, right? Or is Shorewall supposed to be running constantly and the routestopped is there as a contingency just in case a problem happens?
>
> Mdk 8.x's used tiny firewall and bastille which ran once then stopped (I think).

Shorewall has three states:

Stopped: Only traffic permitted by entries in /etc/shorewall/routestopped is permitted.

Started: Shorewall's active state; this is the state that you want Shorewall to be in. I should stress however that in this state THERE IS NOT ONE BIT OF MY CODE RUNNING!!! All state is maintained by Netfilter inside your kernel.

Cleared: As if Shorewall had never been installed (e.g. "Wide Open").

> 2) How can I stay blocked? When I scan my ports (esp. thru http://scan.sygate.com ) sometimes most of my ports are blocked (stealthed). Then if I check back an hour later, most are closed not blocked. Something seems to be happening, like the rules are not being renewed?? =8^S

This is complete nonsense -- Netfilter rules remain in your kernel until something in user space changes them. As stated above, NOT ONE BIT OF SHOREWALL CODE RUNS ONCE A SHOREWALL STATE CHANGE IS COMPLETED (unless you run /sbin/shorewall to monitor your firewall).

> If I then do:
> shorewall stop
> shorewall clear
> shorewall start
>
> ... no change.
>
> If I do:
> shorewall stop
> shorewall clear
> shorewall clear
> shorewall start
>
> ... it turns the ports to blocked (which is what I want, don't I???).

What are you smoking? I want some!!! Sorry for the 60's expression but I want you to capture the output of "/sbin/shorewall status" after the single "shorewall clear" and again after the second "shorewall clear" -- there should not be any difference whatsoever.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep
2002-Nov-19 03:34 UTC
[Shorewall-users] Shorewall operating status and how to stay 'blocked'
> --On Tuesday, November 19, 2002 12:57:15 PM +1100 kronik <fu11@yahoo.com> wrote:
>
> This is complete nonsense -- Netfilter rules remain in your kernel until something in user space changes them. As stated above, NOT ONE BIT OF SHOREWALL CODE RUNS ONCE A SHOREWALL STATE CHANGE IS COMPLETED (unless you run /sbin/shorewall to monitor your firewall).

I should note that there ARE user-mode processes that can change your firewall state. If your DHCP client runs a script each time it renews your IP address and if that script contains errors, you can end up with an unexpected change in your firewall's configuration.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
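Tom's two points in this thread (nothing of Shorewall runs between state changes, yet a user-space hook such as a DHCP client script can still alter the Netfilter ruleset) suggest a simple check for the "stealthed, then closed an hour later" symptom: snapshot the live rules right after "shorewall start" and compare a later snapshot against it. The script below is an added example, not part of this thread and not Shorewall's own code. It parses iptables-save output and reports policy and rule differences. The two rulesets embedded in it are constructed samples; the chain name net2fw and the rule contents are assumptions for illustration, and snapshot() shells out to iptables-save only when you call it explicitly.

```python
"""Detect out-of-band changes to a live netfilter ruleset.

Added example (not Shorewall's code): compare an `iptables-save` snapshot
taken right after `shorewall start` with a later one, and list policy and
rule differences. A DROP -> ACCEPT policy flip or a missing `-j DROP`
rule is exactly the kind of drift a buggy DHCP hook could introduce.
"""
import subprocess
from typing import Dict, List, Tuple

Chain = Tuple[str, List[str]]           # (policy, ordered rule lines)
Ruleset = Dict[str, Dict[str, Chain]]   # table -> chain -> Chain


def parse_iptables_save(text: str) -> Ruleset:
    """Parse iptables-save output into {table: {chain: (policy, [rules])}}."""
    tables: Ruleset = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                        # comments and blank lines
        if line.startswith("*"):
            table = line[1:]                # "*filter"
            tables[table] = {}
        elif line.startswith(":") and table is not None:
            # ":INPUT DROP [0:0]"; user chains carry "-" as their policy
            name, policy, _counters = line[1:].split(None, 2)
            tables[table][name] = (policy, [])
        elif line.startswith("-A ") and table is not None:
            chain = line.split()[1]
            tables[table].setdefault(chain, ("-", []))[1].append(line)
        elif line == "COMMIT":
            table = None
    return tables


def diff_rulesets(baseline: Ruleset, current: Ruleset) -> List[str]:
    """Return human-readable findings; an empty list means no drift."""
    findings: List[str] = []
    for table in sorted(set(baseline) | set(current)):
        b = baseline.get(table, {})
        c = current.get(table, {})
        for chain in sorted(set(b) | set(c)):
            if chain not in c:
                findings.append(f"{table}/{chain}: chain removed")
                continue
            if chain not in b:
                findings.append(f"{table}/{chain}: chain added")
                continue
            b_policy, b_rules = b[chain]
            c_policy, c_rules = c[chain]
            if b_policy != c_policy:
                findings.append(f"{table}/{chain}: policy {b_policy} -> {c_policy}")
            findings += [f"{table}/{chain}: rule removed: {r}" for r in b_rules if r not in c_rules]
            findings += [f"{table}/{chain}: rule added: {r}" for r in c_rules if r not in b_rules]
    return findings


def snapshot() -> Ruleset:
    """Read the live ruleset (needs root and iptables; not used by the demo)."""
    out = subprocess.run(["iptables-save"], check=True, capture_output=True, text=True).stdout
    return parse_iptables_save(out)


# Constructed sample (assumption, not real output): a minimal Shorewall-style
# filter table as it might look right after `shorewall start`.
BASELINE = """\
# constructed sample, not real iptables-save output
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:net2fw - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j net2fw
-A net2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
-A net2fw -p tcp --dport 22 -j ACCEPT
-A net2fw -j DROP
COMMIT
"""

# Constructed sample of the same box an hour later: the INPUT policy has been
# flipped to ACCEPT and the final DROP in net2fw is gone, so unsolicited probes
# now reach the TCP stack and get RSTs ("closed") instead of being silently
# dropped ("stealthed").
DRIFTED = BASELINE.replace(":INPUT DROP", ":INPUT ACCEPT").replace("-A net2fw -j DROP\n", "")


def check_sample() -> List[str]:
    """Run the comparison on the constructed samples."""
    return diff_rulesets(parse_iptables_save(BASELINE), parse_iptables_save(DRIFTED))


if __name__ == "__main__":
    for finding in check_sample() or ["no drift detected"]:
        print(finding)
```

In practice you would save iptables-save output to a file immediately after "shorewall start", then run the comparison from cron or by hand when the scan results change; a non-empty report points at something in user space (a DHCP hook, another firewall script, a manual iptables call) rather than at Shorewall, which matches Tom's advice to compare "/sbin/shorewall status" before and after.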