Hello,

Is it possible to put shorewall.conf elsewhere than in /etc/shorewall/ ? I haven't seen a shorewall parameter to specify an alternative file nor did I notice any environment variable for that purpose.

Thanks !

On 9/16/10 3:36 PM, lanas wrote:
> Hello,
>
> Is it possible to put shorewall.conf elsewhere than
> in /etc/shorewall/ ? I haven't seen a shorewall parameter to specify an
> alternative file nor did I notice any environment variable for that
> purpose.

No -- Any system that runs Shorewall must have /etc/shorewall/shorewall.conf.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

>> Is it possible to put shorewall.conf elsewhere than
>> in /etc/shorewall/ ? I haven't seen a shorewall parameter to specify an
>> alternative file nor did I notice any environment variable for that
>> purpose.
>
> No -- Any system that runs Shorewall must have
> /etc/shorewall/shorewall.conf.

Not true! I do exactly what the OP suggested - my shorewall.conf is in a completely different directory - the trick is to modify /etc/init.d/shorewall and start with "shorewall start $options $config_directory" where $config_directory is the directory where shorewall.conf resides. I also redirected the path within shorewall.conf to look elsewhere for the rest of the Shorewall files, so yes - it is possible.

On 9/16/10 4:39 PM, Mr Dash Four wrote:
>>> Is it possible to put shorewall.conf elsewhere than
>>> in /etc/shorewall/ ? I haven't seen a shorewall parameter to specify an
>>> alternative file nor did I notice any environment variable for that
>>> purpose.
>>
>> No -- Any system that runs Shorewall must have
>> /etc/shorewall/shorewall.conf.
>
> Not true! I do exactly what the OP suggested - my shorewall.conf is in a
> completely different directory - the trick is to modify
> /etc/init.d/shorewall and start with "shorewall start $options
> $config_directory" where $config_directory is the directory where
> shorewall.conf resides. I also redirected the path within shorewall.conf
> to look elsewhere for the rest of the Shorewall files, so yes - it is
> possible.

Try deleting /etc/shorewall/shorewall.conf and see what happens.

-Tom

>> Not true! I do exactly what the OP suggested - my shorewall.conf is in a
>> completely different directory - the trick is to modify
>> /etc/init.d/shorewall and start with "shorewall start $options
>> $config_directory" where $config_directory is the directory where
>> shorewall.conf resides. I also redirected the path within shorewall.conf
>> to look elsewhere for the rest of the Shorewall files, so yes - it is
>> possible.
>
> Try deleting /etc/shorewall/shorewall.conf and see what happens.

#rm /etc/shorewall/shorewall.conf
#shorewall status
/etc/shorewall/shorewall.conf does not exist!
#touch /etc/shorewall/shorewall.conf
#shorewall status
Shorewall-4.4.13-Beta5 Status at dmz7.zieg.home-net - Fri Sep 17 00:51:00 BST 2010
Shorewall is running
State:Started (Sun Sep 12 11:43:16 BST 2010) from /s_dmz7/shorewall/

Easy!

> #rm /etc/shorewall/shorewall.conf
> #shorewall status
> /etc/shorewall/shorewall.conf does not exist!
> #touch /etc/shorewall/shorewall.conf
> #shorewall status
> Shorewall-4.4.13-Beta5 Status at dmz7.zieg.home-net - Fri Sep 17
> 00:51:00 BST 2010
> Shorewall is running
> State:Started (Sun Sep 12 11:43:16 BST 2010) from /s_dmz7/shorewall/
>
> Easy!

OK, slight correction as "shorewall restart/reload" etc fails miserably with "startup is disabled" error message. The solution: "echo STARTUP_ENABLED=Yes > /etc/shorewall/shorewall.conf" should do the trick.

On 9/16/10 5:12 PM, Mr Dash Four wrote:
>> #rm /etc/shorewall/shorewall.conf
>> #shorewall status
>> /etc/shorewall/shorewall.conf does not exist!
>> #touch /etc/shorewall/shorewall.conf
>> #shorewall status
>> Shorewall-4.4.13-Beta5 Status at dmz7.zieg.home-net - Fri Sep 17
>> 00:51:00 BST 2010
>> Shorewall is running
>> State:Started (Sun Sep 12 11:43:16 BST 2010) from /s_dmz7/shorewall/
>>
>> Easy!
>
> OK, slight correction as "shorewall restart/reload" etc fails miserably
> with "startup is disabled" error message. The solution: "echo
> STARTUP_ENABLED=Yes > /etc/shorewall/shorewall.conf" should do the trick.

Which only confirms what I wrote -- any system that runs Shorewall must have /etc/shorewall/shorewall.conf; but you are correct that it can be a minimal file.

-Tom

> Which only confirms what I wrote -- any system that runs Shorewall must
> have /etc/shorewall/shorewall.conf; but you are correct that it can be a
> minimal file.

I am curious though - is there any reason to have this restriction? This 'configuration' file with just ENABLE_STARTUP=Yes (while for all other options my own shorewall.conf is picked up) does not really make sense to me.

On 9/17/10 7:00 AM, Mr Dash Four wrote:
>> Which only confirms what I wrote -- any system that runs Shorewall must
>> have /etc/shorewall/shorewall.conf; but you are correct that it can be a
>> minimal file.
>
> I am curious though - is there any reason to have this restriction? This
> 'configuration' file with just ENABLE_STARTUP=Yes (while for all other
> options my own shorewall.conf is picked up) does not really make sense
> to me.

It's the way that Shorewall works and the cost of changing it is high enough that it's just not worth the effort.

Your modification to /etc/init.d/shorewall only works on commands issued through that script. Unless your log file happens to be in the default place, even simple CLI commands like 'shorewall show log' won't work. The rules compiler is the only part of Shorewall that uses the directory specified in the 'start' and 'restart' commands.

-Tom

> It's the way that Shorewall works and the cost of changing it is high
> enough that it's just not worth the effort.

Fair enough.

> Your modification to /etc/init.d/shorewall only works on commands issued
> through that script. Unless your log file happens to be in the default
> place, even simple CLI commands like 'shorewall show log' won't work.
> The rules compiler is the only part of Shorewall that uses the directory
> specified in the 'start' and 'restart' commands.

Just one thing I want to make sure - even though my /etc/shorewall.conf contains one line only, Shorewall itself is reading all other options from my custom-placed shorewall.conf right? I checked that yesterday, but it was late and I did not put a great effort in, so I might have been mistaken.

On 9/17/10 7:28 AM, Mr Dash Four wrote:
>> It's the way that Shorewall works and the cost of changing it is high
>> enough that it's just not worth the effort.
>
> Fair enough.
>
>> Your modification to /etc/init.d/shorewall only works on commands issued
>> through that script. Unless your log file happens to be in the default
>> place, even simple CLI commands like 'shorewall show log' won't work.
>> The rules compiler is the only part of Shorewall that uses the directory
>> specified in the 'start' and 'restart' commands.
>
> Just one thing I want to make sure - even though my /etc/shorewall.conf
> contains one line only, Shorewall itself is reading all other options
> from my custom-placed shorewall.conf right? I checked that yesterday,
> but it was late and I did not put a great effort in, so I might have
> been mistaken.

It depends on which command is being executed.

However, I just thought of a foolproof trick - If you really want to relocate shorewall.conf, place this in /etc/shorewall/shorewall.conf:

    INCLUDE /path/to/my/shorewall.conf

In your 'real' shorewall.conf, be sure to modify CONFIG_PATH so that it looks in your private config directory first.

-Tom

> It depends on which command is being executed.
>
> However, I just thought of a foolproof trick - If you really want to
> relocate shorewall.conf, place this in /etc/shorewall/shorewall.conf:
>
> INCLUDE /path/to/my/shorewall.conf

Haven't thought of that before, thanks for the tip!

> In your 'real' shorewall.conf, be sure to modify CONFIG_PATH so that it
> looks in your private config directory first.

That's the first thing I did in my own version of shorewall.conf - I use a (secured) directory where I place all 'sensitive' files (that includes all shorewall configuration files) and the internal/application path (not the execute path!) is the first thing I changed and I am sure this is picked up by Shorewall.

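The layout the thread arrives at (an INCLUDE stub in /etc/shorewall/shorewall.conf, with the real shorewall.conf in a secured directory that CONFIG_PATH lists first) can be audited with a short script. This is an added example, not part of the thread or of Shorewall: the function names, the sample paths and the "no group or world write" policy are assumptions, and CONFIG_PATH is assumed to be a literal colon-separated list.

```shell
#!/bin/sh
# Added example: audit a relocated shorewall.conf (not Shorewall's own code).

# Build a constructed sample layout under $1 (all paths are made up).
make_sample() {
    mkdir -p "$1/etc/shorewall" "$1/secure/shorewall"
    chmod 700 "$1/secure/shorewall"
    printf 'INCLUDE %s\n' "$1/secure/shorewall/shorewall.conf" \
        > "$1/etc/shorewall/shorewall.conf"
    printf 'STARTUP_ENABLED=Yes\nCONFIG_PATH=%s\n' \
        "$1/secure/shorewall:/usr/share/shorewall" \
        > "$1/secure/shorewall/shorewall.conf"
    chmod 600 "$1/secure/shorewall/shorewall.conf"
}

# check_relocated_conf STUB: returns 0 if the layout is sane, 1 otherwise,
# printing one line per finding.
check_relocated_conf() {
    stub=$1
    rc=0
    [ -f "$stub" ] || { echo "FAIL: $stub does not exist"; return 1; }
    # The first INCLUDE directive in the stub names the real shorewall.conf.
    real=$(awk '$1 == "INCLUDE" { print $2; exit }' "$stub")
    [ -n "$real" ] || { echo "FAIL: no INCLUDE line in $stub"; return 1; }
    [ -f "$real" ] || { echo "FAIL: included file $real is missing"; return 1; }
    dir=$(dirname "$real")
    # Anyone who can write the file or its directory can rewrite the firewall.
    for p in "$real" "$dir"; do
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "FAIL: $p is group- or world-writable"; rc=1
        fi
    done
    # The private directory must be the first CONFIG_PATH entry, otherwise
    # same-named files elsewhere on the path are picked up instead.
    cfgpath=$(sed -n 's/^CONFIG_PATH=//p' "$real" | tail -n 1 | tr -d "\"'")
    first=${cfgpath%%:*}
    if [ "${first%/}" != "${dir%/}" ]; then
        echo "FAIL: CONFIG_PATH starts with '$first', not '$dir'"; rc=1
    fi
    # Without this setting the thread reports a "startup is disabled" error.
    if ! grep -Eqi "^STARTUP_ENABLED=[\"']?yes" "$stub" "$real"; then
        echo "FAIL: STARTUP_ENABLED=Yes not set"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $stub includes $real"
    return "$rc"
}
```

On a firewall host the call is `check_relocated_conf /etc/shorewall/shorewall.conf`; `make_sample` only exists to build a throwaway layout for trying the checks.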