Shorewall users - Dec 2013 - Extension Script or systemd for Shorewall dependencies?

Hi,

I installed Shorewall, and launch it with systemd.

If I want to launch some other app, say OpenVPN, only after the
Shorewall is UP, should I use systemd''s ExecStartPost=, or the
/etc/shoreline/configfiles/{start,started} Extensions Scripts.

It seems both would work.

Is there any advantage of one way over the other?

Jen

------------------------------------------------------------------------------
Sponsored by Intel(R) XDK 
Develop, test and display web and hybrid apps with a single code base.
Download it for free now!
http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk

On 12/3/2013 2:44 PM, jen142@promessage.com wrote:
> Hi,
> 
> I installed Shorewall, and launch it with systemd.
> 
> If I want to launch some other app, say OpenVPN, only after the
> Shorewall is UP, should I use systemd''s ExecStartPost=, or the
> /etc/shoreline/configfiles/{start,started} Extensions Scripts.
> 
> It seems both would work.
> 
> Is there any advantage of one way over the other?
The only time that I would use Shorewall extension scripts would be if
the init system didn''t support the dependent application.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Sponsored by Intel(R) XDK 
Develop, test and display web and hybrid apps with a single code base.
Download it for free now!
http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk

Hi

On Tue, Dec 3, 2013, at 04:15 PM, Tom Eastep wrote:
> The only time that I would use Shorewall extension scripts would be if
> the init system didn''t support the dependent application.
Ok, thanks.

When executing a local load/compile of a remote machine''s firewall
config for export, is the remote''s Shorewall-lite instance
reloaded/restarted by using "systemctl restart ...", or by directly
invoking the shorewall script?

Can the remote executable be changed?  For example, to use
/etc/systemd/system/my-shorewall-script.service, instead?

Also, what''s the right place to persistently change the
remote''s upload
directory -- from /etc/shorewall to /some/other/path/shorewall?

------------------------------------------------------------------------------
Sponsored by Intel(R) XDK 
Develop, test and display web and hybrid apps with a single code base.
Download it for free now!
http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk

On 12/4/2013 8:09 AM, jen142@promessage.com wrote:
> Hi
> 
> On Tue, Dec 3, 2013, at 04:15 PM, Tom Eastep wrote:
>> The only time that I would use Shorewall extension scripts would be if
>> the init system didn''t support the dependent application.
> 
> Ok, thanks.
> 
> When executing a local load/compile of a remote machine''s firewall
> config for export, is the remote''s Shorewall-lite instance
> reloaded/restarted by using "systemctl restart ...", or by
directly
> invoking the shorewall script?
You can simply use the ''shorewall reload <remote
system>'' on the admin
system, or you must export then ''systemctl restart'' on the
remote firewall.
> 
> Can the remote executable be changed?  For example, to use
> /etc/systemd/system/my-shorewall-script.service, instead?
Instead of what?
> 
> Also, what''s the right place to persistently change the
remote''s upload
> directory -- from /etc/shorewall to /some/other/path/shorewall?
Change the shorewallrc VARLIB or VARDIR setting on the remote system and
copy that file into the remote system''s directory on the admin system.
Note that VARLIB/VARDIR changes the place where the compiled script runs
from.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Sponsored by Intel(R) XDK 
Develop, test and display web and hybrid apps with a single code base.
Download it for free now!
http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk

> You can simply use the ''shorewall reload <remote
system>'' on the admin
> system, or you must export then ''systemctl restart'' on
the remote
> firewall.
thanks
> > Can the remote executable be changed?  For example, to use
> > /etc/systemd/system/my-shorewall-script.service, instead?
> 
> Instead of what?
instead of whatever the answer to my prior question:

'' ... is the remote''s Shorewall-lite instance
reloaded/restarted by
using "systemctl restart ...",
or by directly invoking the shorewall script? ...''

is.

a local ''shorewall reload'' executes WHAT on the remote system?
"systemctl shorewall-lite"?

Where do I change whatever that default executable is to "to use
/etc/systemd/system/my-shorewall-script.service, instead" ?
> Change the shorewallrc VARLIB or VARDIR setting on the remote system and
> copy that file into the remote system''s directory on the admin
system.
> Note that VARLIB/VARDIR changes the place where the compiled script runs
> from.
thanks

Jen

------------------------------------------------------------------------------
Sponsored by Intel(R) XDK 
Develop, test and display web and hybrid apps with a single code base.
Download it for free now!
http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk

On 12/4/2013 10:50 AM, jen142@promessage.com wrote:
> 
> 
>> You can simply use the ''shorewall reload <remote
system>'' on the admin
>> system, or you must export then ''systemctl restart''
on the remote
>> firewall.
> 
> thanks
Note that, after export, you may also ''shorewall-lite restart''
on the
remote system.
> 
>>> Can the remote executable be changed?  For example, to use
>>> /etc/systemd/system/my-shorewall-script.service, instead?
>>
>> Instead of what?
> 
> instead of whatever the answer to my prior question:
You seem to be fixated on systemd. What exactly are you trying to
accomplish?

Please refer to http://www.shorewall.org/Install.htm#id1169649892315. It
describes all of the configuration options available for relocating
Shorewall files.
> 
> '' ... is the remote''s Shorewall-lite instance
reloaded/restarted by
> using "systemctl restart ...",
> or by directly invoking the shorewall script? ...''
> 
> is.
> 
> a local ''shorewall reload'' executes WHAT on the remote
system?
> "systemctl shorewall-lite"?
No -- it executes "${SBINDIR}/shorewall-lite restart" where SBINDIR is
set in shorewallrc. See above.

Note That the ''shorewall-lite'' program uses shorewallrc to
determine
where the compiled script resides, but the name of the compiled script
is always assumed to be ''firewall''.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Sponsored by Intel(R) XDK 
Develop, test and display web and hybrid apps with a single code base.
Download it for free now!
http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk