[Shorewall-newbies] A few shorewall questions

Alex Martin shorewall at rettc.com
Mon Feb 23 13:25:02 PST 2004

David Shepherd wrote:

>I'm a student network administrator for the condo complex I live in.  I
>have 2 main questions about shorewall:
>1.)  Can the rules/policy config be updated without having to completely
>restarting shorewall?  How would I go about doing this?  Or is this just
>something that I shouldn't worry about?  I just get easy complaints from
>the students that live here (being the internet is used 24-7 in a
>college complex) if the system goes down for even a minute.  I would
>like to prevent this.
As current connections are not dropped when doing a shorewall restart, 
you should not worry about restarts, unless new rules specifically 
deny traffic that is currently in the connections list.

About 'shorewall restart':
"For Shorewall versions beginning with 1.4.7, if ADMINISABSENTMINDED=Yes 
in /etc/shorewall/shorewall.conf then in addition, all existing 
connections are retained and all connection requests from the firewall 
are accepted."

From http://shorewall.net/starting_and_stopping_shorewall.htm

>2.)  I want to setup an intranet web server on the linux box that
>shorewall is running on so the residents can register themselves with
>me.  I actually was hoping there was a way to have a web script to run
>on this site that will automatically enter the mac address (that they
>specify in one of the fields as their systems mac address on the
>website) into the mac list so they can only access the internet after
>they register with me.  This is a way that I can know who is who when
>running the sniffer so if I need to knock them off for abuse, I know who
>it is so I can notify them first.  I will have a third NIC card that is
>connected to the internal network that will only allow connection to
>this web server where they can register.  Then the other two NICs are
>used for the internet access.  Is this even possible for a web script to
>add their mac address to the mac list of shorewall? 
Yes, it must be written, of course.

> And will shorewall
>restrict the people that are not on this mac list from the internet?
Yes, as long as your rules/policy are set up for this.

>Would doing a "shorewall refresh" update the mac list instead of having
>to restart shorewall completely every time a user is added?  
I am not sure about this. Anyone?

But, if ADMINISABSENTMINDED=yes in shorewall.conf, your users will not 
notice any disconnects related to 'shorewall restart'. 

I assume that your only qualms about doing a restart are the possibility 
of dropping active connections, so I think that this solves the problem.

>We only have
>about 400 nodes but I don't want to have to reboot the system when we
>get new macs added.  About half the condos are rented out and we have
>turnovers every semester with about 100-200 new or different MAC
>addresses.  I will manually remove the old macs, I just want to know if
>it's possible to add macs to a mac list for an access control.  Only
>macs on this list are let through, kind of an opposite of blacklist.
I don't see why a reboot is necessary in relation to firewalling. If you 
mean 'restart' then see above.
Also, please read http://shorewall.net/starting_and_stopping_shorewall.htm

Alex Martin
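Since the question in this thread is whether a web script can add a MAC address to the maclist and then apply it, here is an added example (not from the original message and not code from the Shorewall project) of the privileged helper half of such a script. It assumes the helper runs with rights to write /etc/shorewall/maclist (for instance invoked via sudo from the web server's account, which is an assumption), that the residents' interface is eth1 (hypothetical), and it writes the maclist columns DISPOSITION, INTERFACE and MAC. The part that matters is the validation: a value taken from a web form and appended straight into a firewall configuration file must be exactly one well-formed MAC address, otherwise an embedded newline or extra fields would become additional maclist entries with a disposition the user chose.

```shell
#!/bin/sh
# Added example: privileged helper that appends a resident's MAC to the
# Shorewall maclist. Paths and interface name are assumptions for this
# example; override MACLIST/MACLIST_IFACE in the environment as needed.
MACLIST="${MACLIST:-/etc/shorewall/maclist}"
MACLIST_IFACE="${MACLIST_IFACE:-eth1}"   # hypothetical resident-facing interface
NL='
'

# normalize_mac MAC: print the address in lowercase so duplicates compare equal.
normalize_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f'
}

# validate_mac MAC: succeed only for exactly six colon-separated hex pairs.
validate_mac() {
    # grep matches per line, so a value such as
    # "aa:bb:cc:dd:ee:ff<newline>ACCEPT eth1 ..." would pass the anchored
    # regex on its first line; reject any embedded newline before grepping.
    case "$1" in
        *"$NL"*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# mac_registered MAC: succeed if an ACCEPT entry for this interface and MAC exists.
mac_registered() {
    grep -Eiq "^ACCEPT[[:space:]]+${MACLIST_IFACE}[[:space:]]+$1([[:space:]]|\$)" \
        "$MACLIST" 2>/dev/null
}

# register_mac MAC: validate, deduplicate, then append "ACCEPT <iface> <mac>".
# Returns 1 for a malformed value, 2 if the MAC is already listed, 0 on success.
register_mac() {
    mac=$(normalize_mac "$1")
    validate_mac "$mac" || return 1
    mac_registered "$mac" && return 2
    printf 'ACCEPT\t%s\t%s\n' "$MACLIST_IFACE" "$mac" >> "$MACLIST"
}

# apply_maclist: make the new entry take effect. The thread notes that with
# ADMINISABSENTMINDED=Yes in shorewall.conf a restart keeps existing
# connections, so a full restart is acceptable here.
apply_maclist() {
    shorewall restart
}
```

The web-facing script should only pass the form value to register_mac and report its return code; it should never write to the maclist itself or be able to choose the disposition or interface.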

