[Shorewall-newbies] A few shorewall questions
shorewall at rettc.com
Mon Feb 23 13:25:02 PST 2004
David Shepherd wrote:
>I'm a student network administrator for the condo complex I live in. I
>have 2 main questions about shorewall:
>1.) Can the rules/policy config be updated without having to completely
>restart shorewall? How would I go about doing this? Or is this just
>something that I shouldn't worry about? I just get easy complaints from
>the students that live here (being the internet is used 24-7 in a
>college complex) if the system goes down for even a minute. I would
>like to prevent this.
As current connections are not dropped when doing a shorewall restart,
you should not worry about restarts, unless new rules specifically
deny traffic that is current in the connections list.
About 'shorewall restart':
"For Shorewall versions beginning with 1.4.7, if ADMINISABSENTMINDED=Yes
in /etc/shorewall/shorewall.conf then in addition, all existing
connections are retained and all connection requests from the firewall
>2.) I want to setup an intranet web server on the linux box that
>shorewall is running on so the residents can register themselves with
>me. I actually was hoping there was a way to have a web script to run
>on this site that will automatically enter the mac address (that they
>specify in one of the fields as their systems mac address on the
>website) into the mac list so they can only access the internet after
>they register with me. This is a way that I can know who is who when
>running the sniffer so if I need to knock them off for abuse, I know who
>it is so I can notify them first. I will have a third NIC card that is
>connected to the internal network that will only allow connection to
>this web server where they can register. Then the other two NICs are
>used for the internet access. Is this even possible for a web script to
>add their mac address to the mac list of shorewall?
Yes, but it must be written, of course.
> And will shorewall
>restrict the people that are not on this mac list from the internet?
Yes, as long as your rules/policy are set up for this.
>Would doing a "shorewall refresh" update the mac list instead of having
>to restart shorewall completely every time a user is added?
I am not sure about this. Anyone?
But, if ADMINISABSENTMINDED=yes in shorewall.conf, your users will not
notice any disconnects related to 'shorewall restart'.
I assume that your only qualms about doing a restart are the possibility
of dropping active connections, so I think that this solves the problem.
>We only have
>about 400 nodes but I don't want to have to reboot the system when we
>get new macs added. About half the condos are rented out and we have
>turnovers every semester with about 100-200 new or different MAC
>addresses. I will manually remove the old macs, I just want to know if
>it's possible to add macs to a mac list for an access control. Only
>macs on this list are let through, kind of an opposite of blacklist.
I don't see why a reboot is necessary in relation to firewalling. If you
mean 'restart' then see above.
Also, please read http://shorewall.net/starting_and_stopping_shorewall.htm
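An added example, not part of the message above or of Shorewall's own code, of the helper a registration script could call to append one MAC to the maclist. The security point is input validation: the web form's field ends up in a firewall configuration file, so the script accepts only exactly six colon-separated hex octets on a single line, rejects everything else (a value containing a newline followed by "ACCEPT eth1 ..." would otherwise add an entry of the attacker's choosing), and refuses duplicates. Assumptions: the maclist file uses the DISPOSITION / INTERFACE / MAC column layout, the residents' interface is eth1, and the path and the shorewall command can be overridden through the MACLIST and SHOREWALL variables. The reload step is a plain "shorewall restart", which the reply says does not drop established connections when ADMINISABSENTMINDED=Yes; it is not a claim that "shorewall refresh" re-reads the maclist.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): validate a MAC
# address submitted by a web form and append it as an ACCEPT entry to
# Shorewall's maclist. Assumed layout: "DISPOSITION INTERFACE MAC".

MACLIST="${MACLIST:-/etc/shorewall/maclist}"   # override for testing
MAC_IFACE="${MAC_IFACE:-eth1}"                 # assumed residents' NIC

# valid_mac MAC -> 0 only if MAC is a single line of exactly six
# colon-separated hex octets. grep's ^ and $ anchor per line, so the
# line count is checked first to stop "mac<newline>ACCEPT ..." injection.
valid_mac() {
    [ "$(printf '%s\n' "$1" | grep -c '')" = 1 ] || return 1
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{2}(:[0-9a-f]{2}){5}$'
}

# normalize_mac MAC -> lowercase form so duplicates compare equal.
normalize_mac() {
    printf '%s' "$1" | tr 'A-F' 'a-f'
}

# mac_registered MAC -> 0 if an ACCEPT entry for MAC on MAC_IFACE exists.
# Only call with a value that passed valid_mac: the MAC is interpolated
# into a regex, and hex digits and colons are the only safe characters.
mac_registered() {
    [ -f "$MACLIST" ] || return 1
    grep -Eiq "^ACCEPT[[:space:]]+$MAC_IFACE[[:space:]]+$1([[:space:]]|\$)" \
        "$MACLIST"
}

# add_mac MAC -> appends "ACCEPT <iface> <mac>".
# Returns 1 for malformed input, 2 if the MAC is already listed.
add_mac() {
    mac=$(normalize_mac "$1")
    valid_mac "$mac" || return 1
    mac_registered "$mac" && return 2
    printf 'ACCEPT\t%s\t%s\n' "$MAC_IFACE" "$mac" >> "$MACLIST"
}

# reload_firewall -> make Shorewall re-read the maclist. A restart keeps
# established connections when ADMINISABSENTMINDED=Yes is set in
# shorewall.conf. SHOREWALL lets a test substitute a stub command.
reload_firewall() {
    "${SHOREWALL:-shorewall}" restart
}
```

Usage from a privileged wrapper: `add_mac "$mac" && reload_firewall`. The web server's own uid should not be able to write to /etc/shorewall, so have the CGI hand the submitted MAC to this script through a sudo rule restricted to it, or spool requests for a root cron job to process; either way the validation above runs on the privileged side.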