Starting shorewall

Paul Howarth paul at city-fan.org
Sat Apr 8 11:19:53 UTC 2006


On Sat, 2006-04-08 at 11:50 +0100, Timothy Murphy wrote:
> Paul Howarth wrote:
> 
> > On Sat, 2006-04-08 at 10:43 +0100, Kevin Browne wrote:
> >> Have you edited /etc/shorewall/shorewall.conf to set the line STARTUP=1,
> >> this enables shorewall to start on boot.
> > 
> > You also need to "chkconfig shorewall on", and if you don't have
> > "chkconfig iptables off", that could interfere with shorewall.
> 
> Thanks very much, that probably is the solution.
> 
> I did have shorewall chkconfig-ed on,
> but I also had iptables on.
> I'll try turning it off.
> 
> But I don't recall ever reading that one should turn off iptables
> if running shorewall?
> I assumed shorewall ran on top of iptables.
> In fact I always run "iptables -L" after re-booting,
> to make sure I am (relatively) safe.
> 
> Incidentally, there has been a slight change
> in the behaviour of iptables - I guess after installing some update.
> It pauses now for a second or so when it mentions each local LAN,
> presumably while it checks that the LAN is accessible.
> I don't think it used to do this.

The iptables and shorewall scripts both do nominally the same thing -
build a set of netfilter rules to configure your firewall. After running
either of them, you can list the current rules using iptables -L etc.
Having both initscripts run is a recipe for confusion. It might work "by
accident" if you did:

service iptables start
service shorewall start
  (that would rewrite the firewall rules using the shorewall design)
service iptables stop
  (that would save the shorewall rules in the iptables state file, so
that the next time iptables was started, it would use the shorewall
rules)

However, shorewall is quite capable of setting up and tearing down its own
rules, so it doesn't need any help from the iptables script.

Paul.
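A check for the boot-time setup Paul and Kevin describe (shorewall chkconfig'ed on, iptables chkconfig'ed off, STARTUP=1 in shorewall.conf). This is an added example, not code from the thread or from the shorewall or Fedora projects; it takes the text of "chkconfig --list" and of shorewall.conf as arguments so it can run offline on constructed data, and the STARTUP=1 key name is taken from Kevin's message, not verified against any shorewall release.

```shell
#!/bin/sh
# Added example: detect the "both initscripts enabled" situation from the thread.
# Feed it the output of "chkconfig --list" and the contents of
# /etc/shorewall/shorewall.conf (here: constructed strings, see bottom).
# Which firewall initscripts are enabled in runlevel 3 or 5?
# Prints one of: conflict | shorewall-only | iptables-only | none
firewall_init_state() {
    sw=$(printf '%s\n' "$1"  | grep '^shorewall[[:space:]]' | grep -Ec '[35]:on' || true)
    ipt=$(printf '%s\n' "$1" | grep '^iptables[[:space:]]'  | grep -Ec '[35]:on' || true)
    if   [ "$sw" -gt 0 ] && [ "$ipt" -gt 0 ]; then echo conflict
    elif [ "$sw" -gt 0 ];                      then echo shorewall-only
    elif [ "$ipt" -gt 0 ];                     then echo iptables-only
    else                                            echo none
    fi
}

# Does shorewall.conf set STARTUP=1 (the key named in the thread)? Prints 1 or 0.
# Comment lines are ignored, the last uncommented setting wins, quotes are tolerated.
shorewall_startup() {
    val=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep '^[[:space:]]*STARTUP=' | tail -n 1 | cut -d= -f2 | tr -d '" ' || true)
    [ "$val" = "1" ] && echo 1 || echo 0
}

# Combine both checks; prints "ok" or the fixes suggested in the thread,
# joined with "; " when more than one applies.
check_firewall_boot() {
    state=$(firewall_init_state "$1")
    startup=$(shorewall_startup "$2")
    msg=""
    case "$state" in
        conflict)      msg="iptables and shorewall initscripts both enabled: chkconfig iptables off" ;;
        iptables-only) msg="shorewall not enabled at boot: chkconfig shorewall on; chkconfig iptables off" ;;
        none)          msg="no firewall initscript enabled: chkconfig shorewall on" ;;
    esac
    [ "$startup" = 1 ] || msg="${msg:+$msg; }STARTUP=1 not set in shorewall.conf"
    echo "${msg:-ok}"
}

# Constructed sample data: Timothy's situation (both on) and the corrected one.
LIST_BOTH='iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
shorewall       0:off   1:off   2:on    3:on    4:on    5:on    6:off'
LIST_FIXED='iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
shorewall       0:off   1:off   2:on    3:on    4:on    5:on    6:off'
CONF_ON='# shorewall.conf excerpt (constructed)
STARTUP=1'
CONF_OFF='STARTUP=0'
check_firewall_boot "$LIST_BOTH"  "$CONF_ON"   # advice: chkconfig iptables off
check_firewall_boot "$LIST_FIXED" "$CONF_ON"   # prints "ok"
```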