Manage shorewall and shorewall6 files with a "don't repeat yourself" approach
It produces a shorewall
configuration and a shorewall6
configuration, from common and specific information, reducing the work required to maintain a dual-stack firewall.
- output configuration are in
build
- there is one output configuration for
shorewall
and one forshorewall6
- each file in
raw-common
folder is copied to bothshorewall
andshorewall6
output configuration - each file in
raw-shorewall
folder is appended to the config file inshorewall
output - each file in
raw-shorewall6
folder is appended to the config file inshorewall6
output - the host names and their ip are defined in
processed/addresses
and appended toshorewall/params
andshorewall6/params
- zones and interfaces and defined in
processed/interfaces
and appended toshorewall/zones
,shorewall6/zones
,shorewall/interfaces
,shorewall6/interfaces
- edit the files in
raw-*
- add your hosts and addresses in
processed/addresses
- add your interfaces and options in
processed/interfaces
- run
bin/merge.sh
Once your configurations are generated, you can push them to your firewall(s).
- push the files in
build/shorewall
to your firewall's/etc/shorewall
folder - push the files in
build/shorewall6
to your firewall's/etc/shorewall6
folder - run
sudo shorewall check
on your firewall - run
sudo shorewall6 check
on your firewall - run
sudo shorewall restart
on your firewall - run
sudo shorewall6 restart
on your firewall
This can be done using the helper script :
bin/apply-full.sh FWHOST1 FWHOST2 FWHOST3 ...
Pre-requisites :
LOGFILE
must be defined in the configuration ofshorewall-lite
andshorewall6-lite
on each remote firewall : you can installrsyslog
on each remote firewall and use/var/log/syslog
asLOGFILE
To apply on a remote host named FIREWALLHOST
which you can reach as root
using SSH :
- run
shorewall remote-start -c build/shorewall FIREWALLHOST
on your computer - run
shorewall6 remote-start -c build/shorewall6 FIREWALLHOST
on your computer
This can be done using the helper script :
bin/apply-lite.sh FWHOST1 FWHOST2 FWHOST3 ...