[Shorewall-devel] "shorewall stop"

Steve Herber herber at thing.com
Fri Jul 25 12:16:40 PDT 2003

I wonder if changing the way commands work is a good idea.  Adding a
new command, safe_stop, to what you describe below might be worthwhile.

I generally just install shorewall and leave it alone so I don't have 
much experience with the difference between stop and clear, reset, and 
other options.  So, I went to your site and found the page called
"Starting/Stopping and Monitoring the Firewall".  I know you have lots of
documentation, but describing the command "shorewall stop" as "stops the
firewall" does not tell me what happens to existing connections.  The same for
the other commands.  In the chart just under the state machine 
there is a nice, incomplete, list of some of the shorewall commands.  Clear is
not in the chart.  It would be nice if there was a third column that said what
happens to existing connections and what happens to new connection attempts.

So, I guess what I am saying is that maybe the problem people have with the stop
and clear commands has more to do with not fully understanding what happens to
their connections when the state is entered.  Maybe they don't quite understand
why they would use the state.  Expanding the documentation gives another
opportunity to again point out the routestopped feature.

I think shorewall is almost perfect, not too big, not too many features, not too
many command options, so I would rather not see an existing command changed.
If you really need a new stop option, then maybe create a new command to invoke

As I was playing with the shorewall command, to see what the list of options is on
my version, I realized that an expanded built-in help would be nice, and another
opportunity to avoid adding a new command:

shorewall help stop
	stop shuts down all existing connections
		except any to/from routestopped entries
		use it when ....

shorewall help clear
	clear does something else...
		use it when you ....

I hope these ideas are useful.


Steve Herber	herber at thing.com		work: 206-221-7262
Security Engineer, UW Medicine, IT Services	home: 425-454-2399

On 25 Jul 2003, Tom Eastep wrote:

> Although Shorewall provides safeguards against it, people seem to
> regularly shoot themselves in the foot when doing remote system
> administration. I've been thinking about this problem and wonder if a
> change to the way that "shorewall stop" behaves might help.
> Today, "shorewall stop" stops all traffic except to/from those
> destinations listed in /etc/shorewall/routestopped. An alternative
> behavior would be:
> a) Established connections and their related traffic would still be
> enabled. This means that "shorewall stop" wouldn't kill the ssh session
> from which you inadvertently issued the command.On the other hand, all
> other established connections would continue to work as well.
> b) All connection attempts FROM the firewall would be allowed. This
> would enable, for example, DNS lookups.
> c) New connections would still be accepted to/from those hosts listed in
> /etc/shorewall/routestopped.
> Comments?
> -Tom 
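The "safe stop" state Tom proposes (a: established/related traffic kept, b: connections from the firewall allowed, c: new connections only to/from routestopped hosts, everything else dropped), written out as an added example in plain iptables; this is not Shorewall's own code. It assumes the two-column "INTERFACE HOST(S)" format of /etc/shorewall/routestopped and only prints the rules so they can be reviewed before being applied; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not Shorewall code: print the iptables rules for a "safe stop"
# state. Assumes a routestopped-style file with lines "INTERFACE HOST(S)",
# where "-" as HOST(S) means any host on that interface. Nothing is applied;
# pipe the output to sh only after reading it.

# safe_stop_rules FILE: emit one iptables command per line.
safe_stop_rules() {
    file=$1
    # Start clean; default to DROP for traffic to and through the firewall.
    # (b) OUTPUT stays ACCEPT so the firewall itself can still resolve DNS etc.
    echo 'iptables -F'
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -P OUTPUT ACCEPT'
    # (a) keep existing connections and their related traffic alive,
    # which is what saves the ssh session the command was typed into.
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    # (c) new connections to/from each routestopped entry; comments are skipped.
    grep -v '^[[:space:]]*#' "$file" | while read -r iface host _; do
        [ -z "$iface" ] && continue
        [ "$host" = "-" ] && host=0.0.0.0/0
        echo "iptables -A INPUT -i $iface -s $host -j ACCEPT"
        echo "iptables -A FORWARD -i $iface -s $host -j ACCEPT"
        echo "iptables -A FORWARD -o $iface -d $host -j ACCEPT"
    done
}

# Constructed sample routestopped file (not a real configuration).
sample=$(mktemp)
printf '# INTERFACE HOST(S)\neth0 192.168.1.0/24\neth1 -\n' > "$sample"
safe_stop_rules "$sample"
rm -f "$sample"
```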
