[Shorewall-devel] "shorewall stop"

Tom Eastep teastep at shorewall.net
Fri Jul 25 21:03:59 PDT 2003


Steve,

On Fri, 2003-07-25 at 11:16, Steve Herber wrote:
> I wonder if changing the way commands work is a good idea.  Adding a
> new command, safe_stop, to what you describe below might be worthwhile.

I think having two different "stopped" states is a bad idea.

> 
> I generally just install shorewall and leave it alone so I don't have 
> much experience with the difference between stop and clear, reset, and 
> other option.  So, I went to your site and found the page called
> "Starting/Stopping and Monitoring the Firewall".  I know you have lots of
> documentation, but describing the command "shorewall stop" as "stops the
> firewall" does not tell me what happens to existing connections.  The same for
> the other commands.  In the chart just under the state machine 
> there is a nice, incomplete, list of some of the shorewall commands.  Clear is
> not in the chart.  It would be nice if there was a third column that said what
> happens to existing connections and what happens to new connection attempts.

I've cleaned it up a bit.

> 
> So, I guess what I am saying is that maybe the problem people have with the stop
> and clear commands have more to do with not fully understanding what happens to
> their connections when the state is entered.  Maybe they don't quite understand
> why they would use the state.  Expanding the documentation give another
> opportunity to again point out the routestopped feature.

I think that like yourself, most users have never seen that page so I
don't have a great deal of enthusiasm for spending time improving it.

> 
> I think shorewall is almost perfect, not to big, not too many features, not too
> many command options, so I would rather not see an existing command changed.
> If you really need a new stop option, then maybe create a new command to invoke
> it.

We're not really talking so much about explicit "shorewall stop"
commands as we are the implicit "stop" when an error occurs in one of
the other commands.

> 
> As I was playing with the shorewall command, to see what the list of options on
> my version, I realized that an expanded build-in help would be nice, and another
> opportunity to avoid adding a new command:
> 
> shorewall help stop
> 	stop shuts down all existing connections
> 		except any to/from routestopped entries
> 		use it when ....
> 
> shorewall help clear
> 	clear does something else...
> 		use it when you ....
> 

If someone wants to send me a patch, I'll merge it and maintain the
improved help when I do future changes.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net



More information about the Shorewall-devel mailing list