[Shorewall-devel] "shorewall stop"
teastep at shorewall.net
Fri Jul 25 21:03:59 PDT 2003
On Fri, 2003-07-25 at 11:16, Steve Herber wrote:
> I wonder if changing the way commands work is a good idea. Adding a
> new command, safe_stop, to what you describe below might be worthwhile.
I think having two different "stopped" states is a bad idea.
> I generally just install shorewall and leave it alone so I don't have
> much experience with the difference between stop and clear, reset, and
> other options. So, I went to your site and found the page called
> "Starting/Stopping and Monitoring the Firewall". I know you have lots of
> documentation, but describing the command "shorewall stop" as "stops the
> firewall" does not tell me what happens to existing connections. The same for
> the other commands. In the chart just under the state machine
> there is a nice, incomplete, list of some of the shorewall commands. Clear is
> not in the chart. It would be nice if there was a third column that said what
> happens to existing connections and what happens to new connection attempts.
I've cleaned it up a bit.
> So, I guess what I am saying is that maybe the problem people have with the stop
> and clear commands has more to do with not fully understanding what happens to
> their connections when the state is entered. Maybe they don't quite understand
> why they would use the state. Expanding the documentation gives another
> opportunity to again point out the routestopped feature.
I think that like yourself, most users have never seen that page so I
don't have a great deal of enthusiasm for spending time improving it.
> I think shorewall is almost perfect, not too big, not too many features, not too
> many command options, so I would rather not see an existing command changed.
> If you really need a new stop option, then maybe create a new command to invoke
We're not really talking so much about explicit "shorewall stop"
commands as we are the implicit "stop" when an error occurs in one of
the other commands.
> As I was playing with the shorewall command, to see what the list of options on
> my version, I realized that an expanded built-in help would be nice, and another
> opportunity to avoid adding a new command:
> shorewall help stop
> stop shuts down all existing connections
> except any to/from routestopped entries
> use it when ....
> shorewall help clear
> clear does something else...
> use it when you ....
If someone wants to send me a patch, I'll merge it and maintain the
improved help when I do future changes.
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net