Provided by: shorewall_5.0.4-1_all

NAME

       shorewall-init - Companion package

SYNOPSIS

       /etc/init.d/shorewall-init [start|stop]

DESCRIPTION

       Shorewall-init is an optional package (added in Shorewall 4.4.10) that can be installed
       along with Shorewall, Shorewall6, Shorewall-lite and/or Shorewall6-lite. It provides two
       key features:

        1. It can close (stop) the firewall during boot prior to starting the network. This can
           prevent unwanted connections from being accepted after the network comes up but before
           the firewall is started.

        2. It can interface with your distribution's ifup/ifdown scripts and/or NetworkManager to
           allow firewall actions when an interface starts or stops.

       These two capabilities can be enabled separately.

       After you install the shorewall-init package, you can activate it by modifying the
       Shorewall-init configuration file:

       •   On Debian-based systems, the file is /etc/default/shorewall-init.

       •   On other systems, the file is /etc/sysconfig/shorewall-init.

       To activate the safe boot feature, edit the configuration file and set PRODUCTS to a
       space-separated list of Shorewall products that you want to be closed before networking
       starts.

       Example:
           PRODUCTS="shorewall shorewall6"

       You must also ensure that the compiled scripts for the listed products were compiled
       using Shorewall 4.4.10 or later.

       Shorewall
           shorewall compile

       Shorewall6
           shorewall6 compile

       Shorewall-lite
           On the administrative system, enter the command shorewall export firewall from the
           firewall's configuration directory.

       Shorewall6-lite
           On the administrative system, enter the command shorewall6 export firewall from the
           firewall's configuration directory.

       The second feature (ifup/ifdown and NetworkManager integration) should only be activated
       on systems that do not use a link status monitor like swping or LSM.

       •   Edit the configuration file and set IFUPDOWN=1

       For NetworkManager integration, you will want to disable firewall startup at boot and
       delay it until your interface comes up. For this to work correctly, you must set the
       required or the optional option on at least one interface; then:

       •   On Debian-based systems, edit /etc/default/product for each product listed in the
           PRODUCTS setting and set startup=0.

       •   On other systems, use the distribution's service control tool (insserv, chkconfig,
           etc.) to disable startup of the products listed in the PRODUCTS setting.

       On a laptop with both Ethernet and wireless interfaces, you will want to make both
       interfaces optional and set the REQUIRE_INTERFACE option to Yes in shorewall.conf[1](5) or
       shorewall6.conf[2](5). This causes the firewall to remain stopped until at least one of
       the interfaces comes up.
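
       The settings described above can be checked with a short POSIX shell audit. This is an
       added example, not part of the Shorewall packages: the function names are hypothetical,
       the files are assumed to hold plain VAR=value lines, and the startup=0 check assumes the
       Debian layout with firewall startup delayed until an interface comes up.

```shell
#!/bin/sh
# Added example: audit a shorewall-init setup against the steps in this page.
# Files are parsed, not sourced, so nothing in them is executed by the audit.

# get_var FILE NAME -> print the last uncommented value of NAME, quotes stripped
get_var() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# audit_shorewall_init CONFDIR -> one finding per line; returns 1 on any WARN.
# CONFDIR is /etc/default on Debian-based systems.
audit_shorewall_init() {
    confdir=$1
    conf="$confdir/shorewall-init"
    rc=0
    products=$(get_var "$conf" PRODUCTS)
    if [ -z "$products" ]; then
        echo "WARN: PRODUCTS is empty; firewall is not closed before networking starts"
        rc=1
    else
        echo "OK: safe boot covers: $products"
    fi
    if [ "$(get_var "$conf" IFUPDOWN)" = 1 ]; then
        echo "OK: IFUPDOWN=1 (ifup/ifdown and NetworkManager integration enabled)"
        # Startup is driven by interface events, so boot-time start should be off.
        for p in $products; do
            if [ "$(get_var "$confdir/$p" startup)" = 0 ]; then
                echo "OK: $p has startup=0"
            else
                echo "WARN: $p does not have startup=0 in $confdir/$p"
                rc=1
            fi
        done
    else
        echo "INFO: IFUPDOWN is not 1; interface integration is disabled"
    fi
    return $rc
}

# Run only when a directory is given, e.g.: sh audit.sh /etc/default
if [ "$#" -gt 0 ]; then
    audit_shorewall_init "$1"
fi
```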

FILES

       /etc/default/shorewall-init (Debian-based systems) or /etc/sysconfig/shorewall-init (other
       distributions)

SEE ALSO

       shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5),
       shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
       shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
       shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
       shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
       shorewall-tunnels(5), shorewall-zones(5)

NOTES

        1. shorewall.conf
           http://www.shorewall.net/manpages/shorewall.conf.html

        2. shorewall6.conf
           http://www.shorewall.net/manpages6/shorewall6.conf.html