On 2013-05-05 13:57:10 +0000, CACook@... said:
> Today I noticed to my horror that my firewall was ACCEPTing EVERYTHING.
> It was like this for a couple of weeks. I found the reason was I'd
> removed 'tor' from the services file and so Shorewall failed to start.
> I've removed tor from the rules file now, and of course it works.
> But routestopped has only eth0, which is not connected. (wlan0 is) The
> policy file seems to have everything DENYed.
> So I don't understand how this could have happened?
Startup behavior with Shorewall can be a bit tricky.
If you happen to run xUbuntu, you need to know that Upstart can't
guarantee that a 'shorewall stop' command is issued (and locks down the
firewall to routestopped) before the network is brought up.
None of that matters, as you have discovered, with an invalid Shorewall
While I haven't tested this, it's likely that this also applies to
running 'shorewall stop' to lock the firewall to the routestopped
As I recall, Shorewall checks its configuration, and will not change
*anything* without a valid config. This applies for both adding and
removing of rules, policies, and so on.
It appears likely you had an invalid config (as stated in your first
paragraph), and had rebooted the machine.
I'm willing to bet you didn't notice the message that shorewall didn't
start - either because you weren't watching, or because a boot splash
hid the message.
It doesn't matter how your policy, rules, or anything else are
configured. As I recall, if your configuration isn't valid, shorewall
won't apply any of it.
The default boot state for the Linux kernel allows any network
connection. It's likely it is also the state shorewall will leave you
with if your configuration is not valid.
'shorewall check' is very useful; ALWAYS run it after modifying your
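A fail-closed wrapper around the advice in this reply, added here as an example and not part of the original thread or of Shorewall itself: it runs `shorewall check` before touching the running ruleset, falls back to DROP default policies if the check fails (because, as noted above, `shorewall stop` may also refuse to act on a broken config), and afterwards confirms that the kernel's builtin chain policies are not ACCEPT, which is exactly the "ACCEPTing EVERYTHING" state the original poster found. The function names `policies_are_closed` and `safe_restart`, the config path and the 60-second `try` timeout are my assumptions; the `iptables -S` sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the Shorewall project.
# Assumes: shorewall and iptables on PATH, run as root. Names are illustrative.

# policies_are_closed: read `iptables -S` output on stdin and return 0 only if
# no builtin chain has an ACCEPT default policy ("-P INPUT ACCEPT" etc.).
# Reading stdin (rather than calling iptables) lets it be tested on captured text.
policies_are_closed() {
    open=$(awk '$1 == "-P" && $3 == "ACCEPT" { print $2 }')
    if [ -n "$open" ]; then
        echo "open default policy on: $open" >&2
        return 1
    fi
    return 0
}

# lock_down: last-resort fallback when Shorewall itself cannot be trusted to
# act. Sets the filter-table builtin policies to DROP so nothing passes.
lock_down() {
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
}

# safe_restart: validate, then apply, then verify. Never leaves the kernel's
# boot default (ACCEPT everything) in place after a config error.
safe_restart() {
    cfg=${1:-/etc/shorewall}   # assumed config directory

    # 1. Validate before changing anything; a bad config must not go live.
    if ! shorewall check "$cfg"; then
        echo "shorewall check failed; locking down instead of restarting" >&2
        # 'shorewall stop' may also bail out on an invalid config, so fall back.
        shorewall stop || lock_down
        return 1
    fi

    # 2. 'try' loads the new ruleset and reverts to the previous one if it
    #    fails or if the timeout expires without a 'shorewall save'.
    shorewall try "$cfg" 60 || return 1

    # 3. Verify the result in the kernel, not just Shorewall's exit status.
    iptables -S | policies_are_closed
}

# Only act when explicitly asked, so sourcing this file is side-effect free.
if [ "$#" -gt 0 ] && [ "$1" = "--run" ]; then
    shift
    safe_restart "$@"
fi
```

Run it as `sh safe_restart.sh --run` after every edit to the Shorewall configuration. The DROP fallback also cuts off remote administration sessions, which is what routestopped exists to avoid; on a machine managed over the network, list the admin host in routestopped and accept it in `lock_down` before the policies are set.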