Shorewall restart on PPP link change
March 23, 2009 – 2:28 pmI’ve found great joy running a Shorewall firewall on a Linux box but I came across the problem that when the PPP interface for an ADSL, WiMAX or VPN link goes up or down, Shorewall needs to be restarted to take the new IP address assignments into account. To this solve this problem I’ve written a few scripts to make it all work nicely for South African users.
Firstly put the following two scripts in the /usr/bin directory (or any directory of your choice):
/usr/bin/shorewall-flag-restart.sh (chmod u+x):
#!/bin/bash
set –e
set –u
RESTART_NEEDED=/var/lib/shorewall/shorewall-restartneeded
set -o noclobber
if [ ! -r $RESTART_NEEDED ]; then
date > $RESTART_NEEDED 2>&1
fi
/usr/bin/shorewall-check-restart.sh (chmod u+x):
#!/bin/bash
set -e
set -uRESTART_NEEDED=/var/lib/shorewall/shorewall-restartneeded
RESTARTING=/var/lib/shorewall/shorewall-restarting
RESTARTED=/var/lib/shorewall/shorewall-restarted# The restart needed flag is put in place by the ip up/down scripts. If
# it doesn’t exist or is older than the shorewall restart flag file, we
# don’t need to do anything.
if [ ! -r $RESTART_NEEDED ]; then
exit 0
fi
if [ -r $RESTARTING ]; then
exit 0
fi
if [ $RESTARTED -nt $RESTART_NEEDED ]; then
rm -f $RESTART_NEEDED
exit 0
fi# Make a mutex – should exit the script if this file already exists,
# due to the combination of the set -e and noclobber options.
set -o noclobber
echo "$$: `date`" >$RESTARTING## We only remove the $RESTART_NEEDED if the restart succeeds.
#if /sbin/shorewall restart >/dev/null 2>&1; then
# rm -f $RESTARTING
# rm -f $RESTART_NEEDED
#else
# rm -f $RESTARTING
#fi# Remove the $RESTART_NEEDED and replace if failure.
rm -f $RESTART_NEEDED
if /sbin/shorewall restart >/dev/null 2>&1; then
rm -f $RESTARTING
else
rm -f $RESTARTING
if [ ! -r $RESTARTING ]; then
echo "$$: `date`" >$RESTART_NEEDED
fi
fi
Then symbolic link the shorewall-flag-restart.sh script in the /etc/ppp/ip-up.d/ and /etc/ppp-ip-down.d/ directories so that the firewall gets restarted when a PPP interface goes up or down:
ln -s /usr/bin/shorewall-flag-restart.sh /etc/ppp/ip-up.d/shorewall-flag-restart
ln -s /usr/bin/shorewall-flag-restart.sh /etc/ppp/ip-down.d/shorewall-flag-restart
Then schedule cron to check for the restart flag every minute:
/etc/cron.d/shorewall-restart:
MAILTO=root
*/1 * * * * root [ -x /usr/bin/shorewall-check-restart.sh ] && /usr/bin/shorewall-check-restart.sh >/dev/null
These scripts were developed and tested on a Debian system. If anyone has any improvements or recommendations I’d appreciate to hear from you.
One Response to “Shorewall restart on PPP link change”
Nice Scripts!
implemented and working as expected. I did add logging to each file using the handy command ‘logger’ so that i can check in my log files when the automated restarts happen.
eg.: logger [ShorewallRestarter] Shorewall has been flagged for restart.
if you using syslog-ng and setup filters for shorewall (like i did) those log entries end up in the shorewall log file i created.
thanks again for the scripts !
By Mike on Mar 23, 2009