When I stop Shorewall, the firewall is wide open. Isn't that a security risk?
It is important to understand that the scripts in /etc/init.d are generally provided by your distribution and not by the Shorewall developers. These scripts must meet the requirements of the distribution’s packaging system, which may conflict with the requirements of a tight firewall. So when you say “…when I stop Shorewall…” it is necessary to distinguish between the commands /sbin/shorewall stop and /etc/init.d/shorewall stop. /sbin/shorewall stop places the firewall in a safe state, the details of which depend on your /etc/shorewall/routestopped file (shorewall-routestopped(8)) and on the setting of ADMINISABSENTMINDED in /etc/shorewall/shorewall.conf (shorewall.conf(8)). /etc/init.d/shorewall stop may or may not do the same thing. In the case of Debian™ systems, for example, that command actually executes /sbin/shorewall clear, which opens the firewall completely. In other words, the init script’s stop reverses the effect of start. One way to avoid these differences is to install S