Shorewall 2.2.0 is expected to be released in the February/March
timeframe so it is now time to begin thinking about preparing to
upgrade. This is particularly important for those of you still running
Shorewall 1.4 since support for that version will end with the release
of 2.2.
For those of you still running Shorewall 1.4, here are some things that
you can do ahead of time to ease the upgrade to 2.2.
-----------------------------------------------------------------------------
a) Shorewall 2.0 and 2.2 don't allow you to specify rate limiting in the
ACTION column (e.g., ACCEPT<10/sec:40>) so you will need to move all rate
limiting specifications over to the RATE LIMIT column.
b) The "dropunclean" and "logunclean" interface options are no longer
supported on 2.0 and 2.2 so you should remove them from the OPTIONS column in
/etc/shorewall/interfaces.
c) The default value for the ALL INTERFACES column in /etc/shorewall/nat
switches from "Yes" to "No". So if that column is empty in any of your
entries, you will want to change it to "Yes".
d) The NAT_BEFORE_RULES option is removed and Shorewall will behave as if
NAT_BEFORE_RULES=No had been specified. This will only affect people using
one-to-one NAT. If you use one-to-one NAT and you also have DNAT rules, it
would be a good idea to switch to NAT_BEFORE_RULES=No now if you haven't
already done so to be sure that none of your DNAT rules have been hiding
behind entries in your /etc/shorewall/nat file.
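The three ahead-of-time items above are mechanical enough to check by script. The following is an added example written for these notes, not code from the Shorewall project: it parses constructed copies of /etc/shorewall/rules, interfaces and nat, moves an ACTION<rate> specification into the RATE LIMIT column, flags dropunclean/logunclean, and flags nat entries whose ALL INTERFACES column is empty. The column positions, the "-" empty-column placeholder and the sample file contents are assumptions, and lines are assumed not to use backslash continuation.

```python
"""Pre-upgrade check for Shorewall 1.4 configs, covering items a) to c) above.

Example code added to these notes; it is not part of Shorewall. It parses
constructed copies of /etc/shorewall/rules, interfaces and nat and reports
  a) rate limiting embedded in the ACTION column (ACCEPT<10/sec:40>),
     rewriting it into the RATE LIMIT column,
  b) the removed dropunclean / logunclean interface options,
  c) an empty ALL INTERFACES column in nat (whose default flips Yes -> No).
Column positions are assumed from the Shorewall 2.x file layouts; lines are
assumed not to use backslash continuation.
"""
import re

# ACTION<rate> as in ACCEPT<10/sec:40>; the rate text is moved unchanged
RATE_IN_ACTION = re.compile(r"^(?P<action>[^<\s]+)<(?P<rate>[^>]+)>$")
REMOVED_IFACE_OPTIONS = {"dropunclean", "logunclean"}

# Assumed 0-based column positions
RATE_LIMIT_COL = 7      # rules: ACTION SOURCE DEST PROTO DPORT SPORT ORIG_DEST RATE_LIMIT USER
IFACE_OPTIONS_COL = 3   # interfaces: ZONE INTERFACE BROADCAST OPTIONS
NAT_ALL_IFACES_COL = 3  # nat: EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL


def entries(text):
    """Yield (line_no, fields) for lines that are not blank or comment-only."""
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()
        if stripped:
            yield n, stripped.split()


def fix_rules(text):
    """Return (rewritten rules text, findings); moves ACTION<rate> to RATE LIMIT."""
    out, findings = [], []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            out.append(line)            # keep comments and blank lines verbatim
            continue
        fields = stripped.split()
        m = RATE_IN_ACTION.match(fields[0])
        if m:
            fields[0] = m.group("action")
            while len(fields) <= RATE_LIMIT_COL:
                fields.append("-")      # "-" is assumed to be the empty-column placeholder
            if fields[RATE_LIMIT_COL] != "-":
                findings.append(f"rules: '{stripped}' has a rate in both ACTION and RATE LIMIT; check by hand")
            fields[RATE_LIMIT_COL] = m.group("rate")
            findings.append(f"rules: moved {m.group('rate')} from ACTION to RATE LIMIT")
        out.append("\t".join(fields))
    return "\n".join(out) + "\n", findings


def check_interfaces(text):
    """Report interface entries still using dropunclean or logunclean."""
    findings = []
    for n, fields in entries(text):
        if len(fields) > IFACE_OPTIONS_COL:
            bad = sorted(set(fields[IFACE_OPTIONS_COL].split(",")) & REMOVED_IFACE_OPTIONS)
            if bad:
                findings.append(f"interfaces:{n}: remove option(s) {','.join(bad)} from OPTIONS")
    return findings


def check_nat(text):
    """Report nat entries whose ALL INTERFACES column is empty (missing or '-')."""
    findings = []
    for n, fields in entries(text):
        if len(fields) <= NAT_ALL_IFACES_COL or fields[NAT_ALL_IFACES_COL] == "-":
            findings.append(f"nat:{n}: ALL INTERFACES is empty; set it to Yes to keep 1.4 behaviour")
    return findings


# Constructed sample files (not taken from any real installation)
SAMPLE_RULES = """\
#ACTION            SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT<10/sec:40>  net     fw    tcp    22
ACCEPT             net     fw    tcp    80
"""
SAMPLE_INTERFACES = """\
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth0       detect     dhcp,dropunclean,routefilter
loc    eth1       detect     routeback
"""
SAMPLE_NAT = """\
#EXTERNAL        INTERFACE  INTERNAL      ALL INTERFACES  LOCAL
130.252.100.69   eth0       192.168.1.12
130.252.100.70   eth0       192.168.1.13  Yes
"""


def run_checks(rules=SAMPLE_RULES, interfaces=SAMPLE_INTERFACES, nat=SAMPLE_NAT):
    """Run all three checks; return (rewritten rules text, list of findings)."""
    new_rules, findings = fix_rules(rules)
    findings += check_interfaces(interfaces)
    findings += check_nat(nat)
    return new_rules, findings


if __name__ == "__main__":
    new_rules, findings = run_checks()
    print(new_rules)
    print("\n".join(findings))
```

The rewritten rules output is meant to be reviewed, not copied blindly: a rule that already carried something in its RATE LIMIT column is reported rather than silently overwritten, and any file that uses backslash continuation should be joined first.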
If you take these steps ahead of time, you should be able to upgrade easily
from Shorewall 1.4.x to Shorewall 2.2.0. You will only have to make changes
after the upgrade if:
a) You have created an /etc/shorewall/common file for reasons other than
dropping SMB traffic rather than rejecting it. In that case, you will
need to rename your /etc/shorewall/common file to /etc/shorewall/initdone
and remove all references to the 'common' chain.
b) You have defined User Sets in /etc/shorewall/usersets. You will need to
convert to using User-defined actions that control connections based on the
effective user-id and/or group-id of the firewall-resident application making
the connection.
----------------------------------------------------------------------------
For those of you running Shorewall 1.4 or Shorewall 2.0:
1) Shorewall configuration files except shorewall.conf are now empty
(they contain only comments).
    /etc/shorewall/zones
    /etc/shorewall/policy
    /etc/shorewall/tos
If you are using the RPM, it would be a good idea to modify those
files (just add a comment) so that you won't end up with empty files
after the upgrade.
2) If you have not changed /etc/shorewall/shorewall.conf since it was
originally installed and you are using the RPM, you will need to modify
that file prior to upgrade (again, just add a comment). Otherwise,
the new shorewall.conf file will be installed which will disable
"shorewall [re]start" and may change your firewall behavior after you
have re-enabled [re]start.
3) The ORIGINAL DEST column of the /etc/shorewall/rules file may no
longer contain a second (SNAT) address. You must use an entry in
/etc/shorewall/masq instead.
Example from Shorewall FAQ #1:

Prior to Shorewall 2.1:

    /etc/shorewall/interfaces:
        loc    eth1    detect    routeback,...

    /etc/shorewall/rules:
        DNAT   loc     loc:192.168.1.12   tcp   80   -   130.252.100.69:192.168.1.254

Shorewall 2.1 and Later:

    /etc/shorewall/interfaces:
        loc    eth1    detect    routeback,...

    /etc/shorewall/masq:
        eth1   eth1    192.168.1.254      tcp   80

    /etc/shorewall/rules:
        DNAT   loc     loc:192.168.1.12   tcp   80   -   130.252.100.69
Note that Shorewall 2.0 users can make this change before upgrading to
2.2 while 1.4 users must wait until after the upgrade.
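The FAQ #1 conversion above can be carried out mechanically for every DNAT rule in a rules file. The following is an added example for these notes, not Shorewall's own code: it joins backslash-continued lines, splits an ORIGINAL DEST of the form external:snat, keeps the external address in the rule and emits the SNAT part as a masq entry on the DEST zone's interface, restricted to the same protocol and port and to traffic from the SOURCE zone's interface. The rules, masq and interfaces column layouts and the sample input are assumptions; the sample mirrors the FAQ entry.

```python
"""Convert a Shorewall 2.0-style DNAT rule carrying an SNAT address in
ORIGINAL DEST into the 2.1+ form: a plain DNAT rule plus a masq entry.

Example code added to these notes; not part of Shorewall. Assumed layouts:
  rules:      ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST
  masq:       INTERFACE SUBNET ADDRESS PROTO PORT(S)
  interfaces: ZONE INTERFACE ...   (used to map zone names to interfaces)
"""


def logical_lines(text):
    """Join backslash-continued lines and drop blank or comment-only ones."""
    joined = text.replace("\\\n", " ")
    for line in joined.splitlines():
        body = line.split("#", 1)[0].strip()
        if body:
            yield body


def zone_interfaces(interfaces_text):
    """Map zone -> first interface listed for it in the interfaces file."""
    zones = {}
    for body in logical_lines(interfaces_text):
        fields = body.split()
        if len(fields) >= 2:
            zones.setdefault(fields[0], fields[1])
    return zones


def convert_dnat_rule(rule, zones):
    """Return (rule, masq_entry); rules needing no change come back with None.

    A DNAT rule whose ORIGINAL DEST is <external>:<snat> loses the SNAT part,
    which becomes a masq entry on the DEST zone's interface, limited to the
    same protocol/port and to traffic arriving on the SOURCE zone's interface.
    """
    fields = rule.split()
    if len(fields) < 7 or fields[0].split(":")[0] != "DNAT":
        return rule, None
    parts = fields[6].split(":")
    if len(parts) != 2:
        return rule, None                     # no SNAT address, nothing to move
    external, snat = parts
    src_zone = fields[1].split(":", 1)[0]     # strip any host qualifier (zone:addr)
    dest_zone = fields[2].split(":", 1)[0]
    try:
        src_iface, dest_iface = zones[src_zone], zones[dest_zone]
    except KeyError as missing:
        raise ValueError(f"zone {missing} not found in interfaces file") from None
    proto, port = fields[3], fields[4]
    fields[6] = external
    masq = "\t".join([dest_iface, src_iface, snat, proto, port])
    return "\t".join(fields), masq


def convert_rules(rules_text, interfaces_text):
    """Convert every rule; return (new rules lines, new masq lines)."""
    zones = zone_interfaces(interfaces_text)
    new_rules, masq_entries = [], []
    for rule in logical_lines(rules_text):
        new_rule, masq = convert_dnat_rule(rule, zones)
        new_rules.append(new_rule)
        if masq:
            masq_entries.append(masq)
    return new_rules, masq_entries


# Constructed input mirroring the FAQ #1 example above
SAMPLE_INTERFACES = "loc  eth1  detect  routeback\n"
SAMPLE_RULES = """\
DNAT   loc   loc:192.168.1.12   tcp   80   \\
       -     130.252.100.69:192.168.1.254
ACCEPT net   fw                 tcp   22
"""

if __name__ == "__main__":
    rules, masq = convert_rules(SAMPLE_RULES, SAMPLE_INTERFACES)
    print("rules:\n" + "\n".join(rules))
    print("masq:\n" + "\n".join(masq))
```

Because Shorewall 2.x handles IPv4 only, a single colon in ORIGINAL DEST is unambiguous; a rule whose zones are not listed in the interfaces file is rejected rather than guessed at, so the converted masq entries never name an interface the configuration does not define.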
----------------------------------------------------------------------------
Shorewall 2.0 users may still have some changes to make after the upgrade;
these include:
1) The following builtin actions have been removed and have been
replaced by the new action logging implementation described in the
Release Notes:
    logNotSyn
    rLogNotSyn
    dLogNotSyn
----------------------------------------------------------------------------
I will update and re-send this notice from time to time until 2.2 is released.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key