Tom Eastep
2004-Feb-15 01:47 UTC
[Shorewall-announce] Preparing for Shorewall 2.0 -- Take 2
Shorewall 2.0.0 is now in Beta so this is a good time to begin thinking about preparing to migrate to the 2.0 Shorewall series. Shorewall 2.0 makes a number of incompatible changes in the configuration files. Luckily, you will be able to make changes ahead of time to your 1.4 configuration that will ease the migration when the time comes. a) Shorewall 2.0 doesn''t allow you to specify rate limiting in the ACTION column (e.g., ACCEPT<10/sec:40>) so you will need to move all rate limiting specifications over to the RATE LIMIT column. b) The "dropunclean" and "logunclean" interface options are no longer supported on 2.0 so you should remove them from the OPTIONS column in /etc/shorewall/interfaces. c) The Default value for the ALL INTERFACES column in /etc/shorewall/nat switches from "Yes" to "No". So if that column is empty in any of your entries, you will want to change it to "Yes". d) The NAT_BEFORE_RULES option is removed and Shorewall will behave as if NAT_BEFORE_RULES=No had been specified. This will only affect people using one-to-one NAT. If you use one-to-one NAT and you also have DNAT rules, it would be a good idea to switch to NAT_BEFORE_RULES=No now if you haven''t already done so to be sure that none of your DNAT rules have been hiding behind entries in your /etc/shorewall/nat file. WARNING: If you followed the advice in the first version of this note, and added an INCLUDE to /etc/shorewall/actions, please remove it. I have changed my approach to handling standard actions so that the INCLUDE is no longer necessary. If you take these steps ahead of time, you should be able to upgrade easily from Shorewall 1.4.x to Shorewall 2.0.0. You will only have to make changes after the upgrade if: a) You have created an /etc/shorewall/common file for reasons other than dropping SMB traffic rather than rejecting it; or b) You have defined User Sets in /etc/shorewall/usersets. You will need to convert to using User-defined actions that control connections based on the effective user-id and/or group-id of the firewall-resident application making the connection. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net _______________________________________________ Shorewall-announce mailing list Shorewall-announce@lists.shorewall.net https://lists.shorewall.net/mailman/listinfo/shorewall-announce