Tom Eastep
2004-Dec-26 16:41 UTC
Preparing for Shorewall 2.2 -- End of Support for Shorewall 1.4 is near!
Shorewall 2.2.0 is expected to be released in the February/March
timeframe so it is now time to begin thinking about preparing to
upgrade. This is particularly important for those of you still running
Shorewall 1.4 since support for that version will end with the release
of 2.2.
For those of you still running Shorewall 1.4, here are some things that
you can do ahead of time to ease the upgrade to 2.2.
---------------------------------------------------------------------------
a) Shorewall 2.0 and 2.2 don't allow you to specify rate limiting in
the ACTION column (e.g., ACCEPT<10/sec:40>) so you will need to
move all rate limiting specifications over to the RATE LIMIT column.
b) The "dropunclean" and "logunclean" interface options are no
longer supported on 2.0 and 2.2 so you should remove them from the
OPTIONS column in /etc/shorewall/interfaces.
c) The default value for the ALL INTERFACES column
in /etc/shorewall/nat switches from "Yes" to "No". So if that column
is empty in any of your entries, you will want to change it to
"Yes".
d) The NAT_BEFORE_RULES option is removed and Shorewall will behave as
if NAT_BEFORE_RULES=No had been specified. This will only affect
people using one-to-one NAT. If you use one-to-one NAT and you also
have DNAT rules, it would be a good idea to switch to
NAT_BEFORE_RULES=No now if you haven't already done so to be sure
that none of your DNAT rules have been hiding behind entries in
your /etc/shorewall/nat file.
If you take these steps ahead of time, you should be able to upgrade
easily from Shorewall 1.4.x to Shorewall 2.2.0. You will only have to
make changes after the upgrade if:
a) You have created an /etc/shorewall/common file for reasons other than
dropping SMB traffic rather than rejecting it. In that case, you will
need to rename your /etc/shorewall/common file
to /etc/shorewall/initdone and remove all references to the
'common' chain.
b) You have defined User Sets in /etc/shorewall/usersets. You will need
to convert to using User-defined actions that control connections
based on the effective user-id and/or group-id of the
firewall-resident application making the connection.
IF YOU ARE RUNNING SHOREWALL 1.4, PLEASE READ THE NEXT SECTION!
---------------------------------------------------------------------------
For those of you running Shorewall 1.4 or Shorewall 2.0:
1) Shorewall configuration files except shorewall.conf are now empty
(they contain only comments). In particular:
/etc/shorewall/zones
/etc/shorewall/policy
/etc/shorewall/tos
If you are using the RPM, it would be a good idea to modify those
files (just add a comment) so that you won't end up with empty files
after the upgrade.
2) If you have not changed /etc/shorewall/shorewall.conf since it was
originally installed and you are using the RPM, you will need to
modify that file prior to upgrade (again, just add a comment).
Otherwise, the new shorewall.conf file will be installed which will
disable "shorewall [re]start" and may change your firewall behavior
after you have re-enabled [re]start.
3) The ORIGINAL DEST column of the /etc/shorewall/rules file may no
longer contain a second (SNAT) address. You must use an entry in
/etc/shorewall/masq instead.
Example from Shorewall FAQ #1:
Prior to Shorewall 2.1:
/etc/shorewall/interfaces
loc eth1 detect routeback,...
/etc/shorewall/rules
DNAT loc loc:192.168.1.12 tcp 80 \
- 130.252.100.69:192.168.1.254
Shorewall 2.1 and Later:
/etc/shorewall/interfaces
loc eth1 detect routeback,...
/etc/shorewall/masq:
eth1 eth1 192.168.1.254 tcp 80
/etc/shorewall/rules:
DNAT loc loc:192.168.1.12 tcp 80 \
- 130.252.100.69
Note that Shorewall 2.0 users can make this change before
upgrading to 2.2 while 1.4 users must wait until after the upgrade.
4) A new IPTABLES variable has been added to shorewall.conf. This
variable names the iptables executable that Shorewall will use. The
variable is set to "/sbin/iptables". If you use the new
shorewall.conf, you may need to change this setting to maintain
compatibility with your current setup (if you use your existing
shorewall.conf that does not set IPTABLES then you should
experience no change in behavior).
5) The default port for OpenVPN tunnels has been changed from 5000 to
1194 to reflect the recent IANA allocation of that port for
OpenVPN. If you do not currently specify the port number
in /etc/shorewall/tunnels 'openvpn' entries, you should do so in
order to maintain compatibility after the upgrade.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
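As an added example (not part of Tom's post and not Shorewall's own tooling), a small POSIX shell audit that scans copies of the 1.4 configuration files for the forms that items (a) through (d) and item 3) above say will stop working after the upgrade. Column positions are assumed from the classic whitespace-separated layouts of rules, interfaces and nat, and the sample files it writes are constructed.

```shell
# Pre-upgrade audit for a Shorewall 1.4 config (added example, not from the post).
# Each check prints how many non-comment lines of the given file still use a
# 1.4-only form. Column positions assume the classic whitespace-separated layouts.

# a) rate limit written inside the ACTION column, e.g. ACCEPT<10/sec:40>
check_rate_in_action() {
  awk '!/^[ \t]*(#|$)/ && $1 ~ /<[^>]*>/ { n++ } END { print n+0 }' "$1"
}
# b) dropunclean / logunclean in the OPTIONS column (4th) of interfaces
check_unclean_options() {
  awk '!/^[ \t]*(#|$)/ && $4 ~ /(drop|log)unclean/ { n++ } END { print n+0 }' "$1"
}
# c) nat entries with an empty ALL INTERFACES column (4th); its default flips to No
check_nat_all_interfaces() {
  awk '!/^[ \t]*(#|$)/ && NF < 4 { n++ } END { print n+0 }' "$1"
}
# d) NAT_BEFORE_RULES set to anything other than No in shorewall.conf
check_nat_before_rules() {
  awk -F= '!/^[ \t]*(#|$)/ && $1 == "NAT_BEFORE_RULES" && $2 != "No" { n++ } END { print n+0 }' "$1"
}
# item 3) second (SNAT) address in the ORIGINAL DEST column (7th) of rules
check_snat_in_orig_dest() {
  awk '!/^[ \t]*(#|$)/ && $7 ~ /[0-9]:[0-9]/ { n++ } END { print n+0 }' "$1"
}

# Constructed sample 1.4 files in a temp dir (one offending line in each); prints the dir.
make_samples() {
  d=$(mktemp -d)
  printf '%s\n' '#ACTION SOURCE DEST PROTO DPORT SPORT ORIG_DEST' \
    'ACCEPT<10/sec:40> net fw tcp 22' \
    'DNAT loc loc:192.168.1.12 tcp 80 - 130.252.100.69:192.168.1.254' \
    'ACCEPT loc fw tcp 53' > "$d/rules"
  printf '%s\n' 'net eth0 detect dropunclean,routeback' 'loc eth1 detect routeback' > "$d/interfaces"
  printf '%s\n' '130.252.100.18 eth0 192.168.1.3' '130.252.100.19 eth0 192.168.1.4 Yes No' > "$d/nat"
  printf '%s\n' '# shorewall.conf (constructed)' 'NAT_BEFORE_RULES=Yes' > "$d/shorewall.conf"
  echo "$d"
}

run_audit() {
  echo "rate limit in ACTION column:   $(check_rate_in_action "$1/rules")"
  echo "dropunclean/logunclean:        $(check_unclean_options "$1/interfaces")"
  echo "nat ALL INTERFACES empty:      $(check_nat_all_interfaces "$1/nat")"
  echo "NAT_BEFORE_RULES not No:       $(check_nat_before_rules "$1/shorewall.conf")"
  echo "SNAT address in ORIGINAL DEST: $(check_snat_in_orig_dest "$1/rules")"
}

samples=$(make_samples)
run_audit "$samples"
rm -rf "$samples"
```

Point the check functions at your real /etc/shorewall files to get the same counts for your own installation; a nonzero count marks a file to edit before the upgrade.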
Graham Dodd
2004-Dec-29 11:37 UTC
RE: Preparing for Shorewall 2.2 -- End of Support for Shorewall 1.4 is near!
> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> [mailto:shorewall-users-bounces@lists.shorewall.net] On
> Behalf Of Tom Eastep
> Sent: Sunday, December 26, 2004 5:41 PM
> To: Shorewall Announcements; Shorewall Users
> Subject: [Shorewall-users] Preparing for Shorewall 2.2 -- End
> of Support for Shorewall 1.4 is near!
>
> Shorewall 2.2.0 is expected to be released in the
> February/March timeframe so it is now time to begin thinking
> about preparing to upgrade. This is particularly important
> for those of you still running Shorewall 1.4 since support
> for that version will end with the release of 2.2.

Tom,

Why don't you take a few months off, you work way too hard on Shorewall; we really don't need 2.2 ;-)

Ok, I admit I'm running 1.4, so I guess it's time to start planning.

Thank you for all your hard work. Looking forward to your enlightening and "very" direct replies to our sometimes stupid questions.

Wishing you and your family all the best for 2005

Graham
--
Graham K. Dodd
Director of Operations
Falk & Ross GmbH
Tel: 06301 717 0