We are about to make the first 3.0.0 Release Candidate available, so it is time for those of you who are running 2.0 or 2.2 to make plans to upgrade. For those of you running 2.2, the upgrade to 2.4 is quite painless:

-----------------------------------------------------------------------
Upgrade Issues when moving to 2.4.0

1) Shorewall now enforces the restriction that mark values used in
   /etc/shorewall/tcrules are less than 256. If you are using mark
   values >= 256, you must change your configuration before you upgrade.

2) The value "ipp2p" is no longer accepted in the PROTO column of the
   rules file. This support has never worked as intended and filtering
   P2P applications this way is a bad idea to begin with (you should be
   using a proxy).
-----------------------------------------------------------------------

If you are running 2.0, there are additional considerations:

-----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0 to Shorewall 2.2:

1) Shorewall configuration files except shorewall.conf are now empty
   (they contain only comments). If you wish to retain the defaults in
   any of the following files, you should copy these files before
   upgrading, then restore them after the upgrade:

      /etc/shorewall/zones
      /etc/shorewall/policy
      /etc/shorewall/tos

2) The following builtin actions have been removed and have been
   replaced by the new action logging implementation described in the
   new features below.

      logNotSyn
      rLogNotSyn
      dLogNotSyn

3) If shorewall.conf is upgraded to the latest version, it needs to be
   modified to set STARTUP_ENABLED=Yes

4) The Leaf/Bering version of Shorewall was previously named:

      shorwall-<version>.lrp

   Beginning with 2.2, that file will now be named:

      shorewall-lrp-<version>.tgz

   Simply rename that file to ''shorwall.lrp'' when installing it on
   your LEAF/Bering system.

5) The ORIGINAL DEST column of the /etc/shorewall/rules file may no
   longer contain a second (SNAT) address. You must use an entry in
   /etc/shorewall/masq instead. Example from Shorewall FAQ #1:

   Prior to Shorewall 2.2:

      /etc/shorewall/interfaces
         loc    eth1    detect    routeback,...

      /etc/shorewall/rules
         DNAT   loc     loc:192.168.1.12   tcp   80 \
                -       130.252.100.69:192.168.1.254

   Shorewall 2.2 and Later:

      /etc/shorewall/interfaces
         loc    eth1    detect    routeback,...

      /etc/shorewall/masq:
         eth1   eth1    192.168.1.254   tcp   80

      /etc/shorewall/rules:
         DNAT   loc     loc:192.168.1.12   tcp   80 \
                -       130.252.100.69

6) The ''logunclean'' and ''dropunclean'' options that were deprecated
   in Shorewall 2.0 have now been removed completely.

7) A new IPTABLES variable has been added to shorewall.conf. This
   variable names the iptables executable that Shorewall will use. The
   variable is set to "/sbin/iptables". If you use the new
   shorewall.conf, you may need to change this setting to maintain
   compatibility with your current setup (if you use your existing
   shorewall.conf that does not set IPTABLES then you should experience
   no change in behavior).

8) The default port for OpenVPN tunnels has been changed from 5000 to
   1194 to reflect the recent IANA allocation of that port for OpenVPN.
-----------------------------------------------------------------------

I have attached the 3.0.0 Release notes which detail the new features in 3.0.0 and the considerations for upgrading from 2.2/2.4.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
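As an added pre-upgrade check (my own script, not part of Shorewall or of this announcement), the following Python scans text in the layout of /etc/shorewall/tcrules and /etc/shorewall/rules for the three incompatibilities above that can be found mechanically: the 2.4.0 limit of marks below 256, the dropped "ipp2p" PROTO value, and the 2.2 removal of a second SNAT address in ORIGINAL DEST. The sample entries are constructed; the DNAT entry is the pre-2.2 one from the FAQ #1 example.

```python
from typing import Iterator, List


def shorewall_entries(text: str) -> Iterator[List[str]]:
    """Yield each entry as a list of columns. Shorewall files are
    whitespace-separated, '#' starts a comment and a trailing backslash
    continues the entry on the next line (as in the DNAT example)."""
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.strip():
            yield line.split()


def tcrules_mark_problems(text: str) -> List[str]:
    """2.4.0 issue 1: every mark in tcrules must be < 256. The MARK column
    may carry a :P or :F suffix and may be written in hex (0x...)."""
    problems = []
    for cols in shorewall_entries(text):
        try:
            value = int(cols[0].split(":", 1)[0], 0)  # base 0 accepts hex
        except ValueError:
            continue  # not a numeric mark; nothing to check
        if value >= 256:
            problems.append(f"tcrules: mark {cols[0]} is >= 256")
    return problems


def rules_problems(text: str) -> List[str]:
    """2.4.0 issue 2 (ipp2p in PROTO) and 2.2 issue 5 (SNAT address in
    ORIGINAL DEST, which now belongs in /etc/shorewall/masq).
    Columns: ACTION SOURCE DEST PROTO DPORT SPORT ORIGINAL_DEST."""
    problems = []
    for cols in shorewall_entries(text):
        entry = " ".join(cols)
        if len(cols) > 3 and cols[3].lower().startswith("ipp2p"):
            problems.append(f"rules: PROTO ipp2p no longer accepted: {entry}")
        if len(cols) > 6 and ":" in cols[6]:
            problems.append(f"rules: SNAT address in ORIGINAL DEST, move to masq: {entry}")
    return problems


# Constructed samples, not taken from a real system.
TCRULES_SAMPLE = "#MARK SOURCE DEST PROTO\n1:P 192.168.1.0/24 0.0.0.0/0 all\n0x100 0.0.0.0/0 0.0.0.0/0 tcp 80\n"
RULES_SAMPLE = ("DNAT loc loc:192.168.1.12 tcp 80 \\\n - 130.252.100.69:192.168.1.254\n"
                "DROP loc net ipp2p\nACCEPT loc net tcp 22\n")

if __name__ == "__main__":
    for problem in tcrules_mark_problems(TCRULES_SAMPLE) + rules_problems(RULES_SAMPLE):
        print(problem)
```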