We are about to make the first 3.0.0 Release Candidate available so it
is time for those of you who are running 2.0 or 2.2 to make plans to
upgrade.
For those of you running 2.2, the upgrade to 2.4 is quite painless:
-----------------------------------------------------------------------
Upgrade Issues when moving to 2.4.0
1) Shorewall now enforces the restriction that mark values used in
/etc/shorewall/tcrules are less than 256. If you are using mark
values >= 256, you must change your configuration before you
upgrade.
2) The value "ipp2p" is no longer accepted in the PROTO column of the
rules file. This support has never worked as intended and filtering
P2P applications this way is a bad idea to begin with (you should be
using a proxy).
-----------------------------------------------------------------------
If you are running 2.0, there are additional considerations:
-----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0 to Shorewall 2.2:
1) Shorewall configuration files except shorewall.conf are now empty
(they contain only comments). If you wish to retain the defaults
in any of the following files, you should copy these files before
upgrading them then restore them after the upgrade:
/etc/shorewall/zones
/etc/shorewall/policy
/etc/shorewall/tos
2) The following builtin actions have been removed and have been
replaced by the new action logging implementation described in the
new features below.
logNotSyn
rLogNotSyn
dLogNotSyn
3) If shorewall.conf is upgraded to the latest version, it needs to be
modified to set STARTUP_ENABLED=Yes
4) The Leaf/Bering version of Shorewall was previously named:
shorwall-<version>.lrp
Beginning with 2.2, that file will now be named:
shorewall-lrp-<version>.tgz
Simply rename that file to ''shorwall.lrp'' when installing
it on your
LEAF/Bering system.
5) The ORIGINAL DEST column of the /etc/shorewall/rules file may no
longer contain a second (SNAT) address. You must use an entry in
/etc/shorewall/masq instead.
Example from Shorewall FAQ #1:
Prior to Shorewall 2.2:
/etc/shorewall/interfaces
loc eth1 detect routeback,...
/etc/shorewall/rules
DNAT loc loc:192.168.1.12 tcp 80 \
- 130.252.100.69:192.168.1.254
Shorewall 2.2 and Later:
/etc/shorewall/interfaces
loc eth1 detect routeback,...
/etc/shorewall/masq:
eth1 eth1 192.168.1.254 tcp 80
/etc/shorewall/rules:
DNAT loc loc:192.168.1.12 tcp 80 \
- 130.252.100.69
6) The ''logunclean'' and ''dropunclean''
options that were deprecated in
Shorewall 2.0 have now been removed completely.
7) A new IPTABLES variable has been added to shorewall.conf. This
variable names the iptables executable that Shorewall will use. The
variable is set to "/sbin/iptables". If you use the new
shorewall.conf, you may need to change this setting to maintain
compabibility with your current setup (if you use your existing
shorewall.conf that does not set IPTABLES then you should
experience no change in behavior).
8) The default port for OpenVPN tunnels has been changed from 5000 to
1194 to reflect the recent IANA allocation of that port for
OpenVPN.
-----------------------------------------------------------------------
I have attached the 3.0.0 Release notes which detail the new features in
3.0.0 and the considerations for upgrading from 2.2/2.4.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key