[Shorewall-newbies] Preparing for Shorewall 2.0

Tom Eastep teastep at shorewall.net
Tue Feb 10 15:57:59 PST 2004


Shorewall 2.0.0 is now in Beta so this is a good time to begin thinking about 
preparing to migrate to the 2.0 Shorewall series.

Shorewall 2.0 makes a number of incompatible changes in the configuration 
files. Luckily, you will be able to make changes ahead of time to your 1.4 
configuration that will ease the migration when the time comes.

a) Shorewall 2.0 doesn't allow you to specify rate limiting in the ACTION 
column (e.g., ACCEPT<10/sec:40>) so you will need to move all rate limiting 
specifications over to the RATE LIMIT column.

b) The "dropunclean" and "logunclean" interface options are no longer 
supported on 2.0 so you should remove them from the OPTIONS column in 
/etc/shorewall/interfaces.

c) The Default value for the ALL INTERFACES column in /etc/shorewall/nat 
switches from "Yes" to "No". So if that column is empty in any of your 
entries, you will want to change it to "Yes".

d) The NAT_BEFORE_RULES option is removed and Shorewall will behave as if 
NAT_BEFORE_RULES=No had been specified. This will only affect people using 
one-to-one NAT. If you use one-to-one NAT and you also have DNAT rules, it 
would be a good idea to switch to NAT_BEFORE_RULES=No now if you haven't 
already done so to be sure that none of your DNAT rules have been hiding 
behind entries in your /etc/shorewall/nat file. 

e) If you are running Shorewall 1.4.9 or later, create the dummy file 
/etc/shorewall/actions.std ("touch /etc/shorewall/actions.std") and add 
"INCLUDE actions.std" as the first entry in your /etc/shorewall/actions file.

If you take these steps ahead of time, you should be able to upgrade easily 
from Shorewall 1.4.x to Shorewall 2.0.0. You will only have to make changes 
after the upgrade if:

a) You have created an /etc/shorewall/common file for reasons other than 
dropping SMB traffic rather than rejecting it; or
b) You have defined User Sets in /etc/shorewall/usersets. You will need to 
convert to using User-defined actions that control connections based on the 
effective user-id and/or group-id of the firewall-resident application making 
the connection.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net




More information about the Shorewall-newbies mailing list