[Shorewall-newbies] [Shorewall-announce] Preparing for Shorewall 2.0 -- Take 2

Tom Eastep teastep at shorewall.net
Sat Feb 14 17:47:59 PST 2004

Shorewall 2.0.0 is now in Beta so this is a good time to begin thinking about 
preparing to migrate to the 2.0 Shorewall series.

Shorewall 2.0 makes a number of incompatible changes in the configuration 
files. Luckily, you will be able to make changes ahead of time to your 1.4 
configuration that will ease the migration when the time comes.

a) Shorewall 2.0 doesn't allow you to specify rate limiting in the ACTION 
column (e.g., ACCEPT<10/sec:40>) so you will need to move all rate limiting 
specifications over to the RATE LIMIT column.

b) The "dropunclean" and "logunclean" interface options are no longer 
supported on 2.0 so you should remove them from the OPTIONS column in 

c) The default value for the ALL INTERFACES column in /etc/shorewall/nat 
switches from "Yes" to "No". So if that column is empty in any of your 
entries, you will want to change it to "Yes".

d) The NAT_BEFORE_RULES option is removed and Shorewall will behave as if 
NAT_BEFORE_RULES=No had been specified. This will only affect people using 
one-to-one NAT. If you use one-to-one NAT and you also have DNAT rules, it 
would be a good idea to switch to NAT_BEFORE_RULES=No now if you haven't 
already done so to be sure that none of your DNAT rules have been hiding 
behind entries in your /etc/shorewall/nat file. 
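To check a 1.4 configuration for points a) through c) before upgrading, here is a small lint/migration script. It is an added example, not part of this note or of the Shorewall package; the sample rules, interfaces and nat files in it are constructed, and the column positions it relies on (RATE LIMIT as the 8th column of rules, OPTIONS as the 4th column of interfaces, ALL INTERFACES as the 4th column of nat) are taken from the 1.4 file headers and are assumptions, so check them against your own files.

```python
"""Lint a Shorewall 1.4 configuration for three of the 2.0 incompatibilities:
rate limits inside the ACTION column, the removed dropunclean/logunclean
interface options, and an empty ALL INTERFACES column in nat.
Added example; column layouts are assumed from the 1.4 file headers."""
import re

# Constructed sample files in 1.4 style (not taken from the announcement).
RULES_1_4 = """\
#ACTION            SOURCE  DEST              PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST  RATE LIMIT  USER/GROUP
ACCEPT<10/sec:40>  net     fw                tcp    22
ACCEPT             loc     net               tcp    80
DNAT               net     loc:192.168.1.10  tcp    25            -               -              5/min:10
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""
INTERFACES_1_4 = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,dropunclean,routefilter
loc     eth1        detect      logunclean
"""
NAT_1_4 = """\
#EXTERNAL   INTERFACE   INTERNAL        ALL INTERFACES   LOCAL
10.0.0.5    eth0        192.168.1.5
10.0.0.6    eth0        192.168.1.6     No
"""

RATE_IN_ACTION = re.compile(r"^([A-Za-z_]+)<([^>]+)>$")   # e.g. ACCEPT<10/sec:40>
RATE_LIMIT_COL = 7        # 0-based index of RATE LIMIT in rules (assumed layout)
OPTIONS_COL = 3           # 0-based index of OPTIONS in interfaces (assumed layout)
ALL_INTERFACES_COL = 3    # 0-based index of ALL INTERFACES in nat (assumed layout)
REMOVED_OPTIONS = {"dropunclean", "logunclean"}


def _entries(text):
    """Yield (lineno, fields) for every non-blank, non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if stripped and not stripped.startswith("#"):
            yield lineno, stripped.split()


def _rewrite(text, transform):
    """Rebuild the file, replacing each entry with transform(lineno, fields)
    when it returns a field list; comments, blanks and None results are kept."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            out.append(raw)
            continue
        new = transform(lineno, stripped.split())
        out.append(raw if new is None else "  ".join(new))
    return "\n".join(out) + "\n"


def migrate_rules(text):
    """Move ACTION<rate> limits into the RATE LIMIT column. Returns (new_text, findings)."""
    findings = []

    def fix(lineno, fields):
        m = RATE_IN_ACTION.match(fields[0])
        if not m:
            return None
        action, rate = m.groups()
        while len(fields) <= RATE_LIMIT_COL:   # pad missing columns with "-"
            fields.append("-")
        if fields[RATE_LIMIT_COL] != "-":
            findings.append((lineno, "rate limit in both ACTION and RATE LIMIT column; fix by hand"))
            return None
        fields[0], fields[RATE_LIMIT_COL] = action, rate
        findings.append((lineno, f"moved {rate} from ACTION to RATE LIMIT column"))
        return fields

    return _rewrite(text, fix), findings


def migrate_nat(text):
    """Make the 1.4 default (ALL INTERFACES=Yes) explicit, since 2.0 defaults to No."""
    findings = []

    def fix(lineno, fields):
        while len(fields) <= ALL_INTERFACES_COL:
            fields.append("-")
        if fields[ALL_INTERFACES_COL] != "-":
            return None
        fields[ALL_INTERFACES_COL] = "Yes"
        findings.append((lineno, "ALL INTERFACES was empty; set to Yes to keep 1.4 behaviour"))
        return fields

    return _rewrite(text, fix), findings


def check_interfaces(text):
    """Report interface entries that still carry the removed dropunclean/logunclean options."""
    findings = []
    for lineno, fields in _entries(text):
        if len(fields) > OPTIONS_COL:
            for opt in sorted(REMOVED_OPTIONS & set(fields[OPTIONS_COL].split(","))):
                findings.append((lineno, f"option '{opt}' is not supported in 2.0; remove it"))
    return findings


if __name__ == "__main__":
    for name, (_text, found) in {"rules": migrate_rules(RULES_1_4), "nat": migrate_nat(NAT_1_4)}.items():
        for lineno, msg in found:
            print(f"{name}:{lineno}: {msg}")
    for lineno, msg in check_interfaces(INTERFACES_1_4):
        print(f"interfaces:{lineno}: {msg}")
```

Run it against copies of your own /etc/shorewall files (read them into the three variables) and review the findings before writing anything back; entries where a rate limit already sits in the RATE LIMIT column are reported rather than rewritten, and the "-" placeholder is treated the same as an empty ALL INTERFACES column.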

WARNING: If you followed the advice in the first version of this note, and 
added an INCLUDE to /etc/shorewall/actions, please remove it. I have changed 
my approach to handling standard actions so that the INCLUDE is no longer 

If you take these steps ahead of time, you should be able to upgrade easily 
from Shorewall 1.4.x to Shorewall 2.0.0. You will only have to make changes 
after the upgrade if:

a) You have created an /etc/shorewall/common file for reasons other than 
dropping SMB traffic rather than rejecting it; or
b) You have defined User Sets in /etc/shorewall/usersets. You will need to 
convert to using User-defined actions that control connections based on the 
effective user-id and/or group-id of the firewall-resident application making 
the connection.

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
