[Shorewall-newbies] [Shorewall-announce] Preparing for Shorewall
2.0 -- Take 2
teastep at shorewall.net
Sat Feb 14 17:47:59 PST 2004
Shorewall 2.0.0 is now in Beta so this is a good time to begin thinking about
preparing to migrate to the 2.0 Shorewall series.
Shorewall 2.0 makes a number of incompatible changes in the configuration
files. Luckily, you will be able to make changes ahead of time to your 1.4
configuration that will ease the migration when the time comes.
a) Shorewall 2.0 doesn't allow you to specify rate limiting in the ACTION
column (e.g., ACCEPT<10/sec:40>) so you will need to move all rate limiting
specifications over to the RATE LIMIT column.
b) The "dropunclean" and "logunclean" interface options are no longer
supported on 2.0 so you should remove them from the OPTIONS column in
c) The Default value for the ALL INTERFACES column in /etc/shorewall/nat
switches from "Yes" to "No". So if that column is empty in any of your
entries, you will want to change it to "Yes".
d) The NAT_BEFORE_RULES option is removed and Shorewall will behave as if
NAT_BEFORE_RULES=No had been specified. This will only affect people using
one-to-one NAT. If you use one-to-one NAT and you also have DNAT rules, it
would be a good idea to switch to NAT_BEFORE_RULES=No now if you haven't
already done so to be sure that none of your DNAT rules have been hiding
behind entries in your /etc/shorewall/nat file.
WARNING: If you followed the advice in the first version of this note, and
added an INCLUDE to /etc/shorewall/actions, please remove it. I have changed
my approach to handling standard actions so that the INCLUDE is no longer
If you take these steps ahead of time, you should be able to upgrade easily
from Shorewall 1.4.x to Shorewall 2.0.0. You will only have to make changes
after the upgrade if:
a) You have created an /etc/shorewall/common file for reasons other than
dropping SMB traffic rather than rejecting it; or
b) You have defined User Sets in /etc/shorewall/usersets. You will need to
convert to using User-defined actions that control connections based on the
effective user-id and/or group-id of the firewall-resident application making
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
Shorewall-announce mailing list
Shorewall-announce at lists.shorewall.net
More information about the Shorewall-newbies