<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Upgrade Issues</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse;" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
  <tbody>
    <tr>
      <td width="100%">
        <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
      </td>
    </tr>
  </tbody>
</table>
<p>For upgrade instructions see the <a href="Install.htm">Install/Upgrade page</a>.</p>
<h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover, or if you have asymmetric routing, you will need to modify your firewall setup slightly under Shorewall versions &gt;= 1.3.8. Beginning with version 1.3.7, you must set NEWNOTSYN=Yes in your /etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall/shorewall.conf will need to include the following rules in their /etc/shorewall/icmpdef file (creating this file if necessary):</p>
<pre>run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" command from that file, since the icmp.def file is now empty.</p>
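<p>As an added check (example code, not part of the Shorewall documentation or package), the following POSIX shell script audits an icmpdef file for the five ICMP types listed above and flags the now-redundant icmp.def include. Leaving any of these types out when ALLOWRELATED=No silently breaks path-MTU discovery and error reporting, so a quick audit after the upgrade is worthwhile. The function names (missing_icmp_types, has_obsolete_include, audit_icmpdef) and the sample file are assumptions of this example; the sample content is constructed and deliberately lacks two of the types.</p>

```shell
#!/bin/sh
# Added example: audit /etc/shorewall/icmpdef for the ICMP types the upgrade
# notes require when ALLOWRELATED=No. Not part of Shorewall; function names
# and the sample file below are assumptions of this example.

# The five types the 1.3.7 upgrade notes list for icmpdef.
REQUIRED_ICMP_TYPES="echo-reply source-quench destination-unreachable time-exceeded parameter-problem"

# missing_icmp_types FILE
# Print, one per line, each required type that FILE does not ACCEPT.
missing_icmp_types() {
    file=$1
    for t in $REQUIRED_ICMP_TYPES; do
        grep -Eq -- "--icmp-type[[:space:]]+$t[[:space:]]+-j[[:space:]]+ACCEPT" "$file" 2>/dev/null \
            || printf '%s\n' "$t"
    done
}

# has_obsolete_include FILE
# Succeed when FILE still sources /etc/shorewall/icmp.def (empty since 1.3.7).
has_obsolete_include() {
    grep -Eq '^[[:space:]]*\.[[:space:]]+/etc/shorewall/icmp\.def' "$1" 2>/dev/null
}

# audit_icmpdef FILE
# Print a report and return 1 when a required type is missing.
audit_icmpdef() {
    file=$1 status=0
    missing=$(missing_icmp_types "$file")
    if [ -n "$missing" ]; then
        echo "$file: no ACCEPT rule for ICMP type(s):"
        printf '%s\n' "$missing" | sed 's/^/  /'
        status=1
    fi
    if has_obsolete_include "$file"; then
        echo "$file: still sources /etc/shorewall/icmp.def; that line can be removed"
    fi
    return $status
}

# Constructed sample icmpdef: keeps the old include and lacks two of the types.
SAMPLE_ICMPDEF=$(mktemp)
cat > "$SAMPLE_ICMPDEF" <<'EOF'
. /etc/shorewall/icmp.def
run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
EOF

audit_icmpdef "$SAMPLE_ICMPDEF" || true
```

<p>On a real firewall, call <code>audit_icmpdef /etc/shorewall/icmpdef</code> instead of the constructed sample; a non-zero exit status means at least one of the five rules is missing.</p>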
<h3><b><a name="Bering">Upgrading </a>Bering to Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
<ol>
  <li>Be sure you have a backup -- you will need to transcribe any Shorewall configuration changes that you have made to the new configuration.</li>
  <li>Replace the shorewall.lrp package provided on the Bering floppy with the later one. If you did not obtain the later version from Jacques's site, see the additional instructions below.</li>
  <li>Edit the /var/lib/lrpkg/root.exclude.list file and remove the /var/lib/shorewall entry if present. Then do not forget to back up root.lrp!</li>
</ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like Jacques's. You need to follow the <a href="two-interface.htm">instructions for setting up a two-interface firewall</a>, plus you also need to add the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote>
<pre># Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80</pre>
</blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for failover, or if you have asymmetric routing, you will need to modify your firewall setup slightly under Shorewall versions 1.3.6 and 1.3.7.</p>
<ol>
  <li>
    <p align="left">Create the file /etc/shorewall/newnotsyn and in it add the following rule:</p>
<pre>run_iptables -A newnotsyn -j RETURN # So that the connection tracking table can be rebuilt
                                    # from non-SYN packets after takeover.</pre>
  </li>
  <li>
    <p align="left">Create /etc/shorewall/common (if you don't already have that file) and include the following:</p>
<pre>run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection
                                                                    #tracking table.
. /etc/shorewall/common.def</pre>
  </li>
</ol>
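<p>The two steps above, together with the NEWNOTSYN=Yes setting described under "Version &gt;= 1.3.8", are the kind of edit that tends to be applied by hand on each member of a failover pair and then drift. As an added example (not a Shorewall script), the following POSIX shell helpers apply either variant idempotently, so running them twice never duplicates a line or a setting. SHOREWALL_DIR, the function names and the scratch-directory usage are assumptions of this example; the rule text comes from the notes above, with the comments shortened.</p>

```shell
#!/bin/sh
# Added example, not part of Shorewall: idempotent helpers that apply the
# failover-related changes from the upgrade notes. SHOREWALL_DIR, the
# function names and the scratch-directory usage are assumptions of this
# example; the rule text is taken from the notes themselves.

: "${SHOREWALL_DIR:=/etc/shorewall}"

# set_conf_var FILE NAME VALUE
# Rewrite an existing NAME=... line (even if commented out) or append one,
# so repeated runs never produce duplicate settings.
set_conf_var() {
    file=$1 name=$2 value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^[# ]*$name=" "$file"; then
        sed "s|^[# ]*$name=.*|$name=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$name" "$value" >> "$file"
    fi
}

# get_conf_var FILE NAME
# Print the effective (last) value of NAME in FILE; used to verify an edit.
get_conf_var() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# ensure_line FILE LINE
# Append LINE unless an identical line is already present (fixed-string match).
ensure_line() {
    file=$1 line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Shorewall >= 1.3.8 (the notes say the setting applies from 1.3.7):
# NEWNOTSYN=Yes in shorewall.conf replaces the hand-written extension files.
configure_failover_138() {
    set_conf_var "$SHOREWALL_DIR/shorewall.conf" NEWNOTSYN Yes
}

# Shorewall 1.3.6 and 1.3.7: the newnotsyn and common extension files.
configure_failover_136() {
    ensure_line "$SHOREWALL_DIR/newnotsyn" \
        'run_iptables -A newnotsyn -j RETURN # rebuild conntrack from non-SYN packets after takeover'
    ensure_line "$SHOREWALL_DIR/common" \
        'run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT # accept ACKs to rebuild conntrack'
    ensure_line "$SHOREWALL_DIR/common" '. /etc/shorewall/common.def'
}

# Usage: SHOREWALL_DIR=/path/to/scratch/copy sh failover.sh 136|138
case ${1:-} in
    136) configure_failover_136 ;;
    138) configure_failover_138 ;;
esac
```

<p>Point SHOREWALL_DIR at a copy of the configuration first and diff the result against the live directory before restarting the firewall; the helpers only append or rewrite the specific lines shown and leave everything else untouched.</p>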
<h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no longer supported.</p>
<p align="left">Example 1:</p>
<div align="left">
<pre>ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div>
<p align="left">Must be replaced with:</p>
<div align="left">
<pre>DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div>
<p align="left">Example 2:</p>
<div align="left">
<pre>ACCEPT loc fw::3128 tcp 80 - all</pre>
</div>
<p align="left">Must be replaced with:</p>
<div align="left">
<pre>REDIRECT loc 3128 tcp 80</pre>
</div>
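<p>Both examples are instances of one rewrite: an ACCEPT rule whose ORIGINAL DEST column is "all" was the old port-forwarding form, and it becomes DNAT when the DEST column names a host, or REDIRECT when it is "fw::PORT" (port only, no address). As an added example, not a tool from the Shorewall project, the following POSIX shell/awk script applies that rewrite to a whole rules file. It generalizes the two cases above slightly by keeping an explicit SOURCE PORT column when one is present; the column order (ACTION SOURCE DEST PROTO DEST PORT SOURCE PORT ORIGINAL DEST), the function names and the sample file are assumptions of this example.</p>

```shell
#!/bin/sh
# Added example, not from the Shorewall project: rewrite the two obsolete
# pre-1.3.0 rules-file forms shown above into their 1.3.5 equivalents.
# Column order assumed (as in the examples): ACTION SOURCE DEST PROTO
# DEST_PORT SOURCE_PORT ORIGINAL_DEST. Function names are assumptions.

# convert_rule 'RULE LINE'
# Print the converted line. Only an ACCEPT rule whose seventh column is
# "all" (the old port-forwarding marker) is rewritten; comments, blank
# lines and every other rule are passed through unchanged.
convert_rule() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF == 0 { print; next }
        !($1 == "ACCEPT" && NF >= 7 && $7 == "all") { print; next }
        {
            src = $2; dst = $3; tail = $4 " " $5
            if ($6 != "-") tail = tail " " $6   # keep an explicit source port
            if (dst ~ /^fw::[^:]+$/) {
                # fw::PORT (no address, port only) redirects to the firewall:
                # REDIRECT takes just the port in the DEST column
                sub(/^fw::/, "", dst)
                print "REDIRECT " src " " dst " " tail
            } else {
                # anything else is a forward to a real host: DNAT
                print "DNAT " src " " dst " " tail
            }
        }'
}

# convert_rules_file FILE
# Convert every line of FILE to stdout; redirect to a new file and diff it
# against the original before putting it in place.
convert_rules_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        convert_rule "$line"
    done < "$1"
}

# Constructed sample rules file containing both old forms plus a rule
# that must not change.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# constructed sample
ACCEPT net loc:192.168.1.12:22 tcp 11111 - all
ACCEPT loc fw::3128 tcp 80 - all
ACCEPT loc fw udp 53
EOF
convert_rules_file "$SAMPLE_RULES"
```

<p>Run it as <code>convert_rules_file /etc/shorewall/rules &gt; rules.new</code> and review the diff: the script rewrites only lines that match the obsolete form, so anything it changes is a rule the newer release would otherwise reject.</p>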
<h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files, together with the 'firewall' symbolic link, have moved from /etc/shorewall to /var/lib/shorewall. If you have applications that access these files, those applications should be modified accordingly.</p>
<p><font size="2">Last updated 9/28/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <font size="2">&copy; 2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>