Shorewall Lite 3.2.0 RC 4

Problems Corrected in 3.2.0 RC 4

1) RESTOREFILE has been added to shorewall.conf.

2) Many references to incorrect file names and commands have been
   corrected in shorewall.conf.

3) /sbin/shorewall-lite still supported the 'refresh' command
   whereas the firewall script generated by 'compile' did not.
   This led to the following:

	gateway:~ # shorewall-lite refresh
	Usage: /usr/share/shorewall-lite/firewall [ -q ] [ -v ] [ -n ] [ start|stop|clear|restart|status|version ]
	gateway:~ #

Other changes in 3.2.0 RC 4

1) The progress messages produced by Shorewall Lite now correctly
   identify the product as 'Shorewall Lite' rather than
   'Shorewall'. In order for this to work, you must have Shorewall RC4
   installed on your administrative system(s) and Shorewall Lite RC4
   on the firewall system(s).

2) /usr/share/shorewall-lite/firewall has been moved to
   /var/lib/shorewall-lite/firewall. When upgrading to this release of
   Shorewall Lite, please execute the following command:

	cp -a /usr/share/shorewall-lite/firewall /var/lib/shorewall-lite/

   Note: The 'firewall' script is in /var/lib/shorewall-lite in
   packages from shorewall.net. The package maintainers for the
   various distributions are free to choose the directory where the
   script will be stored under their distribution by altering the
   value of LITEDIR in /usr/share/shorewall/configpath. You can run
   the "shorewall show config" command to see how your distribution
   defines LITEDIR.

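The following upgrade helper is an added example, not part of these release notes or of the Shorewall project's code. It performs the copy described in item 2 but first reads LITEDIR from the configpath file, so that on a distribution whose packager changed LITEDIR the script lands where that distribution's Shorewall Lite expects it. It assumes configpath holds plain shell-style lines of the form LITEDIR=<dir> (optionally quoted); the file is parsed rather than sourced so that nothing in it is executed.

```shell
#!/bin/sh
# Added example (not Shorewall's own code). Assumes configpath contains a line
# LITEDIR=<dir>; defaults to the shorewall.net location when it does not.

# Print the LITEDIR value from a configpath file; last assignment wins.
lite_dir() {
    configpath=$1
    dir=$(sed -n 's/^LITEDIR=//p' "$configpath" 2>/dev/null | tail -n 1)
    # Strip optional surrounding double quotes.
    dir=${dir#\"}
    dir=${dir%\"}
    if [ -n "$dir" ]; then
        printf '%s\n' "$dir"
    else
        printf '%s\n' /var/lib/shorewall-lite
    fi
}

# migrate_firewall_script OLD_SCRIPT CONFIGPATH
# Copy the compiled firewall script from its pre-RC4 location into LITEDIR,
# preserving mode and timestamps (cp -a, as in the release note), unless a
# script is already present there. Returns 0 when LITEDIR holds the script.
migrate_firewall_script() {
    old_script=$1     # e.g. /usr/share/shorewall-lite/firewall
    configpath=$2     # e.g. /usr/share/shorewall/configpath
    dest_dir=$(lite_dir "$configpath")

    if [ -f "$dest_dir/firewall" ]; then
        echo "firewall script already present in $dest_dir; nothing to do"
        return 0
    fi
    if [ ! -f "$old_script" ]; then
        echo "no firewall script found at $old_script" >&2
        return 1
    fi
    mkdir -p "$dest_dir" || return 1
    cp -a "$old_script" "$dest_dir/" || return 1
    echo "copied $old_script to $dest_dir/"
}

# Usage on a firewall system being upgraded (as root):
#   sh migrate-lite.sh --migrate
case "${1:-}" in
    --migrate)
        migrate_firewall_script /usr/share/shorewall-lite/firewall \
                                /usr/share/shorewall/configpath
        ;;
esac
```

Running it a second time is harmless: once LITEDIR already contains a firewall script the helper leaves it alone rather than overwriting a newer copy.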
New Features:

Shorewall Lite is a companion product to Shorewall and is designed to
allow you to maintain all Shorewall configuration information on a
single system within your network.

a) You install the full Shorewall release on one system within your
   network. You need not configure Shorewall there and you may totally
   disable startup of Shorewall in your init scripts. For ease of
   reference, we call this system the 'administrative system'.

b) On each system where you wish to run a Shorewall-generated firewall,
   you install Shorewall Lite. For ease of reference, we will call these
   systems the 'firewall systems'.

c) On the administrative system you create a separate 'configuration
   directory' for each firewall system. You copy the contents of
   /usr/share/shorewall/configfiles into each configuration directory.

d) On each firewall system, you run these two commands:

	/usr/share/shorewall/shorecap > capabilities
	scp capabilities <admin system>:<this system's config dir>

   If you are running Debian or one of its derivatives like Ubuntu then
   edit /etc/default/shorewall-lite and set startup=1.

   Shorewall Lite includes a very limited version of shorewall.conf
   (/etc/shorewall-lite/shorewall.conf). It includes the following
   options which have the same meaning as in a full Shorewall
   installation except as noted below:

	VERBOSITY

	LOGFILE

	LOGFORMAT - used by /sbin/shorewall for finding 'Shorewall' log
		    messages. If LOGFORMAT was specified in the
		    shorewall.conf file used at compile time on the
		    administrative system, then the format of the
		    messages themselves is defined by that value. If
		    LOGFORMAT was not specified at compile time then
		    the firewall script will use the value from
		    /etc/shorewall-lite/shorewall.conf on the firewall
		    system.

	IPTABLES - determines the iptables binary to be used by
		   /sbin/shorewall. The compiled firewall script will
		   use the IPTABLES specified in shorewall.conf at
		   compile time on the administrative system, if any;
		   if IPTABLES was not specified at compile time then
		   the IPTABLES value from
		   /etc/shorewall-lite/shorewall.conf on the firewall
		   system will be used by the firewall script.

	PATH

	SHOREWALL_SHELL

	SUBSYSLOCK

	RESTOREFILE

   Edit the shorewall.conf file as required.

e) On the administrative system, for each firewall system you:

   1) modify the files in the corresponding configuration
      directory appropriately.

   2) (this may be done as a non-root user)

	cd <configuration directory>
	/sbin/shorewall load . <firewall system>

   3) If you need to change the configuration, after you
      have modified the configuration:

	cd <configuration directory>
	/sbin/shorewall reload . <firewall system>

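The precedence rule for LOGFORMAT and IPTABLES in step d) (a value fixed into the firewall script at compile time on the administrative system wins; otherwise the firewall system's /etc/shorewall-lite/shorewall.conf supplies it) is easy to get backwards when debugging why a firewall logs in an unexpected format or runs an unexpected iptables binary. The script below is an added example, not the release notes' or the Shorewall project's own code: it models that resolution and adds a check that the resolved IPTABLES path is an absolute, executable file before anything would run it. The shorewall.conf parsing (KEY=value lines, optional double quotes, '#' comments) is an assumption about the file format, and the compile-time values passed in are hypothetical.

```shell
#!/bin/sh
# Added example (not Shorewall's own code). Models the compile-time versus
# firewall-system precedence for LOGFORMAT and IPTABLES described in the
# Shorewall Lite 3.2.0 RC 4 notes. Conf file format is assumed to be
# KEY=value per line, optionally double-quoted, with '#' comments.

# conf_value FILE KEY
# Print KEY's value from a shorewall.conf-style file; last assignment wins,
# as it would if the file were sourced. Prints nothing if KEY is unset.
conf_value() {
    file=$1
    key=$2
    sed -n "s/^[[:space:]]*${key}=//p" "$file" 2>/dev/null \
        | sed 's/[[:space:]]*#.*$//' \
        | tail -n 1 \
        | sed 's/^"\(.*\)"$/\1/'
}

# resolve_option NAME COMPILED_VALUE CONF_FILE
# COMPILED_VALUE is what the administrative system's shorewall.conf held at
# compile time (empty if not specified there). A non-empty compiled value
# wins; otherwise the firewall system's conf file is consulted.
resolve_option() {
    name=$1
    compiled=$2
    conf=$3
    if [ -n "$compiled" ]; then
        printf '%s\n' "$compiled"
    else
        conf_value "$conf" "$name"
    fi
}

# check_iptables PATH
# The firewall script will execute whatever IPTABLES resolves to, so insist
# on an absolute path to an executable file (a relative name would be looked
# up through PATH, another option that may differ between the two systems).
check_iptables() {
    [ -n "$1" ] && [ "${1#/}" != "$1" ] && [ -x "$1" ]
}

# Constructed demonstration: a sample firewall-system shorewall.conf and two
# hypothetical compile-time settings.
demo_conf=$(mktemp)
printf 'LOGFORMAT="Shorewall:%%s:%%s:"\nIPTABLES=/sbin/iptables\n' > "$demo_conf"
echo "LOGFORMAT, not set at compile time: $(resolve_option LOGFORMAT '' "$demo_conf")"
echo "LOGFORMAT, set at compile time:     $(resolve_option LOGFORMAT 'FW:%s:%s:' "$demo_conf")"
echo "IPTABLES, not set at compile time:  $(resolve_option IPTABLES '' "$demo_conf")"
rm -f "$demo_conf"
```

When a firewall system's logs do not match what /sbin/shorewall expects, the first question is therefore which of the two shorewall.conf files actually supplied LOGFORMAT; the same applies to IPTABLES when the wrong binary appears to be in use.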
It is possible to have both Shorewall and Shorewall Lite
installed on the same system.

For more information, see:

	http://www.shorewall.net/CompiledProgram.html#Lite