From 4eecdd21fe69ce0e4733e3b4209d15a82be33b04 Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 16 Sep 2002 17:04:56 +0000 Subject: [PATCH] Additions for 1.3.8 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@241 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- STABLE/documentation/VPN.htm | 81 +++++++++++++ STABLE/documentation/images/VPN.png | Bin 0 -> 22408 bytes STABLE/documentation/upgrade_issues.htm | 145 ++++++++++++++++++++++++ 3 files changed, 226 insertions(+) create mode 100644 STABLE/documentation/VPN.htm create mode 100644 STABLE/documentation/images/VPN.png create mode 100644 STABLE/documentation/upgrade_issues.htm diff --git a/STABLE/documentation/VPN.htm b/STABLE/documentation/VPN.htm new file mode 100644 index 000000000..d18deab54 --- /dev/null +++ b/STABLE/documentation/VPN.htm @@ -0,0 +1,81 @@ + + + + + + + +VPN + + + + + + + + +
+

VPN

+
+

It is often the case that a system behind the firewall needs to be able to +access a remote network through Virtual Private Networking (VPN). The two most +common means for doing this are IPSEC and PPTP. The basic setup is shown in the +following diagram:

+

+

A system with an RFC 1918 address needs to access a remote +network through a remote gateway. For this example, we will assume that the +local system has IP address 192.168.1.12 and that the remote gateway has IP +address 192.0.2.224.

+

If PPTP is being used, there are no firewall requirements beyond +the default loc->net ACCEPT policy. There is one restriction however: Only one +local system at a time can be connected to a single remote gateway unless you +patch your kernel from the 'Patch-o-matic' patches available at +http://www.netfilter.org.

+

If IPSEC is being used then there are firewall configuration +requirements as follows:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTCLIENT
+ PORT
ORIGINAL
+ DEST
DNATnet:192.0.2.224loc:192.168.1.1250   
DNATnet:192.0.2.224loc:192.168.1.12udp500  
+
+

If you want to be able to give access to all of your local systems to the +remote network, you should consider running a VPN client on your firewall. As +starting points, see + +http://www.shorewall.net/Documentation.htm#Tunnels or +http://www.shorewall.net/PPTP.htm.

+

Last modified 8/27/2002 - Tom +Eastep

+Copyright © 2002 Thomas M. Eastep.

 

+ + + + 
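Review bot: The IPSEC rules table pins protocol 50 and udp 500 from net:192.0.2.224 to the single host loc:192.168.1.12, so only that one local system can use IPSEC through this gateway, yet the one-client-per-gateway restriction is stated only in the PPTP paragraph. Suggest repeating the restriction under the IPSEC table, and naming the two entries there (protocol 50 is ESP, udp 500 is IKE) so readers know what they are forwarding to the inside host. The PPTP paragraph says nothing is needed "beyond the default loc->net ACCEPT policy"; it would help to say what must be allowed when that policy has been changed.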
diff --git a/STABLE/documentation/images/VPN.png b/STABLE/documentation/images/VPN.png new file mode 100644 index 0000000000000000000000000000000000000000..2f3177ca246aae25bf8de18852c8eaa17527d3fd GIT binary patch literal 22408
diff --git a/STABLE/documentation/upgrade_issues.htm b/STABLE/documentation/upgrade_issues.htm new file mode 100644 index 000000000..1e292ef03 --- /dev/null +++ b/STABLE/documentation/upgrade_issues.htm @@ -0,0 +1,145 @@ + + + + + + Upgrade Issues + + + + + + + + + + + + + +
+

Upgrade Issues

+
+ +

For upgrade instructions see the + Install/Upgrade page.

+ +

Version >= 1.3.7

+ +

Users specifying ALLOWRELATED=No in + /etc/shorewall.conf will need to include the + following rules in their /etc/shorewall/icmpdef + file (creating this file if necessary):

+ +
	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
+	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
+	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
+	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
+	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
+

Users having an /etc/shorewall/icmpdef file may remove the ". + /etc/shorewall/icmp.def" command from that file since the icmp.def file is now + empty.

+

Upgrading Bering to + Shorewall >= 1.3.3

+ +

To properly upgrade with Shorewall version + 1.3.3 and later:

+ +
    +
  1. Be sure you have a backup -- you will need + to transcribe any Shorewall configuration + changes that you have made to the new + configuration.
  2. +
  3. Replace the shorwall.lrp package provided on + the Bering floppy with the later one. If you did + not obtain the later version from Jacques's + site, see additional instructions below.
  4. +
  5. Edit the /var/lib/lrpkg/root.exclude.list + file and remove the /var/lib/shorewall entry if + present. Then do not forget to backup root.lrp !
  6. +
+

The .lrp that I release isn't set up for a two-interface firewall like + Jacques's. You need to follow the instructions for + setting up a two-interface firewall plus you also need to add the following + two Bering-specific rules to /etc/shorewall/rules:

+
+
# Bering specific rules:
+# allow loc to fw udp/53 for dnscache to work
+# allow loc to fw tcp/80 for weblet to work
+#
+ACCEPT loc fw udp 53
+ACCEPT loc fw tcp 80
+
+ +

Version >= 1.3.6

+ +

If you have a pair of firewall systems configured for + failover, you will need to modify your firewall setup slightly under + Shorewall versions >= 1.3.6.

+ +
    +
  1. + +

    Create the file /etc/shorewall/newnotsyn and in it add + the following rule
    +
    + run_iptables -A newnotsyn -j RETURN # So that the + connection tracking table can be rebuilt
    +                                    + # from non-SYN packets after takeover.

  2. +
  3. + +

    Create /etc/shorewall/common (if you don't already + have that file) and include the following:
    +
    + run_iptables -A common -p tcp --tcp-flags + ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection
    +                                                                    + #tracking table.
    + . /etc/shorewall/common.def

  4. +
+ +

Versions >= 1.3.5

+ +

Some forms of pre-1.3.0 rules file syntax are no + longer supported.

+ +

Example 1:

+ +
+
	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all
+
+ +

Must be replaced with:

+ +
+
	DNAT	net	loc:192.168.1.12:22	tcp	11111
+
+
+

Example 2:

+
+
	ACCEPT	loc	fw::3128	tcp	80	-	all
+
+
+

Must be replaced with:

+
+
	REDIRECT	loc	3128	tcp	80
+
+ +

Version >= 1.3.2

+ +

The functions and versions files together with the + 'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. + If you have applications that access these files, those applications + should be modified accordingly.

+ +

+ Last updated 9/13/2002 - + Tom Eastep

+ +

Copyright + © 2001, 2002 Thomas M. Eastep.

+ + + \ No newline at end of file
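Review bot: In the "Version >= 1.3.6" failover steps, neither added rule carries an interface, zone or address match, and the text does not say what that costs. `run_iptables -A newnotsyn -j RETURN` is an unconditional RETURN whose own comment says it lets non-SYN packets rebuild the connection tracking table, and the `--tcp-flags ACK,FIN,RST ACK -j ACCEPT` rule in common accepts every bare ACK that reaches that chain. Suggest a sentence stating that these relax non-SYN handling for all traffic and belong only on failover pairs, or narrowing the rules to the interfaces that need them. Separately, step 2 of the Bering list reads "shorwall.lrp", which looks like a typo for shorewall.lrp, and the file ends without a trailing newline.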