extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-08 08:44:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

Documentation Updates

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1731 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-10-30 15:23:18 +00:00
parent c8fd66a65f
commit e5ed72e5f6
6 changed files with 185 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
Shorewall-docs2/IPSEC-2.6.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-10-08</pubdate>
<pubdate>2004-10-25</pubdate>
<copyright>
<year>2004</year>
@ -37,10 +37,10 @@
<warning>
<para>To use the features described in this article, your kernel and
iptables must include the Netfilter+ipsec patches and policy match support
and you must be running Shorewall 2.1.5 or later. The Netfilter patches
are available from Netfilter Patch-O-Matic-NG and are also included in
some commercial distributions (most notably <trademark>SuSE</trademark>
9.1).</para>
and you must be running Shorewall 2.1.5 or later (with Shorewall 2.2.0
Beta 1 or later recommended). The Netfilter patches are available from
Netfilter Patch-O-Matic-NG and are also included in some commercial
distributions (most notably <trademark>SuSE</trademark> 9.1).</para>
</warning>
<important>
@ -56,7 +56,7 @@
</warning>
<section>
<title>Shorewall 2.1 and Kernel 2.6 IPSEC</title>
<title>Shorewall 2.2 and Kernel 2.6 IPSEC</title>
<para>This is <emphasis role="bold">not</emphasis> a HOWTO for Kernel 2.6
IPSEC -- for that, please see <ulink
@ -178,6 +178,14 @@
two techniques are equivalent and are used interchangably.</para>
</note>
<note>
<para>It is redundent to have <emphasis role="bold">Yes</emphasis> in
the IPSEC column of the <filename>/etc/shorewall/ipsec</filename> entry
for a zone and to also have the <emphasis role="bold">ipsec</emphasis>
option in <filename>/etc/shorewall/hosts</filename> entries for that
zone.</para>
</note>
<para>Finally, the OPTIONS, IN OPTIONS and OUT OPTIONS columns in
/etc/shorewall/ipsec can be used to match the zone to a particular (set
of) SA(s) used to encrypt and decrypt traffic to/from the zone and the

129
Shorewall-docs2/Install.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-09-12</pubdate>
<pubdate>2004-10-27</pubdate>
<copyright>
<year>2001</year>
@ -398,8 +398,131 @@ INIT="rc.firewall"</programlisting>
url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
</important>
<para>There appears to be no standard method for upgrading LEAF/Bering
packages — Sorry to be so unhelpful.</para>
<para>The following was contributed by Charles Steinkuehler on the Leaf
mailing list:</para>
<blockquote>
<para>It's *VERY* simple...just put in a new CD and reboot! &nbsp;:-)
Actually, I'm only slightly kidding...that's exactly how I upgrade my
prodution firewalls. &nbsp;The partial backup feature I added to
Dachstein allows configuration data to be stored seperately from the
rest of the package.</para>
<para>Once the config data is seperated from the rest of the package,
it's an easy matter to upgrade the pacakge while keeping your current
configuration (in my case, just inserting a new CD and
re-booting).</para>
<para>Users who aren't running with multiple package paths and using
partial backups can still upgrade a package, it just takes a bit of
extra work. &nbsp;The general idea is to use a partial backup to save
your configuration, replace the package, and restore your old
configuration files. Step-by-step instructions for one way to do this
(assuming a conventional single-floppy LEAF system) would be:</para>
<itemizedlist>
<listitem>
<para>Make a backup copy of your firewall disk ('NEW'). &nbsp;This
is the disk you will add the upgraded package(s) to.</para>
</listitem>
<listitem>
<para>Format a floppy to use as a temporary location for your
configuration file(s) ('XFER'). &nbsp;This disk should have the same
format as your firewall disk (and could simply be another backup
copy of your current firewall).</para>
</listitem>
<listitem>
<para>Make sure you have a working copy of your existing firewall
('OLD') in a safe place, that you *DO NOT* use durring this process.
That way, if anything goes wrong you can simply reboot off the OLD
disk to get back to a working configuration.</para>
</listitem>
<listitem>
<para>Remove your current firewall configuration disk and replace it
with the XFER disk.</para>
</listitem>
<listitem>
<para>Use the lrcfg backup menu to make a partial backup of the
package(s) you want to upgrade, being sure to backup the files to
the XFER disk. &nbsp;From the backup menu:</para>
<programlisting>t e &lt;enter&gt; p &lt;enter&gt;
b &lt;package1&gt; &lt;enter&gt;
b &lt;package2&gt; &lt;enter&gt;
...</programlisting>
</listitem>
<listitem>
<para>Download and copy the package(s) you want to upgrade onto the
NEW disk.</para>
</listitem>
<listitem>
<para>Reboot your firewall using the NEW disk...at this point your
upgraded packages will have their default configuration.</para>
</listitem>
<listitem>
<para>Mount the XFER disk (mount -t msdos /dev/fd0u1680 /mnt)</para>
</listitem>
<listitem>
<para>CD to the root directory (cd /)</para>
</listitem>
<listitem>
<para>Manually extract configuration data for each package you
upgraded:</para>
<programlisting>tar -xzvf /mnt/package1.lrp
tar -xzvf /mnt/package2.lrp
...</programlisting>
</listitem>
<listitem>
<para>Unmount (umount /mnt) and remove the XFER disk</para>
</listitem>
<listitem>
<para>Using lrcfg, do *FULL* backups of your upgraded
packages.</para>
</listitem>
<listitem>
<para>Reboot, verifying the firewall works as expected. &nbsp;Some
configuration files may need to be 'tweaked' to work properly with
the upgraded package binaries.</para>
</listitem>
</itemizedlist>
<important>
<para>The new package file &lt;package&gt;.local can be used to
fine-tune which files are included (and excluded) from the partial
backup (see the Dachstein-CD README for details). &nbsp;If this file
doesn't exist, the backup scripts assume anything from the
&lt;package&gt;.list file that resides in /etc or /var/lib/lrpkg is
part of the configuration data and is used to create the partial
backup. &nbsp;If shorewall puts anything in /etc that isn't a user
modified configuration file, a proper shorwall.local file should be
created prior to making the partial backup [<emphasis
role="bold">Editor's note</emphasis>: Shorewall places only
user-modifiable files in /etc].</para>
</important>
<note>
<para>It's obviously possible to do the above 'in-place', without
using multiple disks, and even without making a partial backup (ie:
copy current config files to /tmp, manually extract new package on top
of current running firewall, then copy or merge config data from /tmp
and backup...or similar), but anyone capable of that level of command
line gymnastics is probably doing it already, without needing detailed
instructions! :-)</para>
</note>
</blockquote>
</section>
<section id="Config_Files">

28
Shorewall-docs2/Shorewall_Doesnt.xml
View File

@ -13,7 +13,7 @@
<surname>Eastep</surname>
</author>
<pubdate>2004-06-08</pubdate>
<pubdate>2004-10-26</pubdate>
<copyright>
<year>2003</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -43,7 +44,7 @@
</listitem>
<listitem>
<para>Work with an Operating System other than Linux (version &#62;=
<para>Work with an Operating System other than Linux (version &gt;=
2.4.0)</para>
</listitem>
@ -52,22 +53,23 @@
<itemizedlist>
<listitem>
<para>HTTP - better to use <ulink url="Shorewall_Squid_Usage.html">Squid</ulink>
for that.</para>
<para>HTTP - better to use <ulink
url="Shorewall_Squid_Usage.html">Squid</ulink> for that.</para>
</listitem>
<listitem>
<para>Email -- Install something like <ulink
url="http://www.postfix.org">Postfix</ulink> on your firewall and
integrate it with <ulink url="http://www.spamassassin.org/">SpamAssassin</ulink>
and <ulink url="http://www.ijs.si/software/amavisd/">Amavisd-new</ulink>.</para>
integrate it with <ulink
url="http://www.spamassassin.org/">SpamAssassin</ulink> and <ulink
url="http://www.ijs.si/software/amavisd/">Amavisd-new</ulink>.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Set up Routing (except to support <ulink url="ProxyARP.htm">Proxy
ARP</ulink>)</para>
<para>Set up Routing (except to support <ulink
url="ProxyARP.htm">Proxy ARP</ulink>)</para>
</listitem>
<listitem>
@ -88,10 +90,12 @@
<itemizedlist>
<listitem>
<para>Shorewall does not contain any support for Netfilter <ulink
url="http://www.netfilter.org/documentation/pomlist/pom-summary.html">Patch-O-Matic</ulink>
<para>Shorewall generally does not contain any support for Netfilter
<ulink
url="http://www.netfilter.org/documentation/pomlist/pom-summary.html">Patch-O-Matic-ng</ulink>
features or any other features that require kernel patching --
Shorewall only supports features from released kernels.</para>
Shorewall only supports features from released kernels except in
unusual cases.</para>
</listitem>
</itemizedlist>
</section>

4
Shorewall-docs2/VPN.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-10-21</pubdate>
<pubdate>2004-10-27</pubdate>
<copyright>
<year>2002</year>
@ -135,6 +135,6 @@
HP Intranet and it works flawlessly without anything in Shorewall other
than my ACCEPT loc-&gt;net policy. NAT traversal is available as a patch
for Windows 2K and is a standard feature of Windows XP -- simply select
"</para>
"L2TP IPSec VPN" from the "Type of VPN" pulldown.</para>
</section>
</article>

25
Shorewall-docs2/errata.xml
View File

@ -13,7 +13,7 @@
</author>
</authorgroup>
<pubdate>2004-09-02</pubdate>
<pubdate>2004-10-25</pubdate>
<copyright>
<year>2001-2004</year>
@ -89,6 +89,29 @@
<section>
<title>Problems in Version 2.0</title>
<section>
<title>Shorewall 2.0.10</title>
<para>The initial packages uploaded to the FTP and HTTP servers were
incorrect. Here are the MD5 sums of the incorrect packages.</para>
<programlisting>14e8f2bfa08cc5ca2715c8b1179d5eb2 &nbsp;shorewall-2.0.10-1.noarch.rpm
54bcbb2216ad3db9870507cd9716fd99 &nbsp;shorewall-2.0.10.tgz
c2fe0acc7f056acb56d089cf8dafa39a &nbsp;shorwall-2.0.10.lrp</programlisting>
<para>These incorrect packages have been replaced with correct ones
having the following MD5 sums:</para>
<programlisting>d5af452d38538b4b994c3c4abab8e012 &nbsp;shorewall-2.0.10-1.noarch.rpm
985ce9215ea9cc0299f0b5450fdbe05e &nbsp;shorewall-2.0.10.tgz
0ec7a65e4ed4ad1db0d2a4cb0c7bd5bf &nbsp;shorwall-2.0.10.lrp</programlisting>
<para>If you have installed an incorrect package, please replace
<filename>/sbin/shorewall</filename> with <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.10/shorewall">this
file</ulink>.</para>
</section>
<section>
<title>Shorewall 2.0.3 through 2.0.8</title>

5
Shorewall-docs2/standalone.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-09-12</pubdate>
<pubdate>2004-10-27</pubdate>
<copyright>
<year>2002-2004</year>
@ -55,7 +55,8 @@
<listitem>
<para>Connection through Cable Modem, DSL, ISDN, Frame Relay,
dial-up...</para>
dial-up... or connected to a LAN and you simply wish to protect your
Linux system from other systems on that LAN.</para>
</listitem>
</itemizedlist>