Documentation Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1731 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-10-30 15:23:18 +00:00
parent c8fd66a65f
commit e5ed72e5f6
6 changed files with 185 additions and 26 deletions

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-10-08</pubdate> <pubdate>2004-10-25</pubdate>
<copyright> <copyright>
<year>2004</year> <year>2004</year>
@ -37,10 +37,10 @@
<warning> <warning>
<para>To use the features described in this article, your kernel and <para>To use the features described in this article, your kernel and
iptables must include the Netfilter+ipsec patches and policy match support iptables must include the Netfilter+ipsec patches and policy match support
and you must be running Shorewall 2.1.5 or later. The Netfilter patches and you must be running Shorewall 2.1.5 or later (with Shorewall 2.2.0
are available from Netfilter Patch-O-Matic-NG and are also included in Beta 1 or later recommended). The Netfilter patches are available from
some commercial distributions (most notably <trademark>SuSE</trademark> Netfilter Patch-O-Matic-NG and are also included in some commercial
9.1).</para> distributions (most notably <trademark>SuSE</trademark> 9.1).</para>
</warning> </warning>
<important> <important>
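Review bot: The reworded `<warning>` now states two thresholds at once ("2.1.5 or later" and "2.2.0 Beta 1 or later recommended") while the section title in the following hunk is renamed to "Shorewall 2.2"; one clause saying which release is the supported minimum for this article would tell 2.1.x readers whether the instructions still apply to them.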
@ -56,7 +56,7 @@
</warning> </warning>
<section> <section>
<title>Shorewall 2.1 and Kernel 2.6 IPSEC</title> <title>Shorewall 2.2 and Kernel 2.6 IPSEC</title>
<para>This is <emphasis role="bold">not</emphasis> a HOWTO for Kernel 2.6 <para>This is <emphasis role="bold">not</emphasis> a HOWTO for Kernel 2.6
IPSEC -- for that, please see <ulink IPSEC -- for that, please see <ulink
@ -178,6 +178,14 @@
two techniques are equivalent and are used interchangably.</para> two techniques are equivalent and are used interchangably.</para>
</note> </note>
<note>
<para>It is redundent to have <emphasis role="bold">Yes</emphasis> in
the IPSEC column of the <filename>/etc/shorewall/ipsec</filename> entry
for a zone and to also have the <emphasis role="bold">ipsec</emphasis>
option in <filename>/etc/shorewall/hosts</filename> entries for that
zone.</para>
</note>
<para>Finally, the OPTIONS, IN OPTIONS and OUT OPTIONS columns in <para>Finally, the OPTIONS, IN OPTIONS and OUT OPTIONS columns in
/etc/shorewall/ipsec can be used to match the zone to a particular (set /etc/shorewall/ipsec can be used to match the zone to a particular (set
of) SA(s) used to encrypt and decrypt traffic to/from the zone and the of) SA(s) used to encrypt and decrypt traffic to/from the zone and the
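Review bot: Spelling in the added `<note>`: "redundent" should be "redundant", and the unchanged context line above it still reads "interchangably" for "interchangeably". The note also says that setting "Yes" in the IPSEC column and giving the `ipsec` option in `/etc/shorewall/hosts` for the same zone is redundant without saying whether the combination is harmless or is rejected when the configuration is loaded; one sentence stating the behaviour would save readers a test.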

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-09-12</pubdate> <pubdate>2004-10-27</pubdate>
<copyright> <copyright>
<year>2001</year> <year>2001</year>
@ -398,8 +398,131 @@ INIT="rc.firewall"</programlisting>
url="upgrade_issues.htm">Upgrade Issues</ulink>.</para> url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
</important> </important>
<para>There appears to be no standard method for upgrading LEAF/Bering <para>The following was contributed by Charles Steinkuehler on the Leaf
packages — Sorry to be so unhelpful.</para> mailing list:</para>
<blockquote>
<para>It's *VERY* simple...just put in a new CD and reboot! &nbsp;:-)
Actually, I'm only slightly kidding...that's exactly how I upgrade my
prodution firewalls. &nbsp;The partial backup feature I added to
Dachstein allows configuration data to be stored seperately from the
rest of the package.</para>
<para>Once the config data is seperated from the rest of the package,
it's an easy matter to upgrade the pacakge while keeping your current
configuration (in my case, just inserting a new CD and
re-booting).</para>
<para>Users who aren't running with multiple package paths and using
partial backups can still upgrade a package, it just takes a bit of
extra work. &nbsp;The general idea is to use a partial backup to save
your configuration, replace the package, and restore your old
configuration files. Step-by-step instructions for one way to do this
(assuming a conventional single-floppy LEAF system) would be:</para>
<itemizedlist>
<listitem>
<para>Make a backup copy of your firewall disk ('NEW'). &nbsp;This
is the disk you will add the upgraded package(s) to.</para>
</listitem>
<listitem>
<para>Format a floppy to use as a temporary location for your
configuration file(s) ('XFER'). &nbsp;This disk should have the same
format as your firewall disk (and could simply be another backup
copy of your current firewall).</para>
</listitem>
<listitem>
<para>Make sure you have a working copy of your existing firewall
('OLD') in a safe place, that you *DO NOT* use durring this process.
That way, if anything goes wrong you can simply reboot off the OLD
disk to get back to a working configuration.</para>
</listitem>
<listitem>
<para>Remove your current firewall configuration disk and replace it
with the XFER disk.</para>
</listitem>
<listitem>
<para>Use the lrcfg backup menu to make a partial backup of the
package(s) you want to upgrade, being sure to backup the files to
the XFER disk. &nbsp;From the backup menu:</para>
<programlisting>t e &lt;enter&gt; p &lt;enter&gt;
b &lt;package1&gt; &lt;enter&gt;
b &lt;package2&gt; &lt;enter&gt;
...</programlisting>
</listitem>
<listitem>
<para>Download and copy the package(s) you want to upgrade onto the
NEW disk.</para>
</listitem>
<listitem>
<para>Reboot your firewall using the NEW disk...at this point your
upgraded packages will have their default configuration.</para>
</listitem>
<listitem>
<para>Mount the XFER disk (mount -t msdos /dev/fd0u1680 /mnt)</para>
</listitem>
<listitem>
<para>CD to the root directory (cd /)</para>
</listitem>
<listitem>
<para>Manually extract configuration data for each package you
upgraded:</para>
<programlisting>tar -xzvf /mnt/package1.lrp
tar -xzvf /mnt/package2.lrp
...</programlisting>
</listitem>
<listitem>
<para>Unmount (umount /mnt) and remove the XFER disk</para>
</listitem>
<listitem>
<para>Using lrcfg, do *FULL* backups of your upgraded
packages.</para>
</listitem>
<listitem>
<para>Reboot, verifying the firewall works as expected. &nbsp;Some
configuration files may need to be 'tweaked' to work properly with
the upgraded package binaries.</para>
</listitem>
</itemizedlist>
<important>
<para>The new package file &lt;package&gt;.local can be used to
fine-tune which files are included (and excluded) from the partial
backup (see the Dachstein-CD README for details). &nbsp;If this file
doesn't exist, the backup scripts assume anything from the
&lt;package&gt;.list file that resides in /etc or /var/lib/lrpkg is
part of the configuration data and is used to create the partial
backup. &nbsp;If shorewall puts anything in /etc that isn't a user
modified configuration file, a proper shorwall.local file should be
created prior to making the partial backup [<emphasis
role="bold">Editor's note</emphasis>: Shorewall places only
user-modifiable files in /etc].</para>
</important>
<note>
<para>It's obviously possible to do the above 'in-place', without
using multiple disks, and even without making a partial backup (ie:
copy current config files to /tmp, manually extract new package on top
of current running firewall, then copy or merge config data from /tmp
and backup...or similar), but anyone capable of that level of command
line gymnastics is probably doing it already, without needing detailed
instructions! :-)</para>
</note>
</blockquote>
</section> </section>
<section id="Config_Files"> <section id="Config_Files">
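Review bot: The extraction step ("tar -xzvf /mnt/package1.lrp" run from /) unpacks a saved archive over the running root filesystem as root, so it deserves a sentence recommending `tar -tzvf /mnt/package1.lrp` first to confirm the archive holds only the expected configuration files; the `<important>` block already explains that a missing `<package>.local` can pull more than user-modified files into the partial backup. Spelling in the quoted text: "prodution", "seperately", "seperated", "pacakge", "durring"; "shorwall.local" should be checked against the actual LEAF package name (the errata hunk in this commit lists the package as shorwall-2.0.10.lrp, so it may be intentional). The `&nbsp;` entities after sentence-ending periods look like pasted mail/HTML residue and plain spaces would read better in the DocBook source.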

@ -13,7 +13,7 @@
<surname>Eastep</surname> <surname>Eastep</surname>
</author> </author>
<pubdate>2004-06-08</pubdate> <pubdate>2004-10-26</pubdate>
<copyright> <copyright>
<year>2003</year> <year>2003</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
@ -43,7 +44,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para>Work with an Operating System other than Linux (version &#62;= <para>Work with an Operating System other than Linux (version &gt;=
2.4.0)</para> 2.4.0)</para>
</listitem> </listitem>
@ -52,22 +53,23 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>HTTP - better to use <ulink url="Shorewall_Squid_Usage.html">Squid</ulink> <para>HTTP - better to use <ulink
for that.</para> url="Shorewall_Squid_Usage.html">Squid</ulink> for that.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Email -- Install something like <ulink <para>Email -- Install something like <ulink
url="http://www.postfix.org">Postfix</ulink> on your firewall and url="http://www.postfix.org">Postfix</ulink> on your firewall and
integrate it with <ulink url="http://www.spamassassin.org/">SpamAssassin</ulink> integrate it with <ulink
and <ulink url="http://www.ijs.si/software/amavisd/">Amavisd-new</ulink>.</para> url="http://www.spamassassin.org/">SpamAssassin</ulink> and <ulink
url="http://www.ijs.si/software/amavisd/">Amavisd-new</ulink>.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</listitem> </listitem>
<listitem> <listitem>
<para>Set up Routing (except to support <ulink url="ProxyARP.htm">Proxy <para>Set up Routing (except to support <ulink
ARP</ulink>)</para> url="ProxyARP.htm">Proxy ARP</ulink>)</para>
</listitem> </listitem>
<listitem> <listitem>
@ -88,10 +90,12 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Shorewall does not contain any support for Netfilter <ulink <para>Shorewall generally does not contain any support for Netfilter
url="http://www.netfilter.org/documentation/pomlist/pom-summary.html">Patch-O-Matic</ulink> <ulink
url="http://www.netfilter.org/documentation/pomlist/pom-summary.html">Patch-O-Matic-ng</ulink>
features or any other features that require kernel patching -- features or any other features that require kernel patching --
Shorewall only supports features from released kernels.</para> Shorewall only supports features from released kernels except in
unusual cases.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>
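Review bot: "generally does not contain any support ... except in unusual cases" leaves the reader guessing which cases are meant; since the IPSEC article updated in this same commit requires the Patch-O-Matic-NG policy match support, consider naming that as the exception (or linking to that article) instead of "unusual cases".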

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-10-21</pubdate> <pubdate>2004-10-27</pubdate>
<copyright> <copyright>
<year>2002</year> <year>2002</year>
@ -135,6 +135,6 @@
HP Intranet and it works flawlessly without anything in Shorewall other HP Intranet and it works flawlessly without anything in Shorewall other
than my ACCEPT loc-&gt;net policy. NAT traversal is available as a patch than my ACCEPT loc-&gt;net policy. NAT traversal is available as a patch
for Windows 2K and is a standard feature of Windows XP -- simply select for Windows 2K and is a standard feature of Windows XP -- simply select
"</para> "L2TP IPSec VPN" from the "Type of VPN" pulldown.</para>
</section> </section>
</article> </article>
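Review bot: Good catch on the truncated sentence; the other documents in this commit mark quoted terms with `<quote>` (see the legalnotice hunk above), so `<quote>L2TP IPSec VPN</quote>` and `<quote>Type of VPN</quote>` would be consistent with the rest of the sources rather than literal double quotes.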

@ -13,7 +13,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-09-02</pubdate> <pubdate>2004-10-25</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -89,6 +89,29 @@
<section> <section>
<title>Problems in Version 2.0</title> <title>Problems in Version 2.0</title>
<section>
<title>Shorewall 2.0.10</title>
<para>The initial packages uploaded to the FTP and HTTP servers were
incorrect. Here are the MD5 sums of the incorrect packages.</para>
<programlisting>14e8f2bfa08cc5ca2715c8b1179d5eb2 &nbsp;shorewall-2.0.10-1.noarch.rpm
54bcbb2216ad3db9870507cd9716fd99 &nbsp;shorewall-2.0.10.tgz
c2fe0acc7f056acb56d089cf8dafa39a &nbsp;shorwall-2.0.10.lrp</programlisting>
<para>These incorrect packages have been replaced with correct ones
having the following MD5 sums:</para>
<programlisting>d5af452d38538b4b994c3c4abab8e012 &nbsp;shorewall-2.0.10-1.noarch.rpm
985ce9215ea9cc0299f0b5450fdbe05e &nbsp;shorewall-2.0.10.tgz
0ec7a65e4ed4ad1db0d2a4cb0c7bd5bf &nbsp;shorwall-2.0.10.lrp</programlisting>
<para>If you have installed an incorrect package, please replace
<filename>/sbin/shorewall</filename> with <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.10/shorewall">this
file</ulink>.</para>
</section>
<section> <section>
<title>Shorewall 2.0.3 through 2.0.8</title> <title>Shorewall 2.0.3 through 2.0.8</title>
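Review bot: The `<programlisting>` blocks of MD5 sums put `&nbsp;` between the hash and the filename, so the rendered text will neither match real `md5sum` output nor feed `md5sum -c`, which expects the hash, two plain spaces, then the filename; use two ordinary spaces. The section also tells users to replace /sbin/shorewall with a file fetched over plain HTTP without publishing its checksum, while sums are given for every package; add the MD5 sum of the replacement file so the download can be verified, and state what was actually wrong with the initial packages so users can judge whether they are affected.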

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-09-12</pubdate> <pubdate>2004-10-27</pubdate>
<copyright> <copyright>
<year>2002-2004</year> <year>2002-2004</year>
@ -55,7 +55,8 @@
<listitem> <listitem>
<para>Connection through Cable Modem, DSL, ISDN, Frame Relay, <para>Connection through Cable Modem, DSL, ISDN, Frame Relay,
dial-up...</para> dial-up... or connected to a LAN and you simply wish to protect your
Linux system from other systems on that LAN.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
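Review bot: The extended list item now reads "Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up... or connected to a LAN and you simply wish ...", switching from a noun phrase to a clause mid-item; moving the LAN case into its own `<listitem>` (for example "A system on a LAN that you simply wish to protect from other systems on that LAN") keeps the list parallel.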