Shorewall 5 Tom Eastep 2015 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Introduction There are currently two principle groups of changes that distinguish Shorewall 5 from Shorewall 4: Cruft Removal - over the years, as new ways to accomplish various tasks are added to Shorewall, support for the old way of doing things has generally been retained but deprecated. Shorewall 5 drops support for those deprecated features. Changes to CLI commands - In order to make command names more accurately reflect what the associated commands do, a number of commands have been renamed or the function that they perform has been changed. Each of these groups is described in more detail in the sections that follow.
Cruft Removal Removal of superseded features makes the code cleaner and easier to extend while also reducing compilation and execution time. The following subsections detail the features that are no longer supported in Shorewall 5.
Scripts Compiled with Shorewall 4.4.7 or Earlier Shorewall 5 cannot correctly run scripts compiled with Shorewall 4.4.7 or earlier releases. Such scripts must be recompiled with 4.4.8 or later prior to upgrading to Shorewall 5.
Workarounds Over the years, a number of workarounds have been added to Shorewall to work around defects in other products. In current distributions, those defects have been corrected, and in 4.6.11, a WORKAROUNDS configuration option was added to disable those workarounds. In Shorewall 5, the WORKAROUNDS setting is still available in the shorewall[6].conf files but: Its default setting has been changed to No. All workarounds for old distributions have been eliminated. If there is a need to add new workarounds in the future, those workarounds will be enabled by WORKAROUNDS=Yes.
Removal of Configuration Options A number of configuration options have been eliminated in Shorewall 5. The following options have been eliminated and the functionality that they enabled is been removed: EXPORTPARAMS IPSECFILE LEGACY_FASTSTART A compilation warning is issued when any of these options are encountered in the .conf file, and the shorewall[6] update command will remove them from the configuration file. These options have been eliminated because they have been superseded by newer options. LOGRATE and LOGBURST (superseded by LOGLIMIT) WIDE_TC_MARKS (superseded by TC_BITS) HIGH_ROUTE_MARKS (superseded by PROVIDER_OFFSET) BLACKLISTNEWONLY (superseded by BLACKLIST) A fatal compilation error is emitted if any of these options are present in the .conf file, and the shorewall[6] update command will replace these options with equivalent setting of the options that supersede them.
Obsolete Configuration Files Support has been removed for the 'blacklist', 'tcrules', 'routestopped', 'notrack' and 'tos' files. The and options of the update command are still available to convert the 'tcrules' and 'tos' files to the equivalent 'mangle' file and to convert the 'blacklist' file into an equivalent 'blrules' file. As in Shorewall 4.6.12, the option is available to convert the 'routestopped' file into the equivalent 'stoppedrules' file and the option is available to convert a 'notrack' file to the equivalent 'conntrack' file.
Macro and Action Formats Originally, macro and action files had formats that were different from that of the rules file, Format-1 action files had the following columns: TARGET SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) RATE USER/GROUP MARK Format-1 macro files were similar but did not support the MARK column. Format-2 macro and action files have these columns: TARGET SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST RATE USER/GROUP MARK CONNLIMIT TIME HEADERS (Only valid for IPv6) SWITCH HELPER Notice that the first five columns of both sets are the same. In Shorewall 5, support for format-1 macros and actions has been dropped and all macros and actions will be processed as if ?FORMAT 2 were included before the first entry. Given that the vast majority of actions and macros only use the first five columns, this change will be of no concern to most users, but will cause compilation errors if columns beyold the fifth one are populated.
COMMENT, FORMAT and SECTION Lines COMMENT, FORMAT and SECTION Lines now require the leading question mark ("?"). In earlier releases, the question mark was optional. The shorewall[6] update -D command will insert the question marks for you.
CLI Command Changes A number of commands have been renamed and/or now perform a different function.
restart The restart command now does a true restart and is equivalent to a stop followed by a start.
load The function performed by the Shorewall-4 load command is now performed by the remote-start command.
reload In Shorewall 5, the reload command now performs the same function as the restart command did in Shorewall 4. The action taken by the Shorewall-4 reload command is now performed by the remote-restart command. For those that can't get used to the idea of using reload in place of restart, a RESTART option has been added to shorewall[6].conf. The option defaults to 'restart' but if set to 'reload', then the restart command does what it did in earlier releases. Beginning with Shorewall 5.0.1 and Shorewall 4.6.13.2, the update command will set RESTART=reload to maintain compatibility with earlier releases. Shorewall 5.0.0 created the setting LEGACY_RESTART=No which was equivalent to RESTART=restart. Under Shorewall 5.0.1 and later, update will convert LEGACY_RESTART to the equivalent RESTART setting.
Upgrading to Shorewall 5 It is strongly recommended that you first upgrade your installation to a 4.6 release that supports the option to the update command; 4.6.13 is preferred. Once you are on that release, execute the shorewall update -A command (and shorewall6 update -A if you also have Shorewall6). Finally, add ?FORMAT 2 to each of your macro and action files and be sure that the check command does not produce errors -- if it does, you can shuffle the columns around to make them work on both Shorewall 4 and Shorewall 5. These steps can also be taken after you upgrade, but your firewall likely won't start or work correctly until you do. The update command in Shorewall 5 has many fewer options. The , , and options have been removed -- the updates triggered by those options are now performed unconditionally. The and options have been retained - both enable checking for issues that could result if INLINE_MATCHES were to be set to Yes.