<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>Upgrade Issues</title> <meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="Microsoft Theme" content="none"> </head> <body> <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse;" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> <tbody> <tr> <td width="100%"> <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1> </td> </tr> </tbody> </table> <p>For upgrade instructions see the <a href="Install.htm">Install/Upgrade page</a>.</p> <h3>Version 1.3.10</h3> <p>If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version 1.3.10, you will need to use the '--force' option:</p> <blockquote> <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre> </blockquote> <h3>Version &gt;= 1.3.9</h3> <p>The 'functions' file has moved to /usr/lib/shorewall/functions. If you have an application that uses functions from that file, your application will need to be changed to reflect this change of location.</p> <h3>Version &gt;= 1.3.8</h3> <p>If you have a pair of firewall systems configured for failover or if you have asymmetric routing, you will need to modify your firewall setup slightly under Shorewall versions &gt;= 1.3.8.
Beginning with version 1.3.8, you must set NEWNOTSYN=Yes in your /etc/shorewall/shorewall.conf file.</p> <h3>Version &gt;= 1.3.7</h3> <p>Users specifying ALLOWRELATED=No in /etc/shorewall/shorewall.conf will need to include the following rules in their /etc/shorewall/icmpdef file (creating this file if necessary):</p> <pre>run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre> <p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" command from that file since the icmp.def file is now empty.</p> <h3><b><a name="Bering">Upgrading </a>Bering to Shorewall &gt;= 1.3.3</b></h3> <p>To properly upgrade with Shorewall version 1.3.3 and later:</p> <ol> <li>Be sure you have a backup -- you will need to transcribe any Shorewall configuration changes that you have made to the new configuration.</li> <li>Replace the shorewall.lrp package provided on the Bering floppy with the later one. If you did not obtain the later version from Jacques's site, see additional instructions below.</li> <li>Edit the /var/lib/lrpkg/root.exclude.list file and remove the /var/lib/shorewall entry if present. Then do not forget to back up root.lrp!</li> </ol> <p>The .lrp that I release isn't set up for a two-interface firewall like Jacques's.
You need to follow the <a href="two-interface.htm">instructions for setting up a two-interface firewall</a>, and you also need to add the following two Bering-specific rules to /etc/shorewall/rules:</p> <blockquote> <pre># Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80</pre> </blockquote> <h3 align="left">Version 1.3.6 and 1.3.7</h3> <p align="left">If you have a pair of firewall systems configured for failover or if you have asymmetric routing, you will need to modify your firewall setup slightly under Shorewall versions 1.3.6 and 1.3.7.</p> <ol> <li> <p align="left">Create the file /etc/shorewall/newnotsyn and in it add the following rule:</p> <pre>run_iptables -A newnotsyn -j RETURN # So that the connection tracking table can be rebuilt
                                    # from non-SYN packets after takeover.</pre> </li> <li> <p align="left">Create /etc/shorewall/common (if you don't already have that file) and include the following:</p> <pre>run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT # Accept ACKs to rebuild the connection
                                                                    # tracking table.
. /etc/shorewall/common.def</pre> </li> </ol> <h3 align="left">Versions &gt;= 1.3.5</h3> <p align="left">Some forms of pre-1.3.0 rules file syntax are no longer supported.
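The rewrite this section describes, as an added example that is not part of the Shorewall documentation: a small Python converter that turns the obsolete ACCEPT port-forwarding form into DNAT or REDIRECT rules. It assumes every obsolete rule is shaped like the two examples in this section (ACCEPT action, DEST of zone:addr[:port] or zone::port, the literal 'all' in the last column); the sample rules file is constructed.

```python
"""Rewrite pre-1.3.0 Shorewall port-forwarding rules into the DNAT/REDIRECT
syntax required by Shorewall 1.3.5 and later.

Added example, not Shorewall's own code. Assumption: every obsolete rule has
an ACCEPT action, a DEST column of zone:addr[:port] (forward to a host) or
zone::port (redirect to the firewall), and 'all' in the ORIGINAL DEST column.
"""
import re

# Constructed sample /etc/shorewall/rules: the two obsolete forms from this
# page plus a comment, a blank line and a rule already in the new syntax.
OLD_RULES = """\
# forward external port 11111 to ssh on an internal host
ACCEPT  net  loc:192.168.1.12:22  tcp  11111  -  all

ACCEPT  loc  fw::3128  tcp  80  -  all
ACCEPT  loc  fw  tcp  22
"""

DEST_RE = re.compile(r"^(\w+):([^:]*)(?::(\d+))?$")


def convert_rule(line):
    """Return the 1.3.5+ form of one rules line, or the line unchanged."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return line                      # comment or blank line
    # Obsolete syntax uses all seven columns with ORIGINAL DEST == 'all'.
    if len(fields) != 7 or fields[0] != "ACCEPT" or fields[6] != "all":
        return line
    src, dest, proto, dport, sport = fields[1:6]
    m = DEST_RE.match(dest)
    if not m:
        return line
    zone, addr, port = m.groups()
    if addr == "":                       # zone::port -> redirect to firewall
        if port is None:
            return line
        new = ["REDIRECT", src, port, proto, dport]
    else:                                # zone:addr[:port] -> DNAT
        new = ["DNAT", src, dest, proto, dport]
    if sport != "-":                     # keep a real SOURCE PORT(S) column
        new.append(sport)
    return " ".join(new)


def convert_rules(text):
    """Convert a whole rules file, preserving comments and blank lines."""
    return "\n".join(convert_rule(ln) for ln in text.splitlines()) + "\n"


if __name__ == "__main__":
    print(convert_rules(OLD_RULES), end="")
```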
</p> <p align="left">Example 1:</p> <div align="left"> <pre>ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre> </div> <p align="left">Must be replaced with:</p> <div align="left"> <pre>DNAT net loc:192.168.1.12:22 tcp 11111</pre> </div> <p align="left">Example 2:</p> <div align="left"> <pre>ACCEPT loc fw::3128 tcp 80 - all</pre> </div> <p align="left">Must be replaced with:</p> <div align="left"> <pre>REDIRECT loc 3128 tcp 80</pre> </div> <h3 align="left">Version &gt;= 1.3.2</h3> <p align="left">The functions and versions files together with the 'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. If you have applications that access these files, those applications should be modified accordingly.</p> <p><font size="2">Last updated 11/09/2002 - <a href="support.htm">Tom Eastep</a></font></p> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> </body> </html>