<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
                         
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Upgrade Issues</title>
                                            
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
                         
  <meta name="ProgId" content="FrontPage.Editor.Document">
                                 
  <meta name="Microsoft Theme" content="none">
</head>
  <body>
          
<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
 bgcolor="#400169" height="90">
        <tbody>
        <tr>
          <td width="100%">                                  
      <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
          </td>
        </tr>
                  
  </tbody>    
</table>
                                                    
<p>For upgrade instructions see the <a href="Install.htm">Install/Upgrade page</a>.</p>
                                        
<h3>Version 1.3.10</h3>
<p>If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
1.3.10, you will need to use the '--force' option:</p>
<blockquote>
  <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
</blockquote>
<h3>Version &gt;= 1.3.9</h3>
<p>The 'functions' file has moved to /usr/lib/shorewall/functions. If you
have an application that uses functions from that file, your application
will need to be changed to reflect this change of location.</p>
<h3>Version &gt;= 1.3.8</h3>
                                        
<p>If you have a pair of firewall systems configured for failover or if you
have asymmetric routing, you will need to modify your firewall setup slightly
under Shorewall versions &gt;= 1.3.8. Beginning with version 1.3.8, you must
set NEWNOTSYN=Yes in your /etc/shorewall/shorewall.conf file.</p>
                                        
<h3>Version &gt;= 1.3.7</h3>
                                        
<p>Users specifying ALLOWRELATED=No in /etc/shorewall/shorewall.conf will need
to include the following rules in their /etc/shorewall/icmpdef file (creating
this file if necessary):</p>
                                        
<pre>run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
          
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p>
          
<h3><b><a name="Bering">Upgrading</a> Bering to Shorewall &gt;= 1.3.3</b></h3>

<p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
                                        
<ol>
  <li>Be sure you have a backup -- you will need to transcribe any Shorewall
  configuration changes that you have made to the new configuration.</li>
  <li>Replace the shorewall.lrp package provided on the Bering floppy with the
  later one. If you did not obtain the later version from Jacques's site, see
  additional instructions below.</li>
  <li>Edit the /var/lib/lrpkg/root.exclude.list file and remove the
  /var/lib/shorewall entry if present. Then do not forget to back up
  root.lrp!</li>
</ol>
          
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need to add
the following two Bering-specific rules to /etc/shorewall/rules:</p>
          
<blockquote>
  <pre># Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80</pre>
</blockquote>
                                    
<h3 align="left">Versions 1.3.6 and 1.3.7</h3>
                                    
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify your
firewall setup slightly under Shorewall versions 1.3.6 and 1.3.7.</p>
                                    
<ol>
  <li>
    <p align="left">Create the file /etc/shorewall/newnotsyn and in it add
    the following rule:</p>
    <pre>run_iptables -A newnotsyn -j RETURN # So that the connection tracking table can be rebuilt
                                    # from non-SYN packets after takeover.</pre>
  </li>
  <li>
    <p align="left">Create /etc/shorewall/common (if you don't already
    have that file) and include the following:</p>
    <pre>run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection
                                                                   #tracking table.
. /etc/shorewall/common.def</pre>
  </li>
</ol>
                                    
<h3 align="left">Versions &gt;= 1.3.5</h3>
                                    
<p align="left">Some forms of pre-1.3.0 rules file syntax are no longer supported.</p>

<p align="left">Example 1:</p>

<div align="left">
<pre>	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all</pre>
</div>

<p align="left">Must be replaced with:</p>

<div align="left">
<pre>	DNAT	net	loc:192.168.1.12:22	tcp	11111</pre>
</div>

<p align="left">Example 2:</p>

<div align="left">
<pre>	ACCEPT	loc	fw::3128	tcp	80	-	all</pre>
</div>

<p align="left">Must be replaced with:</p>

<div align="left">
<pre>	REDIRECT	loc	3128	tcp	80</pre>
</div>
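<p align="left">An added example, not part of this page or of the Shorewall distribution: a small Python converter that rewrites the two pre-1.3.0 forms above into the 1.3.5 syntax. It treats any 7-column ACCEPT rule whose DEST column carries a port and whose last column is 'all' as an old port-forwarding rule (that interpretation, and passing every other rule through unchanged, are my assumptions).</p>

```python
"""Added example (not from the Shorewall page or project): rewrite the two
pre-1.3.0 rules-file forms shown above into the Shorewall >= 1.3.5 syntax.

Assumption (mine): an old port-forwarding rule is a 7-column ACCEPT rule whose
DEST column carries a port (zone:addr:port or zone::port) and whose last
column is 'all'.  'fw::port' becomes REDIRECT, anything else becomes DNAT.
Other rules are left as they are (columns re-joined with tabs)."""


def convert_rule(line: str) -> str:
    """Return the 1.3.5+ form of one rules-file line; comments pass through."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return stripped
    cols = stripped.split()
    # Only 7-column ACCEPT rules ending in 'all' used the old NAT syntax.
    if len(cols) != 7 or cols[0] != "ACCEPT" or cols[6] != "all":
        return "\t".join(cols)
    _action, source, dest, proto, dport, sport, _last = cols
    dest_parts = dest.split(":")
    if len(dest_parts) != 3:  # no port in DEST: not a NAT rule after all
        return "\t".join(cols)
    zone, addr, port = dest_parts
    if zone == "fw" and addr == "":
        # Local redirection ('fw::3128'): REDIRECT carries only the port.
        new = ["REDIRECT", source, port, proto, dport]
    else:
        # Forward to an internal host: keep zone:addr:port, change the action.
        new = ["DNAT", source, dest, proto, dport]
    if sport != "-":  # keep an explicit source port restriction
        new.append(sport)
    return "\t".join(new)


def convert_rules_file(text: str) -> str:
    """Convert a whole rules file, one line at a time."""
    return "\n".join(convert_rule(line) for line in text.splitlines())


# Constructed sample: the page's two examples plus a rule that must not change.
SAMPLE = """# port-forward external 11111 to an internal ssh server
ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all
ACCEPT\tloc\tfw::3128\ttcp\t80\t-\tall
ACCEPT\tloc\tfw\ttcp\t22
"""

if __name__ == "__main__":
    print(convert_rules_file(SAMPLE))
```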
                                    
<h3 align="left">Version &gt;= 1.3.2</h3>
                                    
<p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications
should be modified accordingly.</p>
                           
<p><font size="2">Last updated 11/09/2002 - <a href="support.htm">Tom Eastep</a></font></p>

<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
</body>
</html>