Upgrade Issues |
For upgrade instructions see the Install/Upgrade page.
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
In this case, the second entry in /etc/shorewall/masq is no longer required.Example 2-- What if your current configuration is like this?
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
In this case, you would want to change the entry in /etc/shorewall/masq to:
#INTERFACE SUBNET ADDRESSVersion 1.3.14 also introduced simplified ICMP echo-request (ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf is used to specify that the old (pre-1.3.14) ping handling is to be used (If the option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the old handling indefinitely so I urge current users to migrate to using the new handling as soon as possible. See the 'Ping' handling documentation for details.
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
If you have a pair of firewall systems configured for failover or if you have asymmetric routing, you will need to modify your firewall setup slightly under Shorewall versions >= 1.3.8. Beginning with version 1.3.8, you must set NEWNOTSYN=Yes in your /etc/shorewall/shorewall.conf file.
Users specifying ALLOWRELATED=No in /etc/shorewall.conf will need to include the following rules in their /etc/shorewall/icmpdef file (creating this file if necessary):
run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" command from that file since the icmp.def file is now empty.
To properly upgrade with Shorewall version 1.3.3 and later:
The .lrp that I release isn't set up for a two-interface firewall like Jacques's. You need to follow the instructions for setting up a two-interface firewall plus you also need to add the following two Bering-specific rules to /etc/shorewall/rules:
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
If you have a pair of firewall systems configured for failover or if you have asymmetric routing, you will need to modify your firewall setup slightly under Shorewall versions 1.3.6 and 1.3.7
Create the file /etc/shorewall/newnotsyn and in it add
the following rule
run_iptables -A newnotsyn -j RETURN
# So that the connection tracking table can be rebuilt
# from non-SYN
packets after takeover.
Create /etc/shorewall/common (if you don't already
have that file) and include the following:
run_iptables -A common -p tcp --tcp-flags
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection
#tracking table.
. /etc/shorewall/common.def
Some forms of pre-1.3.0 rules file syntax are no longer supported.
Example 1:
ACCEPT net loc:192.168.1.12:22 tcp 11111 - all
Must be replaced with:
DNAT net loc:192.168.1.12:22 tcp 11111
Example 2:
ACCEPT loc fw::3128 tcp 80 - all
Must be replaced with:
REDIRECT loc 3128 tcp 80
The functions and versions files together with the 'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. If you have applications that access these files, those applications should be modified accordingly.
Last updated 2/14/2003 - Tom Eastep
Copyright
© 2001, 2002, 2003 Thomas M. Eastep.