Upgrade Issues

For upgrade instructions see the Install/Upgrade page.

Version >= 1.3.8

If you have a pair of firewall systems configured for failover or if you have asymmetric routing, you will need to modify your firewall setup slightly under Shorewall versions >= 1.3.8. Beginning with version 1.3.7, you must set NEWNOTSYN=Yes in your /etc/shorewall/shorewall.conf file.

Version >= 1.3.7

Users specifying ALLOWRELATED=No in /etc/shorewall/shorewall.conf will need to include the following rules in their /etc/shorewall/icmpdef file (creating this file if necessary):

	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT

Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" command from that file since the icmp.def file is now empty.
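The two preceding sections (NEWNOTSYN for failover or asymmetric routing, and the ICMP rules required when ALLOWRELATED=No) are easy to miss during an upgrade. The following pre-upgrade check is an added example for this page, not part of Shorewall: it parses a shorewall.conf (shell-style NAME=value lines) and an optional icmpdef file and reports which of the steps above still apply. The `failover` flag, the function names and the sample inputs are assumptions constructed for the example.

```python
"""Pre-upgrade check for the Shorewall 1.3.7 / 1.3.8 items described above.

Added example for this page; not part of Shorewall.  It reads a
shorewall.conf and an optional /etc/shorewall/icmpdef and reports which of
the upgrade steps still apply.  The sample inputs at the bottom are constructed.
"""
import re

# ICMP types that the 1.3.7 notes require in icmpdef when ALLOWRELATED=No
REQUIRED_ICMP_TYPES = (
    "echo-reply",
    "source-quench",
    "destination-unreachable",
    "time-exceeded",
    "parameter-problem",
)


def parse_conf(text):
    """Parse shell-style NAME=value lines; comments and surrounding quotes are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z_][A-Za-z0-9_]*)=(.*)", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings


def icmp_types_accepted(icmpdef_text):
    """Collect the --icmp-type values that icmpdef explicitly ACCEPTs."""
    return set(re.findall(r"--icmp-type\s+(\S+).*?-j\s+ACCEPT", icmpdef_text))


def upgrade_advice(conf_text, icmpdef_text=None, failover=False):
    """Return a list of outstanding upgrade steps, empty when nothing is needed.

    failover: True when this host is one of a failover pair or sees
    asymmetric routing (assumption: the caller knows this, the conf does not).
    """
    settings = parse_conf(conf_text)
    advice = []
    # Failover / asymmetric routing: NEWNOTSYN=Yes is mandatory
    if failover and settings.get("NEWNOTSYN", "").lower() != "yes":
        advice.append("NEWNOTSYN: set NEWNOTSYN=Yes in /etc/shorewall/shorewall.conf")
    # ALLOWRELATED=No: the ICMP replies must be accepted explicitly in icmpdef
    if settings.get("ALLOWRELATED", "").lower() == "no":
        have = icmp_types_accepted(icmpdef_text or "")
        missing = [t for t in REQUIRED_ICMP_TYPES if t not in have]
        if missing:
            advice.append("ICMPDEF: add ACCEPT rules for " + ", ".join(missing))
    # icmp.def is now empty, so sourcing it from icmpdef can be dropped
    if icmpdef_text and re.search(r"^\s*\.\s+/etc/shorewall/icmp\.def\b", icmpdef_text, re.M):
        advice.append("ICMPDEF: drop the '. /etc/shorewall/icmp.def' line (icmp.def is now empty)")
    return advice


if __name__ == "__main__":
    # Constructed sample files, not taken from a real system
    sample_conf = "# constructed shorewall.conf\nSTARTUP_ENABLED=Yes\nNEWNOTSYN=No\nALLOWRELATED=No\n"
    sample_icmpdef = (
        ". /etc/shorewall/icmp.def\n"
        "run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT\n"
    )
    for item in upgrade_advice(sample_conf, sample_icmpdef, failover=True):
        print(item)
```

Run it against copies of the real files before the upgrade; an empty result means neither of the two sections above requires action on that host.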

Upgrading Bering to Shorewall >= 1.3.3

To properly upgrade with Shorewall version 1.3.3 and later:

  1. Be sure you have a backup -- you will need to transcribe any Shorewall configuration changes that you have made to the new configuration.
  2. Replace the shorwall.lrp package provided on the Bering floppy with the later one. If you did not obtain the later version from Jacques's site, see additional instructions below.
  3. Edit the /var/lib/lrpkg/root.exclude.list file and remove the /var/lib/shorewall entry if present. Then do not forget to back up root.lrp!

The .lrp that I release isn't set up for a two-interface firewall like Jacques's. You need to follow the instructions for setting up a two-interface firewall, and you also need to add the following two Bering-specific rules to /etc/shorewall/rules:

# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80

Versions 1.3.6 and 1.3.7

If you have a pair of firewall systems configured for failover or if you have asymmetric routing, you will need to modify your firewall setup slightly under Shorewall versions 1.3.6 and 1.3.7.

  1. Create the file /etc/shorewall/newnotsyn and in it add the following rule:

    run_iptables -A newnotsyn -j RETURN # So that the connection tracking table can be rebuilt
                                        # from non-SYN packets after takeover.

  2. Create /etc/shorewall/common (if you don't already have that file) and include the following:

    run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT # Accept ACKs to rebuild connection
                                                                        # tracking table.
    . /etc/shorewall/common.def

Versions >= 1.3.5

Some forms of pre-1.3.0 rules file syntax are no longer supported.

Example 1:

	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all

Must be replaced with:

	DNAT	net	loc:192.168.1.12:22	tcp	11111

Example 2:

	ACCEPT	loc	fw::3128	tcp	80	-	all

Must be replaced with:

	REDIRECT	loc	3128	tcp	80
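Rewriting these by hand is error-prone in a long rules file, so here is an added example converter for this page (not Shorewall's own code). It assumes the old seven-column layout ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST, in which port forwarding was written as ACCEPT with DEST of the form zone:address:port and ORIGINAL DEST all, exactly as in the two examples above. It generalises them slightly: a zone::port DEST with an empty address becomes REDIRECT, a DEST with an address becomes DNAT, a SOURCE PORT other than "-" is carried over, and anything it does not recognise is left unchanged for manual review. The function names and sample rules are constructed for the example.

```python
"""Rewrite pre-1.3.0 Shorewall rules into the 1.3.5+ DNAT/REDIRECT syntax.

Added example for this page, not Shorewall's own code.  Assumes the old
seven-column layout ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST,
with port forwarding written as ACCEPT, DEST = zone:address:port, ORIGINAL-DEST = all.
"""

OLD_PORT_FORWARD_COLUMNS = 7


def convert_rule(line):
    """Return the 1.3.5+ form of one rules-file line, or the line unchanged.

    Only ACCEPT rules whose DEST is zone:address:port with ORIGINAL DEST 'all'
    are rewritten; comments, blank lines and ordinary rules pass through.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line
    cols = stripped.split()
    if len(cols) != OLD_PORT_FORWARD_COLUMNS or cols[0] != "ACCEPT" or cols[6] != "all":
        return line
    _action, source, dest, proto, dport, sport, _origdest = cols
    if dest.count(":") != 2:
        return line  # not a port-forwarding DEST
    zone, address, port = dest.split(":")
    if address == "":
        # zone::port with an empty address meant "to the firewall itself";
        # the 1.3.5+ spelling is REDIRECT with the local port as column 3
        if zone != "fw":
            return line  # unexpected form: leave it for manual review
        new = ["REDIRECT", source, port, proto, dport]
    else:
        new = ["DNAT", source, dest, proto, dport]
    if sport != "-":
        new.append(sport)  # assumption: an explicit SOURCE PORT is preserved
    return "\t".join(new)


def convert_rules(text):
    """Convert a whole rules file; returns (new_text, number_of_rewritten_lines)."""
    out = []
    changed = 0
    for line in text.splitlines():
        new = convert_rule(line)
        if new != line:
            changed += 1
        out.append(new)
    trailing = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailing, changed


if __name__ == "__main__":
    # Constructed sample rules file using the two forms shown on this page
    sample = (
        "# old-style port forwarding\n"
        "ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all\n"
        "ACCEPT\tloc\tfw::3128\ttcp\t80\t-\tall\n"
        "ACCEPT loc fw udp 53\n"
    )
    converted, count = convert_rules(sample)
    print(converted, end="")
    print(f"# {count} rule(s) rewritten")
```

Review the output before installing it as /etc/shorewall/rules; the converter only touches lines that match the old port-forwarding shape and reports how many it changed.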

Version >= 1.3.2

The functions and versions files together with the 'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. If you have applications that access these files, those applications should be modified accordingly.

Last updated 9/28/2002 - Tom Eastep

Copyright © 2001, 2002 Thomas M. Eastep.