Shorewall Installation and Upgrade Tom Eastep 2001- 2006 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. This article applies to Shorewall 3.0 and later. If you are installing or upgrading to a version of Shorewall earlier than Shorewall 3.0.0 then please see the documentation for that release. Before attempting installation, I strongly urge you to read and print a copy of the Shorewall QuickStart Guide for the configuration that most closely matches your own. Before upgrading, be sure to review the Upgrade Issues. Shorewall RPMs are signed. To avoid warnings such as the followingwarning: shorewall-3.2.1-1.noarch.rpm: V3 DSA signature: NOKEY, key ID 6c562ac4 download the Shorewall GPG key and run this command: rpm --import shorewall.gpg.key
Install using RPM To install Shorewall using the RPM: Be sure that you have the correct RPM package! The standard RPM package from shorewall.net and the mirrors is known to work with SUSE, Power PPC, Trustix and TurboLinux. There is also an RPM package provided by Simon Matter that is tailored for RedHat/Fedora and another package from Jack Coates that is customized for Mandriva. All of these are available from the download page. If you try to install the wrong package, it probably won't work. If you are installing Shorewall 4.0.0 or later then you need to install at least two packages. Either Shorewall-shell (the classic shell-based configuration compiler) and/or Shorewall-perl (the newer and faster compiler written in Perl). Shorewall-common If you are installing Shorewall for the first time, we strongly suggest that you install Shorewall-perl. Install the RPMs rpm -ivh <compiler rpm> ... <shorewall-common rpm> Some users are in the habit of using the rpm -U command for installing packages as well as for updating them. If you use that command when installing the Shorewall RPM then you will have to manually enable Shorewall startup at boot time by running chkconfig, insserv or whatever utility you use to manipulate you init symbolic links. Some SUSE users have encountered a problem whereby rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel is installed. If this happens, simply use the --nodeps option to rpm. rpm -ivh --nodeps <rpms> Shorewall is dependent on the iproute package. Unfortunately, some distributions call this package iproute2 which will cause the installation of Shorewall to fail with the diagnostic: error: failed dependencies:iproute is needed by shorewall-3.2.x-1 This problem should not occur if you are using the correct RPM package (see 1., above) but may be worked around by using the --nodeps option of rpm. rpm -ivh --nodeps <rpms> Example:rpm -ivh shorewall-perl-4.0.0-1.noarch.rpm shorewall-common-4.0.0-1.noarch.rpm Simon Matter names his 'common' rpm 'shorewall' rather than 'shorewall-common'. So if you are installing his RPMs, the command would be:rpm -ivh shorewall-perl-4.0.0-1.noarch.rpm shorewall-4.0.0-1.noarch.rpm Edit the configuration files to match your configuration. YOU CAN NOT SIMPLY INSTALL THE RPM AND ISSUE A shorewall start COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A start COMMAND AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A shorewall clear COMMAND TO RESTORE NETWORK CONNECTIVITY. Enable startup by editing /etc/shorewall/shorewall.conf and set STARTUP_ENABLED to Yes). Start the firewall by typing shorewall start
Install using tarball If you are installing Shorewall 4.0.0 or later then you need to install at least two packages. Either Shorewall-shell (the classic shell-based configuration compiler) and/or Shorewall-perl (the newer and faster compiler written in Perl). Shorewall-common If you are installing Shorewall for the first time, we strongly suggest that you install Shorewall-perl. To install Shorewall-perl and Shorewall-common using the tarball and install scripts: unpack the tarballs:tar -jxf shorewall-common-4.0.0.tar.bz2 tar -jxf shorewall-perl-4.0.0.tar.bz2 cd to the shorewall-perl directory (the version is encoded in the directory name as in shorewall-perl-4.0.0). Type: ./install.sh cd to the shorewall-common directory (the version is encoded in the directory name as in shorewall-common-4.0.0) Type: ./install.sh Edit the configuration files to match your configuration. Enable Startup by editing /etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes. Start the firewall by typing shorewall start If the install script was unable to configure Shorewall to be started automatically at boot, see these instructions.
Install the .deb Once you have installed the .deb packages and before you attempt to configure Shorewall, please heed the advice of Lorenzo Martignoni, the Shorewall Debian Maintainer: For more information about Shorewall usage on Debian system please look at /usr/share/doc/shorewall-common/README.Debian provided by [the] shorewall-common Debian package. The easiest way to install Shorewall on Debian, is to use apt-get. First, to ensure that you are installing the latest version of Shorewall, please modify your /etc/apt/preferences: Package: shorewall Pin: release o=Debian,a=testing Pin-Priority: 700 Package: shorewall-doc Pin: release o=Debian,a=testing Pin-Priority: 700Then run:# apt-get update # apt-get install shorewall Once you have completed configuring Shorewall, you can enable startup at boot time by setting startup=1 in /etc/default/shorewall.
General Notes about Upgrading Shorewall Most problems associated with upgrades come from two causes: The user didn't read and follow the migration considerations in the release notes (these are also reproduced in the Shorewall Upgrade Issues). The user mis-handled the /etc/shorewall/shorewall.conf file during upgrade. Shorewall is designed to allow the default behavior of the product to evolve over time. To make this possible, the design assumes that you will not replace your current shorewall.conf file during upgrades. It is recommended that after you first install Shorewall that you modify /etc/shorewall/shorewall.conf so as to prevent your package manager from overwriting it during subsequent upgrades (since the addition of STARTUP_ENABLED, such modification is assured since you must manually change the setting of that option). If you feel absolutely compelled to have the latest comments and options in your shorewall.conf then you must proceed carefully. You should determine which new options have been added and you must reset their value (e.g. OPTION=""); otherwise, you will get different behavior from what you expect.
Upgrade using RPM If you already have the Shorewall RPM installed and are upgrading to a new version: Be sure that you have the correct RPM package! The standard RPM package from shorewall.net and the mirrors is known to work with SUSE, Power PPC, Trustix and TurboLinux. There is also an RPM package provided by Simon Matter that is tailored for RedHat/Fedora and another package from Jack Coates that is customized for Mandriva. If you try to upgrade using the wrong package, it probably won't work. Simon Matter names his 'common' rpm 'shorewall' rather than 'shorewall-common'. If you are upgrading from a 2.x or 3.x version to a 4.x version or later, please see the upgrade issues for specific instructions. Upgrade the RPM rpm -Uvh <compiler rpm file> ... <shorewall-common rpm file> Some SUSE users have encountered a problem whereby rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel is installed. If this happens, simply use the --nodeps option to rpm. rpm -Uvh --nodeps <shorewall-common rpm> <compiler rpm> ... Shorewall is dependent on the iproute package. Unfortunately, some distributions call this package iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic: error: failed dependencies:iproute is needed by shorewall-3.2.1-1 This may be worked around by using the --nodeps option of rpm. rpm -Uvh --nodeps <shorewall rpm> <compiler-rpm> ... See if there are any incompatibilities between your configuration and the new Shorewall version and correct as necessary. shorewall check Restart the firewall. shorewall restart
Upgrade using tarball If you are upgrading from a 2.x or 3.x version to a 4.x version or later, please see the upgrade issues for specific instructions. If you already have Shorewall installed and are upgrading to a new version using the tarball: unpack the tarballs:tar -jxf shorewall-common-4.0.0.tar.bz2 tar -jxf shorewall-perl-4.0.0.tar.bz2 tar -jxf shorewall-shell-4.0.0.tar.bz2 (if you use this compiler) cd to the shorewall-perl directory (the version is encoded in the directory name as in shorewall-perl-4.0.0). Type: ./install.sh Perform the above two steps for the shorewall-shell directory if you use that compiler. cd to the shorewall-common directory (the version is encoded in the directory name as in shorewall-perl-4.0.0) Type: ./install.sh See if there are any incompatibilities between your configuration and the new Shorewall version and correct as necessary. shorewall check Start the firewall by typing shorewall start If the install script was unable to configure Shorewall to be started automatically at boot, see these instructions.
Upgrading the .deb When the installer asks if you want to replace /etc/shorewall/shorewall.conf with the new version, we strongly advise you to say No. See above.
Upgrade the .lrp The following was contributed by Charles Steinkuehler on the Leaf mailing list:
It's *VERY* simple...just put in a new CD and reboot!  :-) Actually, I'm only slightly kidding...that's exactly how I upgrade my production firewalls.  The partial backup feature I added to Dachstein allows configuration data to be stored separately from the rest of the package. Once the config data is separated from the rest of the package, it's an easy matter to upgrade the package while keeping your current configuration (in my case, just inserting a new CD and re-booting). Users who aren't running with multiple package paths and using partial backups can still upgrade a package, it just takes a bit of extra work.  The general idea is to use a partial backup to save your configuration, replace the package, and restore your old configuration files. Step-by-step instructions for one way to do this (assuming a conventional single-floppy LEAF system) would be: Make a backup copy of your firewall disk ('NEW').  This is the disk you will add the upgraded package(s) to. Format a floppy to use as a temporary location for your configuration file(s) ('XFER').  This disk should have the same format as your firewall disk (and could simply be another backup copy of your current firewall). Make sure you have a working copy of your existing firewall ('OLD') in a safe place, that you *DO NOT* use during this process. That way, if anything goes wrong you can simply reboot off the OLD disk to get back to a working configuration. Remove your current firewall configuration disk and replace it with the XFER disk. Use the lrcfg backup menu to make a partial backup of the package(s) you want to upgrade, being sure to backup the files to the XFER disk.  From the backup menu: t e <enter> p <enter> b <package1> <enter> b <package2> <enter> ... Download and copy the package(s) you want to upgrade onto the NEW disk. Reboot your firewall using the NEW disk...at this point your upgraded packages will have their default configuration. Mount the XFER disk (mount -t msdos /dev/fd0u1680 /mnt) CD to the root directory (cd /) Manually extract configuration data for each package you upgraded: tar -xzvf /mnt/package1.lrp tar -xzvf /mnt/package2.lrp ... Unmount (umount /mnt) and remove the XFER disk Using lrcfg, do *FULL* backups of your upgraded packages. Reboot, verifying the firewall works as expected.  Some configuration files may need to be 'tweaked' to work properly with the upgraded package binaries. The new package file <package>.local can be used to fine-tune which files are included (and excluded) from the partial backup (see the Dachstein-CD README for details).  If this file doesn't exist, the backup scripts assume anything from the <package>.list file that resides in /etc or /var/lib/lrpkg is part of the configuration data and is used to create the partial backup.  If shorewall puts anything in /etc that isn't a user modified configuration file, a proper shorewall.local file should be created prior to making the partial backup [Editor's note: Shorewall places only user-modifiable files in /etc]. It's obviously possible to do the above 'in-place', without using multiple disks, and even without making a partial backup (ie: copy current config files to /tmp, manually extract new package on top of current running firewall, then copy or merge config data from /tmp and backup...or similar), but anyone capable of that level of command line gymnastics is probably doing it already, without needing detailed instructions! :-)
For information on other LEAF/Bering upgrade tools, check out this article by Alex Rhomberg.
Configuring Shorewall You will need to edit some or all of the configuration files to match your setup. In most cases, the Shorewall QuickStart Guides contain all of the information you need.
Uninstall/Fallback See Fallback and Uninstall.