Shorewall Lite 3.2.0 RC 2

Problems Corrected in 3.2.0 RC 2

1)  The treatment of IPTABLES and LOGFORMAT has been clarified with
    respect to Shorewall Lite.

    If these options are set in the shorewall.conf file used at compile
    time, then the generated firewall script will use those values.
    /sbin/shorewall on the firewall system will use the corresponding
    values from /etc/shorewall/shorewall.conf on that system.

    If the values are not given in shorewall.conf at compile time then
    the values in /etc/shorewall/shorewall.conf on the firewall system
    will be used by the generated firewall script.

    To take advantage of this change, both the administrative system
    and the firewall system(s) must be running RC2 or later.

Other changes in 3.2.0 RC 2

1)  The shorecap program now gets its version from the
    /usr/share/shorewall/version file.

2)  The output of "shorewall version" on Shorewall Lite systems now
    includes " Lite" after the version number.

    Example:

        wireless:~ # shorewall version
        3.2.0-RC1 Lite
        wireless:~ #

3)  It is now possible to have both Shorewall and Shorewall Lite
    installed on the same system if you use RPM.

    Regardless of whether you use RPM or the installer, Shorewall Lite
    directory names have been changed from 'shorewall' to
    'shorewall-lite':

        /etc/shorewall       -> /etc/shorewall-lite
        /usr/share/shorewall -> /usr/share/shorewall-lite
        /var/lib/shorewall   -> /var/lib/shorewall-lite

    If you use the RPMs, whichever package is installed first will
    determine which package /sbin/shorewall invokes.
    /sbin/shorewall is now a symbolic link created by 'rpm':

        Shorewall:      /sbin/shorewall points to
                        /usr/share/shorewall/shorewall
        Shorewall Lite: /sbin/shorewall points to
                        /usr/share/shorewall/shorewall-lite

    You may use the 'ln -sf' command to change from one to the other:

    To use 'Shorewall' rather than 'Shorewall Lite':

        ln -sf /usr/share/shorewall/shorewall /sbin/shorewall

    To use 'Shorewall Lite' rather than 'Shorewall':

        ln -sf /usr/share/shorewall-lite/shorewall /sbin/shorewall

New Features:

Shorewall Lite is a companion product to Shorewall and is designed to
allow you to maintain all Shorewall configuration information on a
single system within your network.

a)  You install the full Shorewall release on one system within your
    network. You need not configure Shorewall there and you may totally
    disable startup of Shorewall in your init scripts. For ease of
    reference, we call this system the 'administrative system'.

b)  On each system where you wish to run a Shorewall-generated
    firewall, you install Shorewall Lite. For ease of reference, we
    will call these systems the 'firewall systems'.

c)  On the administrative system you create a separate 'configuration
    directory' for each firewall system. You copy the contents of
    /usr/share/shorewall/configfiles into each configuration directory.

d)  On each firewall system, you run:

        /usr/share/shorewall/shorecap > capabilities
        scp capabilities :

e)  On the administrative system, for each firewall system you:

    1)  modify the files in the corresponding configuration directory
        appropriately.

    2)  (this may be done as a non-root user)

            cd
            /sbin/shorewall compile -e . firewall
            scp firewall root@:/usr/share/shorewall/

    3)  On the firewall system, 'shorewall start'.
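
The IPTABLES/LOGFORMAT rule from item 1 under "Problems Corrected",
modelled as an added shell sketch (not code from Shorewall). The
function names, the sample file contents and the choice to treat an
empty setting as "not given" are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not Shorewall code: which IPTABLES / LOGFORMAT value
# is in effect on a firewall system under the RC2 rule described above.

# Print the value of option $1 from the shorewall.conf-style file $2.
# The last assignment wins; surrounding double quotes are removed.
# Prints an empty string when the option is absent or set to nothing.
conf_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Print the value a consumer on the firewall system ends up using.
#   $1 = consumer: "script" (generated firewall script) or
#        "cli" (/sbin/shorewall on the firewall system)
#   $2 = option name
#   $3 = shorewall.conf used at compile time (administrative system)
#   $4 = shorewall.conf on the firewall system
effective_setting() {
    compiled=$(conf_value "$2" "$3")
    local_value=$(conf_value "$2" "$4")
    case $1 in
        script)
            # Compile-time value if given, else the firewall system's value.
            # Assumption: an empty setting counts as "not given".
            if [ -n "$compiled" ]; then
                printf '%s\n' "$compiled"
            else
                printf '%s\n' "$local_value"
            fi ;;
        cli)
            # /sbin/shorewall always reads the firewall system's own file.
            printf '%s\n' "$local_value" ;;
        *)
            echo "unknown consumer: $1" >&2
            return 1 ;;
    esac
}

# Constructed sample files: the administrative system sets only LOGFORMAT.
tmp=$(mktemp -d)
printf '%s\n' 'IPTABLES=' 'LOGFORMAT="FW:%s:%s:"' > "$tmp/admin.conf"
printf '%s\n' 'IPTABLES=/usr/sbin/iptables' 'LOGFORMAT="Shorewall:%s:%s:"' > "$tmp/fw.conf"

for opt in IPTABLES LOGFORMAT; do
    printf '%-9s script=%s cli=%s\n' "$opt" \
        "$(effective_setting script "$opt" "$tmp/admin.conf" "$tmp/fw.conf")" \
        "$(effective_setting cli "$opt" "$tmp/admin.conf" "$tmp/fw.conf")"
done
```

With these sample files the generated script and /sbin/shorewall
disagree on LOGFORMAT, which matters when log parsing or alerting on
the firewall system keys on the log prefix.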