extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-15 04:04:10 +01:00
Code Issues Packages Projects Releases Wiki Activity
183c4287ae
shorewall_code/Shorewall/releasenotes.txt
teastep 183c4287ae Update release documentation for 3.1.0 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3247 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2006-01-07 17:33:10 +00:00

92 lines
3.7 KiB
Plaintext
Executable File
Raw Blame History

Shorewall 3.1.0
Note to users upgrading from Shorewall 2.x or 3.0
Most problems associated with upgrades come from two causes:
- The user didn't read and follow the migration considerations in these
release notes.
- The user mis-handled the /etc/shorewall/shorewall.conf file during
upgrade. Shorewall is designed to allow the default behavior of
the product to evolve over time. To make this possible, the design
assumes that you will not replace your current shorewall.conf file
during upgrades. If you feel absolutely compelled to have the latest
comments and options in your shorewall.conf then you must proceed
carefully.
While you are at it, if you have a file named /etc/shorewall/rfc1918 then
please check that file. If it has addresses listed that are NOT in one of
these three ranges, then please rename the file to /etc/shorewall/rfc1918.old.
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Please see the "Migration Considerations" below for additional upgrade
information.
Problems corrected in 3.1.0
1) If /etc/shorewall/ipsets exists, it is processed during [re]start but not
during 'shorewall restore'.
Migration Considerations:
1) The dynamic zone capability has been removed from Shorewall. Based on when
ipsets are made a standard part of the Linux kernels from kernel.org, dynamic
zones may be restored prior to the release of Shorewall 3.2.
New Features:
1) A new 'shorewall generate' command has been added.
shorewall [ -q ] generate [ <config directory> ] <script file>
where:
-q Suppresses many of the progress messages
<config directory> Is an optional directory to be searched for
configuration files prior to those listed
in CONFIG_DIR in /etc/shorewall/shorewall.conf.
<script file> Is the name of the output file. If a simple
filename is given, the file will be created in
/var/lib/shorewall.
The 'generate' command processes the configuration and writes a script file
which may then be executed (either directly or using the 'shorewall restore'
command) to configure the firewall.
WARNING: The generated script HAS ABSOLUTELY NO ERROR CHECKING so if there
are errors in your configuration files that result in errors when
the script is run then you may not be able to access your firewall
or your firewall may have security holes.
Given the above warning, I recommend that you use 'generate' when making
simple changes to your configuration but that you continue to use 'restart'
for complex changes.
Some additional considerations:
a) All 'detect' operations are done at the time that the 'generate' command
is run. So it is generally not possible to run 'generate' on one system
then move the generated script to another system.
b) If you have extension scripts, they may need modification. The scripts
will be run at generation time, rather than when the generated script
is executed. The standard functions like 'run_iptables' and
'log_rule_limit' will write the iptables command to the script file
rather than executing the command. As always, you can check $COMMAND
to determine which shorewall command is being executed.
In addition to 'generate', a 'shorewall reload' command has been added.
shorewall [ -q ] reload [ <config directory>
where -q and <config directory> are as above.
The 'reload' command creates a script using 'generate' and if there are
no errors, it then restores that script. It is equivalent to:
if shorewall generate <temp file>; then restore <tempfile>; fi
Reference in New Issue View Git Blame Copy Permalink