mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-17 05:03:17 +01:00
61299557a9
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9299 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
239 lines
7.8 KiB
XML
239 lines
7.8 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Shorewall Version 4</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
|
|
|
<copyright>
|
|
<year>2007</year>
|
|
|
|
<year>2009</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section id="Intro">
|
|
<title>Introduction</title>
|
|
|
|
<para>Shorewall version 4 represents a substantial shift in direction for
|
|
Shorewall. Up to now</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Shorewall has been written entirely in Bourne Shell.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Shorewall has run the <command>iptables</command> utility to add
|
|
each Netfilter rule.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Shorewall version 4 offers you a choice. You can continue to use the
|
|
existing shell-based implementation or you can use a new implementation of
|
|
the Shorewall compiler written in the Perl programming language. The new
|
|
compiler:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>has a small disk footprint</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>is very fast.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>generates a firewall script that uses
|
|
<command>iptables-restore</command>; so the script is very
|
|
fast.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>generates better and more consistent error messages.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>does a much more thorough job of checking the configuration to
|
|
avoid run-time errors.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>supports creating either Ipv4 or Ipv6 firewalls (Shorewall 4.2.4
|
|
and later).</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Both compilers may be installed on your system and you can use
|
|
whichever one suits you in a particular case.</para>
|
|
</section>
|
|
|
|
<section id="Install">
|
|
<title>Installing Shorewall Version 4</title>
|
|
|
|
<para>Shorewall 4 contains six packages:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">Shorewall-shell</emphasis> - the old
|
|
shell-based compiler and related components.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Shorewall-perl</emphasis> - the new
|
|
Perl-based compiler.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Shorewall-common</emphasis> - the part of
|
|
Shorewall common to both compilers.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Shorewall-lite</emphasis>- same as the 3.4
|
|
version of Shorewall Lite. Can run scripts generated by either
|
|
Shorewall-perl or Shorewall-shell.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Shorewall6</emphasis> - The utilities for
|
|
creating and operating an Ipv6 firewall. Requires Shorewall-perl and
|
|
Shorewall-common.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Shorewall6-lite</emphasis> - Ipv6
|
|
equivalent of Shorewall Lite. Can run scripts generated by
|
|
Shoreall-perl 4.2.4 and later.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>If you upgrade to Shorewall Version 4, you must install
|
|
Shorewall-shell and/or Shorewall-perl; in fact, if you are using the
|
|
tarball for your installation, you must install Shorewall-shell and/or
|
|
Shorewall-perl <emphasis role="bold">before</emphasis> you upgrade
|
|
Shorewall. See the <ulink url="upgrade_issues.htm">upgrade issues</ulink>
|
|
for details.</para>
|
|
</section>
|
|
|
|
<section id="Prereqs">
|
|
<title>Prerequisites for using the Shorewall Version 4 Perl-based
|
|
Compiler</title>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Perl (I use Perl 5.8.8 but other 5.8 versions should work fine).
|
|
<note>
|
|
<para>If you want to be able to use DNS names in your Shorewall6
|
|
configuration files, then Perl 5.10 is required together with the
|
|
Perl <emphasis role="bold">Socket6</emphasis> module.</para>
|
|
</note></para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Perl <emphasis role="bold">Cwd</emphasis> Module</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Perl <emphasis role="bold">File::Basename</emphasis>
|
|
Module</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Perl <emphasis role="bold">File::Temp</emphasis> Module</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Perl <emphasis role="bold">Getopt::Long</emphasis> Module</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Perl <emphasis role="bold">Carp</emphasis> Module</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Perl <emphasis role="bold">FindBin</emphasis> Module (Shorewall
|
|
4.0.3 and later)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Perl <emphasis role="bold">Scalar::Util </emphasis>Module
|
|
(Shorewall 4.0.6 and later)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section id="Incompatibilities">
|
|
<title>Incompatibilities Introduced in the Shorewall Version 4 Perl-based
|
|
Compiler</title>
|
|
|
|
<para>The Shorewall-perl compiler is not 100% compatible with the
|
|
Shorewall-shell version. See <ulink url="Shorewall-perl.html">this
|
|
document</ulink> for details.</para>
|
|
</section>
|
|
|
|
<section id="CompilerSelection">
|
|
<title>Compiler Selection</title>
|
|
|
|
<para>If you only install one compiler, then that compiler will be
|
|
used.</para>
|
|
|
|
<para>If you install both compilers, then the compiler actually used for
|
|
IPv4 depends on the SHOREWALL_COMPILER setting in
|
|
<filename>shorewall.conf</filename>.</para>
|
|
|
|
<para>The value of this new option can be either 'perl' or 'shell'.</para>
|
|
|
|
<para>If you add 'SHOREWALL_COMPILER=perl' to
|
|
<filename>/etc/shorewall/shorewall.conf</filename> then by default, the
|
|
new compiler will be used on the system. If you add it to
|
|
<filename>shorewall.conf</filename> in a separate directory (such as a
|
|
Shorewall-lite export directory) then the new compiler will only be used
|
|
when you compile from that directory.</para>
|
|
|
|
<para>If you only install one compiler, it is suggested that you do not
|
|
set SHOREWALL_COMPILER.</para>
|
|
|
|
<para>If both compilers are installed, you can select the compiler to use
|
|
on the command line using the 'C option:<simplelist>
|
|
<member>'-C shell' means use the shell compiler</member>
|
|
|
|
<member>'-C perl' means use the perl compiler</member>
|
|
</simplelist>The -C option overrides the setting in
|
|
shorewall.conf.</para>
|
|
|
|
<para>Example:<programlisting><command>shorewall restart -C perl</command></programlisting></para>
|
|
|
|
<para>When the Shorewall-perl compiler has been selected, the
|
|
<filename>params</filename> file is processed using the shell
|
|
<option>-a</option> option which causes all variables set within the file
|
|
to be exported automatically by the shell. The Shorewall-perl compiler
|
|
uses the current environmental variables to perform variable expansion
|
|
within the other Shorewall configuration files.</para>
|
|
</section>
|
|
</article>
|