mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-08 16:54:10 +01:00
8e49c10488
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1741 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
547 lines
20 KiB
XML
547 lines
20 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<article id="Install">
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Shorewall Installation and Upgrade</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate>2004-10-31</pubdate>
|
|
|
|
<copyright>
|
|
<year>2001</year>
|
|
|
|
<year>2002</year>
|
|
|
|
<year>2003</year>
|
|
|
|
<year>2004</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<warning>
|
|
<para><emphasis role="bold">Note to Debian Users</emphasis></para>
|
|
|
|
<para>If you install using the .deb, you will find that your <filename
|
|
class="directory">/etc/shorewall</filename> directory is empty. This is
|
|
intentional. The released configuration file skeletons may be found on
|
|
your system in the directory <filename
|
|
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
|
Simply copy the files you need from that directory to <filename
|
|
class="directory">/etc/shorewall</filename> and modify the copies.</para>
|
|
|
|
<para>Note that you must copy <filename
|
|
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
|
and /usr/share/doc/shorewall/default-config/modules to <filename
|
|
class="directory">/etc/shorewall</filename> even if you do not modify
|
|
those files.</para>
|
|
</warning>
|
|
|
|
<section id="Install_RPM">
|
|
<title>Install using RPM</title>
|
|
|
|
<important>
|
|
<para>Before attempting installation, I strongly urge you to read and
|
|
print a copy of the <ulink
|
|
url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
|
|
for the configuration that most closely matches your own.</para>
|
|
</important>
|
|
|
|
<para>To install Shorewall using the RPM:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Install the RPM</para>
|
|
|
|
<programlisting><command>rpm -ivh <shorewall rpm></command></programlisting>
|
|
|
|
<note>
|
|
<para>Some SuSE users have encountered a problem whereby rpm reports
|
|
a conflict with kernel <= 2.2 even though a 2.4 kernel is
|
|
installed. If this happens, simply use the --nodeps option to
|
|
rpm.</para>
|
|
|
|
<programlisting><filename><command>rpm -ivh --nodeps <shorewall rpm></command></filename></programlisting>
|
|
</note>
|
|
|
|
<note>
|
|
<para>Beginning with Shorewall 1.4.0, Shorewall is dependent on the
|
|
iproute package. Unfortunately, some distributions call this package
|
|
iproute2 which will cause the installation of Shorewall to fail with
|
|
the diagnostic:</para>
|
|
|
|
<programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.x-1</programlisting>
|
|
|
|
<para>This may be worked around by using the --nodeps option of
|
|
rpm.</para>
|
|
|
|
<programlisting><command>rpm -ivh --nodeps <shorewall rpm></command></programlisting>
|
|
</note>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Edit the <link linkend="Config_Files">configuration files</link>
|
|
to match your configuration.</para>
|
|
|
|
<warning>
|
|
<para>YOU CAN <emphasis role="bold">NOT</emphasis> SIMPLY INSTALL
|
|
THE RPM AND ISSUE A <quote>shorewall start</quote> COMMAND. SOME
|
|
CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU
|
|
ISSUE A <quote>start</quote> COMMAND AND THE FIREWALL FAILS TO
|
|
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF
|
|
THIS HAPPENS, ISSUE A <quote>shorewall clear</quote> COMMAND TO
|
|
RESTORE NETWORK CONNECTIVITY.</para>
|
|
</warning>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Enable startup by removing
|
|
<filename>/etc/shorewall/startup_disabled</filename> (If you are
|
|
running Shorewall 2.1.3 or later, edit
|
|
/<filename>etc/shorewall/shorewall.conf</filename> and set
|
|
STARTUP_ENABLED to Yes).</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Start the firewall by typing</para>
|
|
|
|
<programlisting><command>shorewall start</command></programlisting>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
|
|
<section id="Install_Tarball">
|
|
<title>Install using tarball</title>
|
|
|
|
<important>
|
|
<para>Before attempting installation, I strongly urge you to read and
|
|
print a copy of the <ulink
|
|
url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
|
|
for the configuration that most closely matches your own.</para>
|
|
</important>
|
|
|
|
<para>To install Shorewall using the tarball and install script:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>cd to the shorewall directory (the version is encoded in the
|
|
directory name as in <quote>shorewall-1.1.10</quote>).</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If you are running <ulink
|
|
url="http://www.slackware.com">Slackware</ulink>, you need Shorewall
|
|
2.0.2 RC1 or later. If you are installing a Shorewall version earlier
|
|
than 2.0.3 Beta 1 then you must also edit the install.sh file and
|
|
change the lines</para>
|
|
|
|
<programlisting>DEST="/etc/init.d"
|
|
INIT="shorewall"</programlisting>
|
|
|
|
<para>to</para>
|
|
|
|
<programlisting>DEST="/etc/rc.d"
|
|
INIT="rc.firewall"</programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If you are running Slackware and are installing Shorewall 2.0.3
|
|
Beta 1 or later, then type:</para>
|
|
|
|
<programlisting><emphasis role="bold">DEST=/etc/rc.d INIT=rc.firewall ./install.sh</emphasis></programlisting>
|
|
|
|
<para>Otherwise, type:</para>
|
|
|
|
<programlisting><command>./install.sh</command></programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Edit the <link linkend="Config_Files">configuration files</link>
|
|
to match your configuration.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Enable Startup:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Users running Shorewall 2.1.3 or later, edit
|
|
<filename>/etc/shorewall/shorewall.conf</filename> and set
|
|
STARTUP_ENABLED=Yes.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Users running Shorewall 2.1.2 or earlier and using the .deb
|
|
should edit <filename>/etc/default/shorewall</filename> and set
|
|
startup=1.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>All other users, remove the file
|
|
<filename>/etc/shorewall/startup_disabled</filename></para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Start the firewall by typing</para>
|
|
|
|
<programlisting><command>shorewall start</command></programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If the install script was unable to configure Shorewall to be
|
|
started automatically at boot, see <ulink
|
|
url="starting_and_stopping_shorewall.htm">these
|
|
instructions</ulink>.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
|
|
<section id="LRP">
|
|
<title>Install the .lrp</title>
|
|
|
|
<important>
|
|
<para>Before attempting installation, I strongly urge you to read and
|
|
print a copy of the <ulink
|
|
url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
|
|
for the configuration that most closely matches your own.</para>
|
|
</important>
|
|
|
|
<para>To install my version of Shorewall on a fresh Bering disk, simply
|
|
replace the <quote>shorwall.lrp</quote> file on the image with the file
|
|
that you downloaded. See the <ulink url="two-interface.htm">two-interface
|
|
QuickStart Guide</ulink> for information about further steps
|
|
required.</para>
|
|
</section>
|
|
|
|
<section id="Upgrade_RPM">
|
|
<title>Upgrade using RPM</title>
|
|
|
|
<important>
|
|
<para>Before upgrading, be sure to review the <ulink
|
|
url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
|
|
</important>
|
|
|
|
<para>If you already have the Shorewall RPM installed and are upgrading to
|
|
a new version:</para>
|
|
|
|
<important>
|
|
<para>If you are upgrading from a 1.2 version of Shorewall to a 1.4
|
|
version or and you have entries in the /etc/shorewall/hosts file then
|
|
please check your /etc/shorewall/interfaces file to be sure that it
|
|
contains an entry for each interface mentioned in the hosts file. Also,
|
|
there are certain 1.2 rule forms that are no longer supported under 1.4
|
|
(you must use the new 1.4 syntax). See <ulink
|
|
url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para>
|
|
</important>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Upgrade the RPM</para>
|
|
|
|
<programlisting><command>rpm -Uvh <shorewall rpm file></command></programlisting>
|
|
|
|
<note>
|
|
<para>Some SuSE users have encountered a problem whereby rpm reports
|
|
a conflict with kernel <= 2.2 even though a 2.4 kernel is
|
|
installed. If this happens, simply use the --nodeps option to
|
|
rpm.</para>
|
|
|
|
<programlisting><command>rpm -Uvh --nodeps <shorewall rpm></command></programlisting>
|
|
</note>
|
|
|
|
<note>
|
|
<para>Beginning with Shorewall 1.4.0, Shorewall is dependent on the
|
|
iproute package. Unfortunately, some distributions call this package
|
|
iproute2 which will cause the upgrade of Shorewall to fail with the
|
|
diagnostic:</para>
|
|
|
|
<programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.0-1</programlisting>
|
|
|
|
<para>This may be worked around by using the --nodeps option of
|
|
rpm.</para>
|
|
|
|
<programlisting><command>rpm -Uvh --nodeps <shorewall rpm></command></programlisting>
|
|
</note>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>See if there are any incompatibilities between your
|
|
configuration and the new Shorewall version and correct as
|
|
necessary.</para>
|
|
|
|
<programlisting><command>shorewall check</command></programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Restart the firewall.</para>
|
|
|
|
<programlisting><command>shorewall restart</command></programlisting>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
|
|
<section id="Upgrade_Tarball">
|
|
<title>Upgrade using tarball</title>
|
|
|
|
<important>
|
|
<para>Before upgrading, be sure to review the <ulink
|
|
url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
|
|
</important>
|
|
|
|
<para>If you already have Shorewall installed and are upgrading to a new
|
|
version using the tarball:</para>
|
|
|
|
<important>
|
|
<para>If you are upgrading from a 1.2 version of Shorewall to a 1.4
|
|
version and you have entries in the /etc/shorewall/hosts file then
|
|
please check your /etc/shorewall/interfaces file to be sure that it
|
|
contains an entry for each interface mentioned in the hosts file. Also,
|
|
there are certain 1.2 rule forms that are no longer supported under 1.4
|
|
(you must use the new 1.4 syntax). See <ulink
|
|
url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para>
|
|
</important>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>unpack the tarball.</para>
|
|
|
|
<programlisting><command>tar -zxf shorewall-x.y.z.tgz</command></programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>cd to the shorewall directory (the version is encoded in the
|
|
directory name as in <quote>shorewall-3.0.1</quote>).</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If you are running <ulink
|
|
url="http://www.slackware.com">Slackware</ulink>, you should use
|
|
Shorewall 2.0.2 RC1 or later. If you are installing a Shorewall
|
|
version earlier than 2.0.3 Beta 1 then you must also edit the
|
|
install.sh file and change the lines</para>
|
|
|
|
<programlisting>DEST="/etc/init.d"
|
|
INIT="shorewall"</programlisting>
|
|
|
|
<para>to</para>
|
|
|
|
<programlisting>DEST="/etc/rc.d"
|
|
INIT="rc.firewall"</programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If you are running Slackware and are installing Shorewall 2.0.3
|
|
Beta 1 or later, then type:</para>
|
|
|
|
<programlisting><emphasis role="bold">DEST=/etc/rc.d INIT=rc.firewall ./install.sh</emphasis></programlisting>
|
|
|
|
<para>Otherwise, type:</para>
|
|
|
|
<programlisting><command>./install.sh</command></programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>See if there are any incompatibilities between your
|
|
configuration and the new Shorewall version and correct as
|
|
necessary.</para>
|
|
|
|
<programlisting><command>shorewall check</command></programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Start the firewall by typing</para>
|
|
|
|
<programlisting><command>shorewall start</command></programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If the install script was unable to configure Shorewall to be
|
|
started automatically at boot, see <ulink
|
|
url="starting_and_stopping_shorewall.htm">these
|
|
instructions</ulink>.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
|
|
<section id="LRP_Upgrade">
|
|
<title>Upgrade the .lrp</title>
|
|
|
|
<important>
|
|
<para>Before upgrading, be sure to review the <ulink
|
|
url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
|
|
</important>
|
|
|
|
<para>The following was contributed by Charles Steinkuehler on the Leaf
|
|
mailing list:</para>
|
|
|
|
<blockquote>
|
|
<para>It's *VERY* simple...just put in a new CD and reboot! :-)
|
|
Actually, I'm only slightly kidding...that's exactly how I upgrade my
|
|
prodution firewalls. The partial backup feature I added to
|
|
Dachstein allows configuration data to be stored seperately from the
|
|
rest of the package.</para>
|
|
|
|
<para>Once the config data is seperated from the rest of the package,
|
|
it's an easy matter to upgrade the pacakge while keeping your current
|
|
configuration (in my case, just inserting a new CD and
|
|
re-booting).</para>
|
|
|
|
<para>Users who aren't running with multiple package paths and using
|
|
partial backups can still upgrade a package, it just takes a bit of
|
|
extra work. The general idea is to use a partial backup to save
|
|
your configuration, replace the package, and restore your old
|
|
configuration files. Step-by-step instructions for one way to do this
|
|
(assuming a conventional single-floppy LEAF system) would be:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Make a backup copy of your firewall disk ('NEW'). This
|
|
is the disk you will add the upgraded package(s) to.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Format a floppy to use as a temporary location for your
|
|
configuration file(s) ('XFER'). This disk should have the same
|
|
format as your firewall disk (and could simply be another backup
|
|
copy of your current firewall).</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Make sure you have a working copy of your existing firewall
|
|
('OLD') in a safe place, that you *DO NOT* use durring this process.
|
|
That way, if anything goes wrong you can simply reboot off the OLD
|
|
disk to get back to a working configuration.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Remove your current firewall configuration disk and replace it
|
|
with the XFER disk.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Use the lrcfg backup menu to make a partial backup of the
|
|
package(s) you want to upgrade, being sure to backup the files to
|
|
the XFER disk. From the backup menu:</para>
|
|
|
|
<programlisting>t e <enter> p <enter>
|
|
b <package1> <enter>
|
|
b <package2> <enter>
|
|
...</programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Download and copy the package(s) you want to upgrade onto the
|
|
NEW disk.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Reboot your firewall using the NEW disk...at this point your
|
|
upgraded packages will have their default configuration.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Mount the XFER disk (mount -t msdos /dev/fd0u1680 /mnt)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>CD to the root directory (cd /)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Manually extract configuration data for each package you
|
|
upgraded:</para>
|
|
|
|
<programlisting>tar -xzvf /mnt/package1.lrp
|
|
tar -xzvf /mnt/package2.lrp
|
|
...</programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Unmount (umount /mnt) and remove the XFER disk</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Using lrcfg, do *FULL* backups of your upgraded
|
|
packages.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Reboot, verifying the firewall works as expected. Some
|
|
configuration files may need to be 'tweaked' to work properly with
|
|
the upgraded package binaries.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<important>
|
|
<para>The new package file <package>.local can be used to
|
|
fine-tune which files are included (and excluded) from the partial
|
|
backup (see the Dachstein-CD README for details). If this file
|
|
doesn't exist, the backup scripts assume anything from the
|
|
<package>.list file that resides in /etc or /var/lib/lrpkg is
|
|
part of the configuration data and is used to create the partial
|
|
backup. If shorewall puts anything in /etc that isn't a user
|
|
modified configuration file, a proper shorwall.local file should be
|
|
created prior to making the partial backup [<emphasis
|
|
role="bold">Editor's note</emphasis>: Shorewall places only
|
|
user-modifiable files in /etc].</para>
|
|
</important>
|
|
|
|
<note>
|
|
<para>It's obviously possible to do the above 'in-place', without
|
|
using multiple disks, and even without making a partial backup (ie:
|
|
copy current config files to /tmp, manually extract new package on top
|
|
of current running firewall, then copy or merge config data from /tmp
|
|
and backup...or similar), but anyone capable of that level of command
|
|
line gymnastics is probably doing it already, without needing detailed
|
|
instructions! :-)</para>
|
|
</note>
|
|
</blockquote>
|
|
|
|
<para>For information on other LEAF/Bering upgrade tools, check out <ulink
|
|
url="http://cvs.sourceforge.net/viewcvs.py/*checkout*/leaf/devel/alexrh/lck/READM">this
|
|
article by Alex Rhomberg</ulink>.</para>
|
|
</section>
|
|
|
|
<section id="Config_Files">
|
|
<title>Configuring Shorewall</title>
|
|
|
|
<para>You will need to edit some or all of the configuration files to
|
|
match your setup. In most cases, the <ulink
|
|
url="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</ulink>
|
|
contain all of the information you need.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Uninstall/Fallback</title>
|
|
|
|
<para>See <quote><ulink url="fallback.htm">Fallback and
|
|
Uninstall</ulink></quote>.</para>
|
|
</section>
|
|
</article> |