2005-07-16 13:36:42 +02:00
|
|
|
Template: shorewall/upgrade_to_14
|
|
|
|
|
Type: boolean
|
2005-07-16 14:25:14 +02:00
|
|
|
Description: Did you check your configuration and do you want to restart Shorewall right now?
|
2005-07-16 13:36:42 +02:00
|
|
|
This is a major release of Shorewall that introduces some changes in the
|
|
|
|
|
configuration files. The major changes are listed below.
|
|
|
|
|
.
|
|
|
|
|
You _must_ review your firewall configuration in order to get Shorewall to
|
|
|
|
|
work properly.
|
|
|
|
|
.
|
|
|
|
|
* The MERGE_HOSTS variable in shorewall.conf is no longer
|
|
|
|
|
supported. Shorewall 1.4 behavior is the same as 1.3 with
|
|
|
|
|
MERGE_HOSTS=Yes.
|
|
|
|
|
.
|
|
|
|
|
* Interface names of the form <device>:<integer> in
|
|
|
|
|
/etc/shorewall/interfaces now generate an error.
|
|
|
|
|
.
|
|
|
|
|
* OLD_PING_HANDLING=Yes will generate an error at startup as will
|
|
|
|
|
specification of the 'noping' or 'filterping' interface options.
|
|
|
|
|
.
|
|
|
|
|
* In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no
|
|
|
|
|
longer unconditionally accepts outbound ICMP packets. So if you want
|
|
|
|
|
to 'ping' from the firewall, you will need the appropriate rule or
|
|
|
|
|
policy.
|
|
|
|
|
.
|
|
|
|
|
* The 'routestopped' option in the /etc/shorewall/interfaces and
|
|
|
|
|
/etc/shorewall/hosts files is no longer supported and will generate
|
|
|
|
|
an error at startup if specified.
|
|
|
|
|
.
|
|
|
|
|
* The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
|
|
|
|
|
accepted.
|
|
|
|
|
.
|
|
|
|
|
* The ALLOWRELATED variable in shorewall.conf is no longer
|
|
|
|
|
supported. Shorewall 1.4 behavior is the same as 1.3 with
|
|
|
|
|
ALLOWRELATED=Yes.
|
|
|
|
|
.
|
|
|
|
|
* The 'multi' interface option is no longer supported.
|
|
|
|
|
.
|
|
|
|
|
* The SHARED_DIR variable has been removed from shorewall.conf. This
|
|
|
|
|
variable was for use by package maintainers and was not documented
|
|
|
|
|
for general use.
|
|
|
|
|
|
|
|
|
|
Template: shorewall/dont_restart
|
|
|
|
|
Type: note
|
2005-07-16 14:25:14 +02:00
|
|
|
Description: Shorewall won't be restarted automatically
|
2005-07-16 13:36:42 +02:00
|
|
|
This will prevent network blackout due to changes in configuration files.
|
|
|
|
|
.
|
|
|
|
|
Check your configuration and then restart Shorewall issuing:
|
|
|
|
|
.
|
|
|
|
|
invoke-rc.d shorewall restart
|
|
|
|
|
.
|
|
|
|
|
or
|
|
|
|
|
.
|
|
|
|
|
/etc/init.d/shorewall restart
|
|
|
|
|
|
|
|
|
|
Template: shorewall/upgrade_14_20
|
|
|
|
|
Type: boolean
|
2005-07-16 14:25:14 +02:00
|
|
|
Description: Did you check your configuration and do you want to restart Shorewall right now?
|
2005-07-16 13:36:42 +02:00
|
|
|
This is a major release of Shorewall that introduces some changes in the
|
|
|
|
|
configuration files. You have to check carefully your configuration before
|
|
|
|
|
restarting your firewall to avoid failures and network blackout. The changes
|
|
|
|
|
are listed below (or in /usr/share/doc/shorewall/upgrade_14-20.txt.gz):
|
|
|
|
|
.
|
|
|
|
|
* The 'dropunclean' and 'logunclean' interface options are no longer
|
|
|
|
|
supported. If either option is specified in /etc/shorewall/interfaces, an
|
|
|
|
|
threatening message will be generated.
|
|
|
|
|
.
|
|
|
|
|
* The NAT_BEFORE_RULES option has been removed from shorewall.conf. The
|
|
|
|
|
behavior of Shorewall is as if NAT_BEFORE_RULES=No had been specified. In
|
|
|
|
|
other words, DNAT rules now always take precidence over one-to-one NAT
|
|
|
|
|
specifications.
|
|
|
|
|
.
|
|
|
|
|
* The default value for the ALL INTERFACES column in /etc/shorewall/nat has
|
|
|
|
|
changed. In Shorewall 1.*, if the column was left empty, a value of "Yes"
|
|
|
|
|
was assumed. This has been changed so that a value of "No" is now assumed.
|
|
|
|
|
.
|
|
|
|
|
* The following files don't exist in Shorewall 2.0:
|
|
|
|
|
.
|
|
|
|
|
/etc/shorewall/common.def
|
|
|
|
|
/etc/shorewall/common
|
|
|
|
|
/etc/shorewall/icmpdef
|
|
|
|
|
/etc/shorewall/action.template (Moved to /usr/share/shorewall)
|
|
|
|
|
/etc/shorewall/rfc1918 (Moved to /usr/share/shorewall).
|
|
|
|
|
.
|
|
|
|
|
* The /etc/shorewall/action file now allows an action to be designated as the
|
|
|
|
|
"common" action for a particular policy type by following the action name
|
|
|
|
|
with ":" and the policy (DROP, REJECT or ACCEPT).
|
|
|
|
|
.
|
|
|
|
|
* The /etc/shorewall directory no longer contains a 'users' file or a
|
|
|
|
|
'usersets' file. Similar functionality is now available using user-defined
|
|
|
|
|
actions.
|
|
|
|
|
.
|
|
|
|
|
* It is no longer possible to specify rate limiting in the ACTION column of
|
|
|
|
|
/etc/shorewall/rules -- you must use the RATE LIMIT column.
|
|
|
|
|
.
|
|
|
|
|
* Depending on which method you use to upgrade, if you have your own version
|
|
|
|
|
of /etc/shorewall/rfc1918, you may have to take special action to restore it
|
|
|
|
|
after the upgrade. Look for /etc/shorewall/rfc1918*, locate the proper file
|
|
|
|
|
and rename it back to /etc/shorewall/rfc1918. The contents of that file will
|
|
|
|
|
supercede the contents of /usr/share/shorewall/rfc1918.
|
|
|
|
|
|
|
|
|
|
Template: shorewall/upgrade_20_22
|
|
|
|
|
Type: boolean
|
2005-07-16 14:25:14 +02:00
|
|
|
Description: Did you check your configuration and do you want to restart Shorewall right now?
|
2005-07-16 13:36:42 +02:00
|
|
|
This is a major release of Shorewall that introduces some changes in the
|
|
|
|
|
configuration files. You have to check carefully your configuration before
|
|
|
|
|
restarting your firewall to avoid failures and network blackout. The changes
|
|
|
|
|
are listed in /usr/share/doc/shorewall/releasenotes.txt.gz.
|
|
|
|
|
|
|
|
|
|
Template: shorewall/warnrfc1918
|
|
|
|
|
Type: note
|
2005-07-16 14:25:14 +02:00
|
|
|
Description: Possible out-of-date rfc1918 configration file
|
2005-07-16 13:36:42 +02:00
|
|
|
The file rfc1918 has been found in your shorewall configuration
|
|
|
|
|
directory. It probably comes from an upgrade from a previous
|
|
|
|
|
version. Note that the file has now been replaced by rfc1918 and
|
|
|
|
|
bogons, the former is only used to list private network
|
|
|
|
|
addresses and the latter is used to list unassigned addresses
|
|
|
|
|
and must be kept up-to-date; previously rfc1918 was used for
|
|
|
|
|
both kind of addresses. It is strongly recommended to remove the file
|
|
|
|
|
from the configuration directory and let shorewall to use its default
|
|
|
|
|
one (located at /usr/share/shorewall/).
|
|
|
|
|
|
