2006-01-22 03:35:15 +01:00
|
|
|
|
Shorewall 3.1.4
|
2005-11-27 21:59:47 +01:00
|
|
|
|
|
2006-01-07 18:33:10 +01:00
|
|
|
|
Note to users upgrading from Shorewall 2.x or 3.0
|
2005-12-01 18:58:24 +01:00
|
|
|
|
|
|
|
|
|
|
Most problems associated with upgrades come from two causes:
|
|
|
|
|
|
|
|
|
|
|
|
- The user didn't read and follow the migration considerations in these
|
|
|
|
|
|
release notes.
|
|
|
|
|
|
|
|
|
|
|
|
- The user mis-handled the /etc/shorewall/shorewall.conf file during
|
|
|
|
|
|
upgrade. Shorewall is designed to allow the default behavior of
|
|
|
|
|
|
the product to evolve over time. To make this possible, the design
|
|
|
|
|
|
assumes that you will not replace your current shorewall.conf file
|
|
|
|
|
|
during upgrades. If you feel absolutely compelled to have the latest
|
|
|
|
|
|
comments and options in your shorewall.conf then you must proceed
|
|
|
|
|
|
carefully.
|
|
|
|
|
|
|
2005-12-10 00:49:54 +01:00
|
|
|
|
While you are at it, if you have a file named /etc/shorewall/rfc1918 then
|
|
|
|
|
|
please check that file. If it has addresses listed that are NOT in one of
|
|
|
|
|
|
these three ranges, then please rename the file to /etc/shorewall/rfc1918.old.
|
|
|
|
|
|
|
|
|
|
|
|
10.0.0.0 - 10.255.255.255
|
|
|
|
|
|
172.16.0.0 - 172.31.255.255
|
|
|
|
|
|
192.168.0.0 - 192.168.255.255
|
|
|
|
|
|
|
2005-12-07 17:35:28 +01:00
|
|
|
|
Please see the "Migration Considerations" below for additional upgrade
|
|
|
|
|
|
information.
|
|
|
|
|
|
|
2006-01-22 03:35:15 +01:00
|
|
|
|
Problems Corrected in 3.1.4
|
2005-12-10 00:40:22 +01:00
|
|
|
|
|
2006-01-22 03:35:15 +01:00
|
|
|
|
1) "shorewall check" generates an error if there are entries in
|
|
|
|
|
|
/etc/shorewall/massq.
|
2006-01-21 17:35:18 +01:00
|
|
|
|
|
2006-01-23 02:41:24 +01:00
|
|
|
|
New Features added in 3.1.4
|
|
|
|
|
|
|
|
|
|
|
|
1) The /etc/shorewall/maclist file has a new column layout. The first column is
|
|
|
|
|
|
now DISPOSITION. This column determines what to do with matching packets and
|
|
|
|
|
|
can have the value ACCEPT or DROP (if MACLIST_TABLE=filter, it can also
|
|
|
|
|
|
contain REJECT). This change is upward compatible so your existing maclist
|
|
|
|
|
|
file can still be used.
|
|
|
|
|
|
|
2006-01-23 17:52:59 +01:00
|
|
|
|
ACCEPT, DROP and REJECT may be optionally followed by a log level to cause the
|
|
|
|
|
|
packet to be logged.
|
|
|
|
|
|
|
2006-01-23 02:41:24 +01:00
|
|
|
|
2) Shorewall has always been very noisy (lots of messages). No more. The default
|
|
|
|
|
|
is now to be very quiet and you get more detail using the -v option (or -vv if
|
|
|
|
|
|
you want the old noisy behavior). The -q option is still supported but only
|
|
|
|
|
|
reverses the effect of -v. So "shorewall start -qqvv" is still completely quiet
|
|
|
|
|
|
while "shorewall start -vv" gives the same amount of output as the old "shorewall
|
|
|
|
|
|
start" did.
|
|
|
|
|
|
|
2006-01-07 18:33:10 +01:00
|
|
|
|
Migration Considerations:
|
2005-12-10 00:40:22 +01:00
|
|
|
|
|
2006-01-12 00:30:33 +01:00
|
|
|
|
None.
|
2005-12-10 00:40:22 +01:00
|
|
|
|
|
2006-01-07 18:33:10 +01:00
|
|
|
|
New Features:
|
2005-12-10 00:40:22 +01:00
|
|
|
|
|
2006-01-07 20:22:58 +01:00
|
|
|
|
1) A new 'shorewall generate' command has been added.
|
2005-12-10 00:40:22 +01:00
|
|
|
|
|
2006-01-15 20:27:57 +01:00
|
|
|
|
shorewall generate [ -q ] [ -e ] [ <config directory> ] <script file>
|
2005-12-10 00:40:22 +01:00
|
|
|
|
|
2006-01-07 20:22:58 +01:00
|
|
|
|
where:
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-07 18:33:10 +01:00
|
|
|
|
-q Suppresses many of the progress messages
|
2006-01-13 00:26:37 +01:00
|
|
|
|
-e Generates an error if the configuration used
|
|
|
|
|
|
an option that would prevent the generated
|
|
|
|
|
|
script from running on a system other than
|
|
|
|
|
|
where the 'generate' command is running (see
|
|
|
|
|
|
additional consideration a) below).
|
2006-01-14 02:35:25 +01:00
|
|
|
|
Also allows the generated script to run
|
|
|
|
|
|
on a system without Shorewall installed.
|
2006-01-18 00:27:54 +01:00
|
|
|
|
-p Generate a complete program that can start,
|
|
|
|
|
|
stop, restart, clear and status the firewall
|
2006-01-07 18:33:10 +01:00
|
|
|
|
<config directory> Is an optional directory to be searched for
|
|
|
|
|
|
configuration files prior to those listed
|
|
|
|
|
|
in CONFIG_DIR in /etc/shorewall/shorewall.conf.
|
2006-01-13 18:08:23 +01:00
|
|
|
|
<script file> Is the name of the output file.
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-07 20:22:58 +01:00
|
|
|
|
The 'generate' command processes the configuration and writes a script file
|
|
|
|
|
|
which may then be executed (either directly or using the 'shorewall restore'
|
|
|
|
|
|
command) to configure the firewall.
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-08 16:59:36 +01:00
|
|
|
|
'compile' is a synonym for 'generate':
|
|
|
|
|
|
|
2006-01-15 20:27:57 +01:00
|
|
|
|
shorewall compile [ -q ] [ -e ] [ <config directory> ] <script file>
|
2006-01-08 16:59:36 +01:00
|
|
|
|
|
2006-01-14 19:35:50 +01:00
|
|
|
|
The generated script contains error checking and will terminate if an
|
|
|
|
|
|
important command fails. Before terminating:
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-14 19:35:50 +01:00
|
|
|
|
a) The script will check for the existence of the restore script specified
|
|
|
|
|
|
by the RESTOREFILE variable in shorewall.conf. If that restore script
|
|
|
|
|
|
exists, it is executed.
|
|
|
|
|
|
|
|
|
|
|
|
b) If the restore script doesn't exist but Shorewall appears to be installed
|
|
|
|
|
|
on the system, an "/sbin/shorewall stop" command is executed.
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-07 20:22:58 +01:00
|
|
|
|
Some additional considerations:
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-13 00:26:37 +01:00
|
|
|
|
a) It is possible to run 'generate' ('compile') on one system and then
|
|
|
|
|
|
run the generated script on another system but there are certain
|
2006-01-14 02:38:50 +01:00
|
|
|
|
limitations.
|
2006-01-13 00:26:37 +01:00
|
|
|
|
|
|
|
|
|
|
1) The same version of Shorewall must be running on the remote system
|
2006-01-14 19:35:50 +01:00
|
|
|
|
unless you use the "-e" option when you compile the script.
|
2006-01-13 00:26:37 +01:00
|
|
|
|
2) The 'detectnets' interface option is not allowed.
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-07 20:22:58 +01:00
|
|
|
|
b) If you have extension scripts, they may need modification. The scripts
|
|
|
|
|
|
will be run at generation time, rather than when the generated script
|
|
|
|
|
|
is executed. The standard functions like 'run_iptables' and
|
|
|
|
|
|
'log_rule_limit' will write the iptables command to the script file
|
|
|
|
|
|
rather than executing the command. As always, you can check $COMMAND
|
|
|
|
|
|
to determine which shorewall command is being executed.
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-07 20:22:58 +01:00
|
|
|
|
In addition to 'generate', a 'shorewall reload' command has been added.
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-13 00:26:37 +01:00
|
|
|
|
shorewall [ -q ] reload [ <config directory> ]
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-07 20:22:58 +01:00
|
|
|
|
where -q and <config directory> are as above.
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-07 20:22:58 +01:00
|
|
|
|
The 'reload' command creates a script using 'generate' and if there are
|
|
|
|
|
|
no errors, it then restores that script. It is equivalent to:
|
2005-12-14 17:18:38 +01:00
|
|
|
|
|
2006-01-13 18:08:23 +01:00
|
|
|
|
if shorewall generate /var/lib/shorewall/.reload; then restore .reload; fi
|
2006-01-07 20:22:58 +01:00
|
|
|
|
|
|
|
|
|
|
The advantage of using reload over restart is that reload results in new
|
|
|
|
|
|
connections being dropped for a much shorter time. Here are the results of
|
|
|
|
|
|
tests that I conducted on my own firewall:
|
|
|
|
|
|
|
|
|
|
|
|
A) shorewall -q restart
|
|
|
|
|
|
|
|
|
|
|
|
real 0m17.540s
|
|
|
|
|
|
user 0m5.956s
|
|
|
|
|
|
sys 0m10.737s
|
|
|
|
|
|
|
|
|
|
|
|
B) shorewall -q restore foo # foo created using "shorewall generate"
|
|
|
|
|
|
|
|
|
|
|
|
real 0m3.505s
|
|
|
|
|
|
user 0m1.332s
|
|
|
|
|
|
sys 0m2.164s
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
C) shorewall -q restore # Restores from file generated by "shorewall save"
|
|
|
|
|
|
|
|
|
|
|
|
real 0m1.164s
|
|
|
|
|
|
user 0m0.556s
|
|
|
|
|
|
sys 0m0.608s
|
|
|
|
|
|
|
|
|
|
|
|
The time difference from B to C reflects the difference between
|
|
|
|
|
|
"iptables-restore" and multiple executions of "iptables". The system is a
|
|
|
|
|
|
1.4Ghz Celeron with 512MB RAM.
|
2006-01-09 18:11:30 +01:00
|
|
|
|
|
2006-01-18 00:27:54 +01:00
|
|
|
|
The "-p' option creates a complete program. This program is suitable for
|
|
|
|
|
|
installation into /etc/init.d and, when generated with the "-e" option
|
|
|
|
|
|
can serve as your firewall on a system that doesn't even have Shorewall
|
|
|
|
|
|
installed.
|
|
|
|
|
|
|
2006-01-09 18:11:30 +01:00
|
|
|
|
2) You may now repeat the -q option to cause Shorewall to be extra quiet.
|
|
|
|
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
|
|
|
|
gateway:~ # shorewall -qq reload
|
|
|
|
|
|
Shorewall configuration compiled to /var/lib/shorewall/.reload
|
|
|
|
|
|
Restoring Shorewall...
|
|
|
|
|
|
Shorewall restored from /var/lib/shorewall/.reload
|
|
|
|
|
|
gateway:~ #
|
