diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml
index 5ca186785..4e6775935 100644
--- a/Shorewall-docs2/FAQ.xml
+++ b/Shorewall-docs2/FAQ.xml
@@ -17,7 +17,7 @@
- 2004-12-22
+ 2004-12-26
2001-2004
@@ -1590,6 +1590,17 @@ alias ipt_pkttype off
kernel, I also recommend upgrading to Shorewall 2.0.6 or later and then
setting PKTTYPE=No in shorewall.conf.
+
+
+ (FAQ 43) I just installed the Shorewall RPM and Shorewall doesn't
+ start at boot time.
+
+ Answer: When you install using
+ the "rpm -U" command, Shorewall doesn't run your distribution's tool for
+ configuring Shorewall startup. You will need to run that tool (insserv,
+ chkconfig, run-level editor, …) to configure Shorewall to start in the
+ run-levels that you run your firewall system at.
+
@@ -2014,7 +2025,17 @@ Verifying Configuration...
- 1.39
+ 1.41
+
+ 2004-12-26
+
+ TE
+
+ Added FAQ 43.
+
+
+
+ 1.40
2004-12-22
diff --git a/Shorewall-docs2/IPSEC-2.6.xml b/Shorewall-docs2/IPSEC-2.6.xml
index aa1c7ce2a..721967c9c 100644
--- a/Shorewall-docs2/IPSEC-2.6.xml
+++ b/Shorewall-docs2/IPSEC-2.6.xml
@@ -15,7 +15,7 @@
- 2004-12-18
+ 2004-12-26
2004
@@ -347,7 +347,7 @@ remote 134.28.54.2
verify_identifier on ;
lifetime time 24 hour ;
proposal {
- encryption_algorithm 3des;
+ encryption_algorithm blowfish;
hash_algorithm sha1;
authentication_method rsasig ;
dh_group 2 ;
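Review bot: The phase-1 proposal now names `blowfish` where it had `3des`, and the matching sainfo hunks at L54–L89, L99–L107 and L117–L125 narrow the phase-2 list `3des, blowfish, des, rijndael` down to `blowfish` alone, which drops `rijndael` (AES) from every example. Blowfish is a 64-bit-block cipher and AES is the algorithm readers should be steered toward for a configuration they will copy, so I would keep `rijndael` first, e.g. `encryption_algorithm rijndael, blowfish ;` for sainfo and `encryption_algorithm rijndael;` in the proposal, or add a sentence to the surrounding prose saying why blowfish is chosen here. Dropping 3des from the sainfo list also removes the fallback for a peer that does not offer blowfish; if the tutorial's other gateway is assumed to mirror this file that is fine, but it is worth stating. The `blowfish;` on L50 versus `blowfish ;` in the other hunks is a small spacing inconsistency.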
@@ -358,7 +358,7 @@ sainfo address 192.168.1.0/24 any address 10.0.0.0/8 any
{
pfs_group 2;
lifetime time 12 hour ;
- encryption_algorithm 3des, blowfish, des, rijndael ;
+ encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
@@ -367,7 +367,7 @@ sainfo address 206.162.148.9/32 any address 10.0.0.0/8 any
{
pfs_group 2;
lifetime time 12 hour ;
- encryption_algorithm 3des, blowfish, des, rijndael ;
+ encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
@@ -376,7 +376,7 @@ sainfo address 206.162.148.9/32 any address 134.28.54.2/32 any
{
pfs_group 2;
lifetime time 12 hour ;
- encryption_algorithm 3des, blowfish, des, rijndael ;
+ encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
@@ -385,7 +385,7 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
{
pfs_group 2;
lifetime time 12 hour ;
- encryption_algorithm 3des, blowfish, des, rijndael ;
+ encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
@@ -502,7 +502,7 @@ remote anonymous
verify_identifier on ;
lifetime time 24 hour ;
proposal {
- encryption_algorithm 3des;
+ encryption_algorithm blowfish ;
hash_algorithm sha1;
authentication_method rsasig ;
dh_group 2 ;
@@ -513,7 +513,7 @@ sainfo anonymous
{
pfs_group 2;
lifetime time 12 hour ;
- encryption_algorithm 3des, blowfish, des, rijndael ;
+ encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
@@ -609,7 +609,7 @@ remote anonymous
my_identifier address ;
lifetime time 24 hour ;
proposal {
- encryption_algorithm 3des;
+ encryption_algorithm blowfish ;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
@@ -620,7 +620,7 @@ sainfo anonymous
{
pfs_group 2;
lifetime time 12 hour ;
- encryption_algorithm 3des, blowfish, des, rijndael ;
+ encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
diff --git a/Shorewall-docs2/OPENVPN.xml b/Shorewall-docs2/OPENVPN.xml
index 98649b8e4..44636f0ca 100644
--- a/Shorewall-docs2/OPENVPN.xml
+++ b/Shorewall-docs2/OPENVPN.xml
@@ -21,7 +21,7 @@
- 2004-12-23
+ 2004-12-26
2003
@@ -54,10 +54,10 @@
The default port number for OpenVPN changed from 5000 to 1194 in
- Shorewall version 2.2.0 RC2. This change reflected a change in OpenVPN
- which also changed its default to 1194. In the text that follows, where
- you see Port 5000 this can also refer to port 1194 depending on which
- version of Shorewall and OpenVPN that you are using.
+ Shorewall version 2.2.0 RC2. This change follows OpenVPN 2.0 which also
+ changed its default port to 1194. In the text that follows, where you see
+ Port 1194 this can also refer to port 5000 depending on which version of
+ Shorewall and OpenVPN that you are using.
@@ -117,20 +117,23 @@ openvpn net 134.28.54.2
+ Shorewall versions prior to 2.2.0 Beta 1 enforced use of the same
+ port number for both the source and destination port.
+
Some OpenVPN clients (notabley on Windows)
do not use the same source and destination ports which can cause
problems. If system B is a Windows system or if you find that Shorewall
- is blocking the UDP port 5000 traffic from the remote gateway, then you
- will want the following entry in
- /etc/shorewall/tunnels instead of the one
- above:
+ is blocking the UDP port 1194 traffic from the remote gateway and you
+ are running a version of Shorewall prior to 2.2.0 Beta 1, then you will
+ want the following entry in /etc/shorewall/tunnels
+ instead of the one above:
#TYPE ZONE GATEWAY GATEWAY ZONE
-generic:udp:5000 net 134.28.54.2
+generic:udp:1194 net 134.28.54.2
This entry in /etc/shorewall/tunnels opens the
- firewall so that OpenVPN traffic on the default port 5000/udp will be
+ firewall so that OpenVPN traffic on the default port 1194/udp will be
accepted to/from the remote gateway. If you change the port used by
OpenVPN to 7777, you can define /etc/shorewall/tunnels like this:
@@ -268,6 +271,8 @@ dh dh1024.pem
ca /etc/certs/cacert.pem
+crl-verify /etc/certs/crl.pem
+
cert /etc/certs/SystemA.pem
key /etc/certs/SystemA_key.pem
@@ -337,7 +342,7 @@ tls-client
pull
ca /etc/certs/cacert.pem
-
+
cert /etc/certs/SystemB.pem
key /etc/certs/SystemB_key.pem
@@ -356,5 +361,22 @@ persist-key
verb 3
+
+ If you want multiple remote clients to be able to communicate with
+ each other then you must:
+
+
+
+ Include the client-to-client
+ directive in the server's OpenVPN configuration; and
+
+
+
+ Specify the routeback option on
+ the tun0 device in /etc/shorewall/interfaces.
+
+
+
-
\ No newline at end of file
+
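Review bot: The new list says readers "must" use both `client-to-client` and `routeback`, but as far as I read OpenVPN's documentation `client-to-client` makes the server forward traffic between clients internally, so those packets never appear on tun0 and Shorewall's rules (including `routeback`) never see them; `routeback` on tun0 is what you need when `client-to-client` is absent and the kernel routes inter-client packets back out the same interface. I would present the two as alternatives and spell out the trade-off, e.g. `Use client-to-client if you do not need Shorewall to filter traffic between clients; otherwise leave it out and set routeback on tun0 so the kernel can route and filter it.` The enclosing section starts before this hunk.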