diff --git a/Shorewall-docs2/IPSEC-2.6.xml b/Shorewall-docs2/IPSEC-2.6.xml
index 87ddd56be..f27227f12 100644
--- a/Shorewall-docs2/IPSEC-2.6.xml
+++ b/Shorewall-docs2/IPSEC-2.6.xml
@@ -15,7 +15,7 @@
- 2004-10-08
+ 2004-10-25
2004
@@ -37,10 +37,10 @@
To use the features described in this article, your kernel and
iptables must include the Netfilter+ipsec patches and policy match support
- and you must be running Shorewall 2.1.5 or later. The Netfilter patches
- are available from Netfilter Patch-O-Matic-NG and are also included in
- some commercial distributions (most notably SuSE
- 9.1).
+ and you must be running Shorewall 2.1.5 or later (with Shorewall 2.2.0
+ Beta 1 or later recommended). The Netfilter patches are available from
+ Netfilter Patch-O-Matic-NG and are also included in some commercial
+ distributions (most notably SuSE 9.1).
@@ -56,7 +56,7 @@
- Shorewall 2.1 and Kernel 2.6 IPSEC
+ Shorewall 2.2 and Kernel 2.6 IPSEC
This is not a HOWTO for Kernel 2.6
IPSEC -- for that, please see
+
+ It is redundent to have Yes in
+ the IPSEC column of the /etc/shorewall/ipsec entry
+ for a zone and to also have the ipsec
+ option in /etc/shorewall/hosts entries for that
+ zone.
+
+
Finally, the OPTIONS, IN OPTIONS and OUT OPTIONS columns in
/etc/shorewall/ipsec can be used to match the zone to a particular (set
of) SA(s) used to encrypt and decrypt traffic to/from the zone and the
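Review bot: "redundent" in the added note on the IPSEC column should be "redundant". The note also leaves open whether having both Yes in the IPSEC column of /etc/shorewall/ipsec and the ipsec option in /etc/shorewall/hosts is merely unnecessary or changes behaviour. If it is harmless, one sentence saying so, and saying which of the two is preferred, would save readers from having to test it.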
diff --git a/Shorewall-docs2/Install.xml b/Shorewall-docs2/Install.xml
index f06e26fbf..ed9c027a4 100644
--- a/Shorewall-docs2/Install.xml
+++ b/Shorewall-docs2/Install.xml
@@ -15,7 +15,7 @@
- 2004-09-12
+ 2004-10-27
2001
@@ -398,8 +398,131 @@ INIT="rc.firewall"
url="upgrade_issues.htm">Upgrade Issues.
- There appears to be no standard method for upgrading LEAF/Bering
- packages — Sorry to be so unhelpful.
+ The following was contributed by Charles Steinkuehler on the Leaf
+ mailing list:
+
+
+ It's *VERY* simple...just put in a new CD and reboot! :-)
+ Actually, I'm only slightly kidding...that's exactly how I upgrade my
+ prodution firewalls. The partial backup feature I added to
+ Dachstein allows configuration data to be stored seperately from the
+ rest of the package.
+
+ Once the config data is seperated from the rest of the package,
+ it's an easy matter to upgrade the pacakge while keeping your current
+ configuration (in my case, just inserting a new CD and
+ re-booting).
+
+ Users who aren't running with multiple package paths and using
+ partial backups can still upgrade a package, it just takes a bit of
+ extra work. The general idea is to use a partial backup to save
+ your configuration, replace the package, and restore your old
+ configuration files. Step-by-step instructions for one way to do this
+ (assuming a conventional single-floppy LEAF system) would be:
+
+
+
+ Make a backup copy of your firewall disk ('NEW'). This
+ is the disk you will add the upgraded package(s) to.
+
+
+
+ Format a floppy to use as a temporary location for your
+ configuration file(s) ('XFER'). This disk should have the same
+ format as your firewall disk (and could simply be another backup
+ copy of your current firewall).
+
+
+
+ Make sure you have a working copy of your existing firewall
+ ('OLD') in a safe place, that you *DO NOT* use durring this process.
+ That way, if anything goes wrong you can simply reboot off the OLD
+ disk to get back to a working configuration.
+
+
+
+ Remove your current firewall configuration disk and replace it
+ with the XFER disk.
+
+
+
+ Use the lrcfg backup menu to make a partial backup of the
+ package(s) you want to upgrade, being sure to backup the files to
+ the XFER disk. From the backup menu:
+
+ t e <enter> p <enter>
+b <package1> <enter>
+b <package2> <enter>
+...
+
+
+
+ Download and copy the package(s) you want to upgrade onto the
+ NEW disk.
+
+
+
+ Reboot your firewall using the NEW disk...at this point your
+ upgraded packages will have their default configuration.
+
+
+
+ Mount the XFER disk (mount -t msdos /dev/fd0u1680 /mnt)
+
+
+
+ CD to the root directory (cd /)
+
+
+
+ Manually extract configuration data for each package you
+ upgraded:
+
+ tar -xzvf /mnt/package1.lrp
+tar -xzvf /mnt/package2.lrp
+...
+
+
+
+ Unmount (umount /mnt) and remove the XFER disk
+
+
+
+ Using lrcfg, do *FULL* backups of your upgraded
+ packages.
+
+
+
+ Reboot, verifying the firewall works as expected. Some
+ configuration files may need to be 'tweaked' to work properly with
+ the upgraded package binaries.
+
+
+
+
+ The new package file <package>.local can be used to
+ fine-tune which files are included (and excluded) from the partial
+ backup (see the Dachstein-CD README for details). If this file
+ doesn't exist, the backup scripts assume anything from the
+ <package>.list file that resides in /etc or /var/lib/lrpkg is
+ part of the configuration data and is used to create the partial
+ backup. If shorewall puts anything in /etc that isn't a user
+ modified configuration file, a proper shorwall.local file should be
+ created prior to making the partial backup [Editor's note: Shorewall places only
+ user-modifiable files in /etc].
+
+
+
+ It's obviously possible to do the above 'in-place', without
+ using multiple disks, and even without making a partial backup (ie:
+ copy current config files to /tmp, manually extract new package on top
+ of current running firewall, then copy or merge config data from /tmp
+ and backup...or similar), but anyone capable of that level of command
+ line gymnastics is probably doing it already, without needing detailed
+ instructions! :-)
+
+
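Review bot: the step "Download and copy the package(s) you want to upgrade onto the NEW disk" has no integrity check, although the errata.xml hunk in this same patch documents incorrect 2.0.10 packages and publishes MD5 sums for the corrected ones. Because this is a quoted mailing-list contribution, an editor's note in the style of the existing "[Editor's note: ...]" that points to the published sums would fit at that step. Two smaller points: the mount step hard-codes /dev/fd0u1680 while the XFER disk is only required to have "the same format as your firewall disk", so say that the device name must match the format actually used; and the quoted text contains misspellings ("prodution", "seperately", "seperated", "pacakge", "durring") that should either be corrected or the quote marked as verbatim.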
diff --git a/Shorewall-docs2/Shorewall_Doesnt.xml b/Shorewall-docs2/Shorewall_Doesnt.xml
index 940b11ffe..1d87aa5d1 100644
--- a/Shorewall-docs2/Shorewall_Doesnt.xml
+++ b/Shorewall-docs2/Shorewall_Doesnt.xml
@@ -13,7 +13,7 @@
Eastep
- 2004-06-08
+ 2004-10-26
2003
@@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
- GNU Free Documentation License
.
+ GNU Free Documentation
+ License
.
@@ -43,7 +44,7 @@
- Work with an Operating System other than Linux (version >=
+ Work with an Operating System other than Linux (version >=
2.4.0)
@@ -52,22 +53,23 @@
- HTTP - better to use Squid
- for that.
+ HTTP - better to use Squid for that.
Email -- Install something like Postfix on your firewall and
- integrate it with SpamAssassin
- and Amavisd-new.
+ integrate it with SpamAssassin and Amavisd-new.
- Set up Routing (except to support Proxy
- ARP)
+ Set up Routing (except to support Proxy ARP)
@@ -88,10 +90,12 @@
- Shorewall does not contain any support for Netfilter Patch-O-Matic
+ Shorewall generally does not contain any support for Netfilter
+ Patch-O-Matic-ng
features or any other features that require kernel patching --
- Shorewall only supports features from released kernels.
+ Shorewall only supports features from released kernels except in
+ unusual cases.
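Review bot: "generally" and "except in unusual cases" in the Patch-O-Matic-ng item do not tell the reader which patched features are actually supported. The IPSEC-2.6.xml change in this patch states that the kernel and iptables "must include the Netfilter+ipsec patches and policy match support", so name that exception here and link to that article instead of leaving the wording open-ended.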
diff --git a/Shorewall-docs2/VPN.xml b/Shorewall-docs2/VPN.xml
index 920314b3b..2bcf10c5f 100644
--- a/Shorewall-docs2/VPN.xml
+++ b/Shorewall-docs2/VPN.xml
@@ -15,7 +15,7 @@
- 2004-10-21
+ 2004-10-27
2002
@@ -135,6 +135,6 @@
HP Intranet and it works flawlessly without anything in Shorewall other
than my ACCEPT loc->net policy. NAT traversal is available as a patch
for Windows 2K and is a standard feature of Windows XP -- simply select
- "
+ "L2TP IPSec VPN" from the "Type of VPN" pulldown.
\ No newline at end of file
diff --git a/Shorewall-docs2/errata.xml b/Shorewall-docs2/errata.xml
index 57d98958f..6505e6439 100644
--- a/Shorewall-docs2/errata.xml
+++ b/Shorewall-docs2/errata.xml
@@ -13,7 +13,7 @@
- 2004-09-02
+ 2004-10-25
2001-2004
@@ -89,6 +89,29 @@
Problems in Version 2.0
+
+ Shorewall 2.0.10
+
+ The initial packages uploaded to the FTP and HTTP servers were
+ incorrect. Here are the MD5 sums of the incorrect packages.
+
+ 14e8f2bfa08cc5ca2715c8b1179d5eb2 shorewall-2.0.10-1.noarch.rpm
+54bcbb2216ad3db9870507cd9716fd99 shorewall-2.0.10.tgz
+c2fe0acc7f056acb56d089cf8dafa39a shorwall-2.0.10.lrp
+
+ These incorrect packages have been replaced with correct ones
+ having the following MD5 sums:
+
+ d5af452d38538b4b994c3c4abab8e012 shorewall-2.0.10-1.noarch.rpm
+985ce9215ea9cc0299f0b5450fdbe05e shorewall-2.0.10.tgz
+0ec7a65e4ed4ad1db0d2a4cb0c7bd5bf shorwall-2.0.10.lrp
+
+ If you have installed an incorrect package, please replace
+ /sbin/shorewall with this
+ file.
+
+
Shorewall 2.0.3 through 2.0.8
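Review bot: the last added paragraph tells users to replace /sbin/shorewall with a linked file but gives no checksum for that file, so the fix cannot be verified the way the packages can. Add its MD5 sum alongside the others. The entry also does not say what was incorrect in the initial packages; one sentence on that would let users judge whether they are affected and whether replacing /sbin/shorewall alone is enough.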
diff --git a/Shorewall-docs2/standalone.xml b/Shorewall-docs2/standalone.xml
index 52ab7c493..9af87204b 100644
--- a/Shorewall-docs2/standalone.xml
+++ b/Shorewall-docs2/standalone.xml
@@ -15,7 +15,7 @@
- 2004-09-12
+ 2004-10-27
2002-2004
@@ -55,7 +55,8 @@
Connection through Cable Modem, DSL, ISDN, Frame Relay,
- dial-up...
+ dial-up... or connected to a LAN and you simply wish to protect your
+ Linux system from other systems on that LAN.
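Review bot: the extended list item is no longer parallel, since "Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up... or connected to a LAN and you simply wish to protect" switches from a noun phrase to a clause. Consider making the LAN case its own list item, for example "Connection to a LAN, where you simply wish to protect your Linux system from other systems on that LAN."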