From e5ed72e5f61ff711f20ce9610bad8760cd4486da Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 30 Oct 2004 15:23:18 +0000 Subject: [PATCH] Documentation Updates git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1731 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs2/IPSEC-2.6.xml | 20 +++-- Shorewall-docs2/Install.xml | 129 ++++++++++++++++++++++++++- Shorewall-docs2/Shorewall_Doesnt.xml | 28 +++--- Shorewall-docs2/VPN.xml | 4 +- Shorewall-docs2/errata.xml | 25 +++++- Shorewall-docs2/standalone.xml | 5 +- 6 files changed, 185 insertions(+), 26 deletions(-) diff --git a/Shorewall-docs2/IPSEC-2.6.xml b/Shorewall-docs2/IPSEC-2.6.xml index 87ddd56be..f27227f12 100644 --- a/Shorewall-docs2/IPSEC-2.6.xml +++ b/Shorewall-docs2/IPSEC-2.6.xml @@ -15,7 +15,7 @@ - 2004-10-08 + 2004-10-25 2004 @@ -37,10 +37,10 @@ To use the features described in this article, your kernel and iptables must include the Netfilter+ipsec patches and policy match support - and you must be running Shorewall 2.1.5 or later. The Netfilter patches - are available from Netfilter Patch-O-Matic-NG and are also included in - some commercial distributions (most notably SuSE - 9.1). + and you must be running Shorewall 2.1.5 or later (with Shorewall 2.2.0 + Beta 1 or later recommended). The Netfilter patches are available from + Netfilter Patch-O-Matic-NG and are also included in some commercial + distributions (most notably SuSE 9.1). @@ -56,7 +56,7 @@
- Shorewall 2.1 and Kernel 2.6 IPSEC + Shorewall 2.2 and Kernel 2.6 IPSEC This is not a HOWTO for Kernel 2.6 IPSEC -- for that, please see + + It is redundent to have Yes in + the IPSEC column of the /etc/shorewall/ipsec entry + for a zone and to also have the ipsec + option in /etc/shorewall/hosts entries for that + zone. + + Finally, the OPTIONS, IN OPTIONS and OUT OPTIONS columns in /etc/shorewall/ipsec can be used to match the zone to a particular (set of) SA(s) used to encrypt and decrypt traffic to/from the zone and the diff --git a/Shorewall-docs2/Install.xml b/Shorewall-docs2/Install.xml index f06e26fbf..ed9c027a4 100644 --- a/Shorewall-docs2/Install.xml +++ b/Shorewall-docs2/Install.xml @@ -15,7 +15,7 @@ - 2004-09-12 + 2004-10-27 2001 @@ -398,8 +398,131 @@ INIT="rc.firewall" url="upgrade_issues.htm">Upgrade Issues. - There appears to be no standard method for upgrading LEAF/Bering - packages — Sorry to be so unhelpful. + The following was contributed by Charles Steinkuehler on the Leaf + mailing list: + +
+ It's *VERY* simple...just put in a new CD and reboot!  :-) + Actually, I'm only slightly kidding...that's exactly how I upgrade my + prodution firewalls.  The partial backup feature I added to + Dachstein allows configuration data to be stored seperately from the + rest of the package. + + Once the config data is seperated from the rest of the package, + it's an easy matter to upgrade the pacakge while keeping your current + configuration (in my case, just inserting a new CD and + re-booting). + + Users who aren't running with multiple package paths and using + partial backups can still upgrade a package, it just takes a bit of + extra work.  The general idea is to use a partial backup to save + your configuration, replace the package, and restore your old + configuration files. Step-by-step instructions for one way to do this + (assuming a conventional single-floppy LEAF system) would be: + + + + Make a backup copy of your firewall disk ('NEW').  This + is the disk you will add the upgraded package(s) to. + + + + Format a floppy to use as a temporary location for your + configuration file(s) ('XFER').  This disk should have the same + format as your firewall disk (and could simply be another backup + copy of your current firewall). + + + + Make sure you have a working copy of your existing firewall + ('OLD') in a safe place, that you *DO NOT* use durring this process. + That way, if anything goes wrong you can simply reboot off the OLD + disk to get back to a working configuration. + + + + Remove your current firewall configuration disk and replace it + with the XFER disk. + + + + Use the lrcfg backup menu to make a partial backup of the + package(s) you want to upgrade, being sure to backup the files to + the XFER disk.  From the backup menu: + + t e <enter> p <enter> +b <package1> <enter> +b <package2> <enter> +... + + + + Download and copy the package(s) you want to upgrade onto the + NEW disk. 
+ + + + Reboot your firewall using the NEW disk...at this point your + upgraded packages will have their default configuration. + + + + Mount the XFER disk (mount -t msdos /dev/fd0u1680 /mnt) + + + + CD to the root directory (cd /) + + + + Manually extract configuration data for each package you + upgraded: + + tar -xzvf /mnt/package1.lrp +tar -xzvf /mnt/package2.lrp +... + + + + Unmount (umount /mnt) and remove the XFER disk + + + + Using lrcfg, do *FULL* backups of your upgraded + packages. + + + + Reboot, verifying the firewall works as expected.  Some + configuration files may need to be 'tweaked' to work properly with + the upgraded package binaries. + + + + + The new package file <package>.local can be used to + fine-tune which files are included (and excluded) from the partial + backup (see the Dachstein-CD README for details).  If this file + doesn't exist, the backup scripts assume anything from the + <package>.list file that resides in /etc or /var/lib/lrpkg is + part of the configuration data and is used to create the partial + backup.  If shorewall puts anything in /etc that isn't a user + modified configuration file, a proper shorwall.local file should be + created prior to making the partial backup [Editor's note: Shorewall places only + user-modifiable files in /etc]. + + + + It's obviously possible to do the above 'in-place', without + using multiple disks, and even without making a partial backup (ie: + copy current config files to /tmp, manually extract new package on top + of current running firewall, then copy or merge config data from /tmp + and backup...or similar), but anyone capable of that level of command + line gymnastics is probably doing it already, without needing detailed + instructions! :-) + +
diff --git a/Shorewall-docs2/Shorewall_Doesnt.xml b/Shorewall-docs2/Shorewall_Doesnt.xml index 940b11ffe..1d87aa5d1 100644 --- a/Shorewall-docs2/Shorewall_Doesnt.xml +++ b/Shorewall-docs2/Shorewall_Doesnt.xml @@ -13,7 +13,7 @@ Eastep - 2004-06-08 + 2004-10-26 2003 @@ -29,7 +29,8 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. @@ -43,7 +44,7 @@ - Work with an Operating System other than Linux (version >= + Work with an Operating System other than Linux (version >= 2.4.0) @@ -52,22 +53,23 @@ - HTTP - better to use Squid - for that. + HTTP - better to use Squid for that. Email -- Install something like Postfix on your firewall and - integrate it with SpamAssassin - and Amavisd-new. + integrate it with SpamAssassin and Amavisd-new. - Set up Routing (except to support Proxy - ARP) + Set up Routing (except to support Proxy ARP) @@ -88,10 +90,12 @@ - Shorewall does not contain any support for Netfilter Patch-O-Matic + Shorewall generally does not contain any support for Netfilter + Patch-O-Matic-ng features or any other features that require kernel patching -- - Shorewall only supports features from released kernels. + Shorewall only supports features from released kernels except in + unusual cases.
diff --git a/Shorewall-docs2/VPN.xml b/Shorewall-docs2/VPN.xml index 920314b3b..2bcf10c5f 100644 --- a/Shorewall-docs2/VPN.xml +++ b/Shorewall-docs2/VPN.xml @@ -15,7 +15,7 @@ - 2004-10-21 + 2004-10-27 2002 @@ -135,6 +135,6 @@ HP Intranet and it works flawlessly without anything in Shorewall other than my ACCEPT loc->net policy. NAT traversal is available as a patch for Windows 2K and is a standard feature of Windows XP -- simply select - " + "L2TP IPSec VPN" from the "Type of VPN" pulldown. \ No newline at end of file diff --git a/Shorewall-docs2/errata.xml b/Shorewall-docs2/errata.xml index 57d98958f..6505e6439 100644 --- a/Shorewall-docs2/errata.xml +++ b/Shorewall-docs2/errata.xml @@ -13,7 +13,7 @@ - 2004-09-02 + 2004-10-25 2001-2004 @@ -89,6 +89,29 @@
Problems in Version 2.0 +
+ Shorewall 2.0.10 + + The initial packages uploaded to the FTP and HTTP servers were + incorrect. Here are the MD5 sums of the incorrect packages. + + 14e8f2bfa08cc5ca2715c8b1179d5eb2  shorewall-2.0.10-1.noarch.rpm +54bcbb2216ad3db9870507cd9716fd99  shorewall-2.0.10.tgz +c2fe0acc7f056acb56d089cf8dafa39a  shorwall-2.0.10.lrp + + These incorrect packages have been replaced with correct ones + having the following MD5 sums: + + d5af452d38538b4b994c3c4abab8e012  shorewall-2.0.10-1.noarch.rpm +985ce9215ea9cc0299f0b5450fdbe05e  shorewall-2.0.10.tgz +0ec7a65e4ed4ad1db0d2a4cb0c7bd5bf  shorwall-2.0.10.lrp + + If you have installed an incorrect package, please replace + /sbin/shorewall with this + file. +
+
Shorewall 2.0.3 through 2.0.8 diff --git a/Shorewall-docs2/standalone.xml b/Shorewall-docs2/standalone.xml index 52ab7c493..9af87204b 100644 --- a/Shorewall-docs2/standalone.xml +++ b/Shorewall-docs2/standalone.xml @@ -15,7 +15,7 @@ - 2004-09-12 + 2004-10-27 2002-2004 @@ -55,7 +55,8 @@ Connection through Cable Modem, DSL, ISDN, Frame Relay, - dial-up... + dial-up... or connected to a LAN and you simply wish to protect your + Linux system from other systems on that LAN.
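Review bot: In Shorewall-docs2/IPSEC-2.6.xml, the added paragraph on the IPSEC column misspells "redundant" as "redundent". It also tells the reader that Yes in /etc/shorewall/ipsec plus the ipsec option in /etc/shorewall/hosts is redundant without saying which of the two to keep; one more sentence naming the preferred place would make the paragraph actionable. Separately, the section title now says Shorewall 2.2 while the prerequisite paragraph still leads with "2.1.5 or later", so consider stating the minimum and the recommended version in the same order in both places.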
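Review bot: In Shorewall-docs2/Install.xml, the step "Mount the XFER disk (mount -t msdos /dev/fd0u1680 /mnt)" hardcodes a 1680K floppy device, although the earlier step only requires that the XFER disk have the same format as the firewall disk; add a remark that the device name must match the format actually used. The extraction steps run tar -xzvf from / on the live firewall, so it is worth saying that the archive on the XFER disk should be the partial backup just made and nothing else. The quoted text also carries misspellings ("prodution", "seperately", "pacakge", "durring"); if the quote is meant to stay verbatim, use the editor's note to confirm whether shorwall.local is the intended file name, given that the errata hunk in this patch lists shorwall-2.0.10.lrp.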
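Review bot: In Shorewall-docs2/Shorewall_Doesnt.xml, the last hunk hedges the same sentence twice ("generally does not contain any support" and "except in unusual cases") without naming the exception, which leaves the reader unable to tell what is supported. Since IPSEC-2.6.xml in this same patch requires the Netfilter+ipsec patches and policy match support, name that case and link to the article instead of the two open-ended qualifiers.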
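Review bot: In Shorewall-docs2/errata.xml, the new Shorewall 2.0.10 section asks users to replace /sbin/shorewall with a linked file but gives no checksum for that file, so the one artifact readers are told to install is the only one they cannot verify. Add its MD5 sum next to the link, in the same form as the package sums above it. The section also says the initial packages were "incorrect" without saying in what way; a short description of the defect would let administrators judge whether a firewall that ran the bad package needs more than the file swap.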
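Review bot: In Shorewall-docs2/standalone.xml, the added text "or connected to a LAN and you simply wish to protect your Linux system from other systems on that LAN" is appended after the ellipsis of the list item that enumerates connection types (Cable Modem, DSL, ISDN, Frame Relay, dial-up), so the item no longer parses as a list of link types. Make the LAN case its own list item or its own sentence so the two usage scenarios are clearly separate.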