<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>Shorewall Installation</title> <meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> </head> <body> <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse;" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> <tbody> <tr> <td width="100%"> <h1 align="center"><font color="#ffffff">Shorewall Installation and Upgrade</font></h1> </td> </tr> </tbody> </table> <p align="center"><b>Before upgrading, be sure to review the <a href="upgrade_issues.htm">Upgrade Issues</a></b></p> <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br> <a href="#Install_Tarball">Install using tarball</a><br> <a href="#Upgrade_RPM">Upgrade using RPM</a><br> <a href="#Upgrade_Tarball">Upgrade using tarball</a><br> <a href="#Config_Files">Configuring Shorewall</a><br> <a href="fallback.htm">Uninstall/Fallback</a></b></font></p> <p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p> <p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a shell prompt, type "/sbin/iptables --version"), you must upgrade to version 1.2.4 either from the <a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before attempting to start Shorewall.</b></p> <ul> <li>Install the RPM (rpm -ivh <shorewall rpm>).<br> <br> <b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel is installed. If this happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps <shorewall rpm>).</li> <li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li> <li>Start the firewall by typing "shorewall start"</li> </ul> <p><a name="Install_Tarball"></a>To install Shorewall using the tarball and install script: </p> <ul> <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li> <li>cd to the shorewall directory (the version is encoded in the directory name as in "shorewall-1.1.10").</li> <li>If you are using <a href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>, <a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>, <a href="http://www.slackware.com/">Slackware</a> or <a href="http://www.debian.org">Debian</a> then type "./install.sh"</li> <li>If you are using <a href="http://www.suse.com">SuSe</a> then type "./install.sh /etc/init.d"</li> <li>If your distribution has directory /etc/rc.d/init.d or /etc/init.d then type "./install.sh"</li> <li>For other distributions, determine where your distribution installs init scripts and type "./install.sh <init script directory></li> <li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration.</li> <li>Start the firewall by typing "shorewall start"</li> <li>If the install script was unable to configure Shorewall to be started automatically at boot, see <a href="starting_and_stopping_shorewall.htm">these instructions</a>.</li> </ul> <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed and are upgrading to a new version:</p> <p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you have entries in the /etc/shorewall/hosts file then please check your /etc/shorewall/interfaces file to be sure that it contains an entry for each interface mentioned in the hosts file. Also, there are certain 1.2 rule forms that are no longer supported under 1.3 (you must use the new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details. You can check your rules and host file for 1.3 compatibility using the "shorewall check" command after installing the latest version of 1.3.</p> <ul> <li>Upgrade the RPM (rpm -Uvh <shorewall rpm file>) <b>Note: </b>If you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g., "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). <p> <b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel is installed. If this happens, simply use the --nodeps option to rpm (rpm -Uvh --nodeps <shorewall rpm>).<br> � </p> </li> <li>See if there are any incompatibilities between your configuration and the new Shorewall version (type "shorewall check") and correct as necessary.</li> <li>Restart the firewall (shorewall restart).</li> </ul> <p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and are upgrading to a new version using the tarball:</p> <p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you have entries in the /etc/shorewall/hosts file then please check your /etc/shorewall/interfaces file to be sure that it contains an entry for each interface mentioned in the hosts file.� Also, there are certain 1.2 rule forms that are no longer supported under 1.3 (you must use the new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> for details. You can check your rules and host file for 1.3 compatibility using the "shorewall check" command after installing the latest version of 1.3.</p> <ul> <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li> <li>cd to the shorewall directory (the version is encoded in the directory name as in "shorewall-3.0.1").</li> <li>If you are using <a href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>, <a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>, <a href="http://www.slackware.com/">Slackware</a> or <a href="http://www.debian.org">Debian</a> then type "./install.sh"</li> <li>If you are using<a href="http://www.suse.com"> SuSe</a> then type "./install.sh /etc/init.d"</li> <li>If your distribution has directory /etc/rc.d/init.d or /etc/init.d then type "./install.sh"</li> <li>For other distributions, determine where your distribution installs init scripts and type "./install.sh <init script directory></li> <li>See if there are any incompatibilities between your configuration and the new Shorewall version (type "shorewall check") and correct as necessary.</li> <li>Restart the firewall by typing "shorewall restart"</li> </ul> <h3><a name="Config_Files"></a>Configuring Shorewall</h3> <p>You will need to edit some or all of these configuration files to match your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</a> contain all of the information you need.</p> <ul> <li>/etc/shorewall/shorewall.conf - used to set several firewall parameters.</li> <li>/etc/shorewall/params - use this file to set shell variables that you will expand in other files.</li> <li>/etc/shorewall/zones - partition the firewall's view of the world into <i>zones.</i></li> <li>/etc/shorewall/policy - establishes firewall high-level policy.</li> <li>/etc/shorewall/interfaces - describes the interfaces on the firewall system.</li> <li>/etc/shorewall/hosts - allows defining zones in terms of individual hosts and subnetworks.</li> <li>/etc/shorewall/maclist - verification of the MAC addresses of devices.<br> </li> <li>/etc/shorewall/masq - directs the firewall where to use many-to-one (dynamic) NAT a.k.a. Masquerading.</li> <li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li> <li>/etc/shorewall/rules - defines rules that are exceptions to the overall policies established in /etc/shorewall/policy.</li> <li>/etc/shorewall/nat - defines static NAT rules.</li> <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li> <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts accessible when Shorewall is stopped.</li> <li>/etc/shorewall/tcrules - defines marking of packets for later use by traffic control/shaping.</li> <li>/etc/shorewall/tos - defines rules for setting the TOS field in packet headers.</li> <li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on the firewall system.</li> <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li> </ul> <p><font size="2">Updated 10/28/2002 - <a href="support.htm">Tom Eastep</a> </font></p> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> � <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> <br> <br> </body> </html>