<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
     
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Installation</title>
         
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
     
  <meta name="ProgId" content="FrontPage.Editor.Document">
</head>
  <body>
   
<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#400169" height="90">
    <tbody>
     <tr>
      <td width="100%">            
      <h1 align="center"><font color="#ffffff">Shorewall Installation and 
Upgrade</font></h1>
      </td>
    </tr>
     
  </tbody> 
</table>
    
<p align="center"><b>Before upgrading, be sure to review the <a
 href="upgrade_issues.htm">Upgrade Issues</a></b></p>
    
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
  <a href="#Install_Tarball">Install using tarball</a><br>
  <a href="#Upgrade_RPM">Upgrade using RPM</a><br>
  <a href="#Upgrade_Tarball">Upgrade using tarball</a><br>
  <a href="#Config_Files">Configuring Shorewall</a><br>
  <a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
   
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
   
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a 
shell  prompt, type "/sbin/iptables --version"), you must upgrade to version 
1.2.4  either from the <a
 href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update 
 site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before 
 attempting to start Shorewall.</b></p>
   
<ul>
    <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
    <br>
    <b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports 
a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. 
If this    happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps 
&lt;shorewall    rpm&gt;).</li>
    <li>Edit the <a href="#Config_Files"> configuration files</a> to match 
your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> 
SIMPLY INSTALL THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION 
IS REQUIRED BEFORE THE  FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND 
AND THE FIREWALL FAILS TO  START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK 
TRAFFIC. IF THIS HAPPENS,  ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK 
CONNECTIVITY.</b></font></li>
    <li>Start the firewall by typing "shorewall start"</li>
   
</ul>
       
<p><a name="Install_Tarball"></a>To     install Shorewall using the tarball 
and install     script: </p>
   
<ul>
    <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
    <li>cd to the shorewall directory (the version is encoded in the    
        directory name as in "shorewall-1.1.10").</li>
    <li>If you are using <a
 href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
 href="http://www.redhat.com">RedHat</a>,           <a
 href="http://www.linux-mandrake.com">Mandrake</a>, <a
 href="http://www.corel.com">Corel</a>,           <a
 href="http://www.slackware.com/">Slackware</a> or           <a
 href="http://www.debian.org">Debian</a>             then type "./install.sh"</li>
    <li>If you are using <a href="http://www.suse.com">SuSE</a> then type
    "./install.sh /etc/init.d"</li>
    <li>If your distribution has directory             /etc/rc.d/init.d or 
/etc/init.d then type             "./install.sh"</li>
    <li>For other distributions, determine where your distribution 
installs init scripts and type "./install.sh &lt;init script directory&gt;"</li>
    <li>Edit the <a href="#Config_Files"> configuration files</a> to match 
your configuration.</li>
    <li>Start the firewall by typing "shorewall             start"</li>
    <li>If the install script was unable to configure Shorewall to be started 
automatically at boot,             see <a
 href="starting_and_stopping_shorewall.htm">these             instructions</a>.</li>
   
</ul>
   
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed 
and are upgrading to a new version:</p>
   
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and
you  have entries in the /etc/shorewall/hosts file then please check your
 /etc/shorewall/interfaces file to be sure that it contains an entry for
each  interface mentioned in the hosts file. Also, there are certain 1.2
rule forms  that are no longer supported under 1.3 (you must use the new
1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.
You can check your rules and  host file for 1.3 compatibility using the "shorewall
check" command after  installing the latest version of 1.3.</p>
   
<ul>
    <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If 
you     are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
    you must use the "--oldpackage" option to rpm (e.g., "rpm     -Uvh --oldpackage
shorewall-1.2-0.noarch.rpm").        
    <p>   <b>Note: </b>Some SuSE users have encountered a problem whereby 
rpm reports a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
installed. If this    happens, simply use the --nodeps option to rpm (rpm 
-Uvh --nodeps &lt;shorewall    rpm&gt;).</p>
   </li>
   <li>See if there are any incompatibilities between your configuration
and the    new Shorewall version (type "shorewall check") and correct as
necessary.</li>
    <li>Restart the firewall (shorewall restart).</li>
   
</ul>
   
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
are upgrading to a new version using the tarball:</p>
   
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and
you  have entries in the /etc/shorewall/hosts file then please check your
 /etc/shorewall/interfaces file to be sure that it contains an entry for
each  interface mentioned in the hosts file. Also, there are certain 1.2
rule  forms that are no longer supported under 1.3 (you must use the new
1.3 syntax).  See <a href="errata.htm#Upgrade">the upgrade issues</a> for
details. You can check your rules  and host file for 1.3 compatibility using
the "shorewall check" command after  installing the latest version of 1.3.</p>
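<p>The hosts/interfaces cross-check described in both upgrade sections above can be scripted. The following is an added example, not part of Shorewall or of the original page. It assumes the interface name is the second column of /etc/shorewall/interfaces and the part before the first colon in the second column of /etc/shorewall/hosts; the function names are hypothetical.</p>

```shell
#!/bin/sh
# Added example (not from the Shorewall distribution).
# Assumed column layout, not stated on this page:
#   interfaces:  ZONE  INTERFACE  BROADCAST  OPTIONS
#   hosts:       ZONE  INTERFACE:ADDRESS[,ADDRESS...]  OPTIONS

# missing_interfaces INTERFACES_FILE HOSTS_FILE
# Prints each interface named in the hosts file that has no entry in the
# interfaces file; returns 1 if any are missing, 0 otherwise.
missing_interfaces() {
    awk '
        { sub(/#.*/, "") }              # strip comments
        NF == 0 { next }                # skip blank lines
        FILENAME == ARGV[1] {           # first file: interfaces
            known[$2] = 1
            next
        }
        {                               # second file: hosts
            split($2, part, ":")        # interface precedes the first colon
            if (part[1] in known) next
            if (part[1] in seen) next   # report each interface once
            seen[part[1]] = 1
            print part[1]
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample data: eth2 is used in hosts but absent from interfaces.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '#ZONE INTERFACE BROADCAST OPTIONS' \
        'net eth0 detect' 'loc eth1 detect' > "$dir/interfaces"
    printf '%s\n' '#ZONE HOST(S) OPTIONS' \
        'loc eth1:192.168.1.0/24' \
        'dmz eth2:192.168.2.0/24,192.168.3.5' \
        'dmz eth2:10.1.1.0/24   # second range' > "$dir/hosts"
    missing_interfaces "$dir/interfaces" "$dir/hosts"
    status=$?
    rm -rf "$dir"
    return "$status"
}

# With two paths, check those files; with none, run the sample.
case $# in
    2) missing_interfaces "$1" "$2" ;;
    *) demo || echo "listed above: in hosts, missing from interfaces" ;;
esac
```

<p>Run it with the paths to your interfaces and hosts files before restarting; an empty result with exit status 0 means every interface in the hosts file is covered.</p>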
   
<ul>
    <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
    <li>cd to the shorewall directory (the version is encoded in the    
        directory name as in "shorewall-3.0.1").</li>
    <li>If you are using <a
 href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
 href="http://www.redhat.com">RedHat</a>,           <a
 href="http://www.linux-mandrake.com">Mandrake</a>, <a
 href="http://www.corel.com">Corel</a>,           <a
 href="http://www.slackware.com/">Slackware</a> or           <a
 href="http://www.debian.org">Debian</a>             then type "./install.sh"</li>
    <li>If you are using <a href="http://www.suse.com">SuSE</a> then type
    "./install.sh /etc/init.d"</li>
    <li>If your distribution has directory             /etc/rc.d/init.d or 
/etc/init.d then type             "./install.sh"</li>
    <li>For other distributions, determine where your distribution 
installs init scripts and type "./install.sh &lt;init script directory&gt;"</li>
    <li>See if there are any incompatibilities between your configuration 
and the    new Shorewall version (type "shorewall check") and correct as necessary.</li>
    <li>Restart the firewall by typing "shorewall restart"</li>
   
</ul>
       
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
   
<p>You will need to edit some or all of these configuration files to match 
your  setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall 
 QuickStart Guides</a> contain all of the information you need.</p>
   
<ul>
    <li>/etc/shorewall/shorewall.conf - used to set several firewall    
    parameters.</li>
    <li>/etc/shorewall/params - use this file to set shell variables that 
you will     expand in other files.</li>
    <li>/etc/shorewall/zones - partition the firewall's view of the world
        into <i>zones.</i></li>
    <li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
    <li>/etc/shorewall/interfaces - describes the interfaces on the     
   firewall system.</li>
    <li>/etc/shorewall/hosts - allows defining zones in terms of individual
         hosts and subnetworks.</li>
  <li>/etc/shorewall/maclist - verification of the MAC addresses of devices.<br>
  </li>
    <li>/etc/shorewall/masq - directs the firewall where to use many-to-one
         (dynamic) NAT a.k.a. Masquerading.</li>
    <li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
    <li>/etc/shorewall/rules - defines rules that are exceptions to the 
       overall policies established in /etc/shorewall/policy.</li>
    <li>/etc/shorewall/nat - defines static NAT rules.</li>
    <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
    <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines 
hosts    accessible when Shorewall is stopped.</li>
    <li>/etc/shorewall/tcrules - defines marking of packets for later use 
by     traffic control/shaping.</li>
    <li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
         headers.</li>
    <li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on
        the firewall system.</li>
    <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
   
</ul>
   
<p><font size="2">Updated 10/28/2002 - <a href="support.htm">Tom Eastep</a> 
</font></p>
   
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
 &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
   <br>
 <br>
</body>
</html>