Shorewall Issues when Upgrading from Debian Lenny to Squeeze

Tom Eastep

2009 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Introduction

Debian Lenny includes Shorewall version 4.0.15 while Squeeze will include Shorewall 4.4. Because there are significant differences between the two product versions, some users may experience upgrade issues. This article outlines those issues along with the means for dealing with them.
Packaging Differences

The first key difference between Shorewall 4.0 and Shorewall 4.4 is in the packaging. In Lenny, there are six Shorewall packages:

  * shorewall-common: Contains the basic components needed to create an IPv4 firewall.
  * shorewall-shell: The legacy Shorewall configuration compiler written in Bourne shell.
  * shorewall: A transitional package that depends on shorewall-common and shorewall-shell. Installing this package installs both shorewall-common and shorewall-shell.
  * shorewall-perl: A re-implementation of the Shorewall configuration compiler in Perl. This compiler has many advantages over the shell-based compiler:
      - The compiler is very much faster.
      - The compiler does a much better job of validating the configuration, thus avoiding run-time errors.
      - The compiler produces a script that runs much faster and that does not reject/drop connections during start/restart.
  * shorewall-lite: A small package that can run scripts generated by shorewall-shell or shorewall-perl. Allows centralized firewall administration.
  * shorewall-doc: Documentation.

In Squeeze, there are five packages:

  * shorewall: Contains everything needed to create an IPv4 firewall. It combines the former shorewall-common and shorewall-perl packages.
  * shorewall6: Depends on shorewall. Adds those components needed to create an IPv6 firewall.
  * shorewall-lite: Same as in Lenny; only runs IPv4 firewall scripts.
  * shorewall6-lite: Similar to shorewall-lite, except that it only runs IPv6 firewall scripts.
  * shorewall-doc: Documentation.

The key change in Squeeze that may produce upgrade issues is that Squeeze does not include the shell-based configuration compiler. As a consequence, unless you have migrated to using Shorewall-perl on Lenny, an upgrade from Lenny to Squeeze will mean that you will be switching from the old shell-based compiler to the new Perl-based compiler. While the two compilers are highly compatible, there are some differences. Those are detailed in the following sections.
Issues Most Likely to Cause Problems or Concerns
shorewall.conf

As always, when upgrading from one major release of Shorewall to another, the installer will prompt you about replacing your existing shorewall.conf with the updated one from the package. Shorewall is designed with the assumption that users will never replace shorewall.conf and retaining your existing file will always produce upward-compatible behavior. That having been said, there are a few settings in shorewall.conf that cause compilation warning or error messages after the upgrade.

BRIDGING

If you have set this option to Yes, you will receive the following error:

    ERROR: BRIDGING=Yes is not supported by Shorewall 4.4.x

You should not be receiving this error if you are upgrading from Lenny since BRIDGING=Yes did not work in that release.

DELAYBLACKLISTLOAD

If you have set this option to Yes, you will receive the following warning:

    WARNING: DELAYBLACKLIST=Yes is not supported by Shorewall 4.4.x

To eliminate the warning, set DELAYBLACKLISTLOAD=No or remove the setting altogether.

FW

If a setting for FW appears in your shorewall.conf file, you will receive this warning:

    WARNING: Unknown configuration option (FW) ignored.

Remove the setting from the file and modify your /etc/shorewall/zones file as described below.

IPSECFILE

If you have specified IPSECFILE=ipsec, then you will receive the following error:

    ERROR: IPSECFILE=ipsec is not supported by Shorewall 4.4.x

To eliminate the error, you will need to:

  * Set IPSECFILE=zones
  * Modify your /etc/shorewall/zones file as described below.

MAPOLDACTIONS

If you have set this option to Yes, you will receive the following error:

    ERROR: MAPOLDACTIONS=Yes is not supported by Shorewall 4.4.x

Only the very oldest of configurations should receive this error. If your configuration is that old, this might be a good time to reconfigure from scratch. The alternative is to change your /etc/shorewall/rules file as described in the Shorewall 3.0.0 upgrade issues from 2005.
RFC1918_LOG_LEVEL

If you have specified any setting for this option, you will receive the following warning:

    WARNING: RFC1918_LOG_LEVEL=value ignored. The 'norfc1918' interface/host option is no longer supported.

To eliminate the warning, set RFC1918_LOG_LEVEL= or simply remove the setting altogether.

RFC1918_STRICT

If you have set this option to Yes, you will receive the following warning:

    WARNING: RFC1918_STRICT=Yes is not supported by Shorewall 4.4.x

To eliminate the warning, set RFC1918_STRICT=No or remove the setting altogether.

SAVE_IPSETS

If you have SAVE_IPSETS=Yes, you will receive the following warning:

    WARNING SAVE_IPSETS=Yes is not supported by Shorewall 4.4.x

To eliminate this message, you will need to set SAVE_IPSETS=No or remove the setting altogether. For more information, see this article.

SHOREWALL_COMPILER

If you have specified SHOREWALL_COMPILER=shell, you will receive the following warning message:

    WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell support has been removed in this release

To eliminate the warning, set SHOREWALL_COMPILER=perl or simply remove the setting altogether.

USE_ACTIONS

If you have set this option to No, you will receive the following warning:

    WARNING: USE_ACTIONS=No is not supported by Shorewall 4.4.x

To eliminate the warning, set USE_ACTIONS=Yes or remove the setting altogether.
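The settings above are easy to check for before the upgrade rather than after. The following script is an added example, not part of this article or of the Shorewall project: it parses a shorewall.conf in the usual shell KEY=VALUE style and reports every setting that Shorewall 4.4 would reject (ERROR) or ignore (WARNING), together with the remedy given in this section. The SAMPLE_CONF text is a constructed Lenny-era fragment, not a file from any real system; point parse_conf at the contents of /etc/shorewall/shorewall.conf to audit a live host.

```python
"""Pre-upgrade audit of shorewall.conf for settings Shorewall 4.4 rejects or ignores.
Added example; the option list and remedies mirror the section above."""
import re
import shlex

# (option, predicate on the lower-cased value, severity, remedy)
CHECKS = [
    ("BRIDGING",           lambda v: v == "yes",   "ERROR",   "remove the setting (BRIDGING=Yes did not work on Lenny anyway)"),
    ("DELAYBLACKLISTLOAD", lambda v: v == "yes",   "WARNING", "set DELAYBLACKLISTLOAD=No or remove the setting"),
    ("FW",                 lambda v: True,         "WARNING", "remove the setting and add a 'firewall' type zone to /etc/shorewall/zones"),
    ("IPSECFILE",          lambda v: v == "ipsec", "ERROR",   "set IPSECFILE=zones and fold /etc/shorewall/ipsec into /etc/shorewall/zones"),
    ("MAPOLDACTIONS",      lambda v: v == "yes",   "ERROR",   "convert /etc/shorewall/rules as per the Shorewall 3.0.0 upgrade notes"),
    ("RFC1918_LOG_LEVEL",  lambda v: v != "",      "WARNING", "set RFC1918_LOG_LEVEL= or remove the setting"),
    ("RFC1918_STRICT",     lambda v: v == "yes",   "WARNING", "set RFC1918_STRICT=No or remove the setting"),
    ("SAVE_IPSETS",        lambda v: v == "yes",   "WARNING", "set SAVE_IPSETS=No or remove the setting"),
    ("SHOREWALL_COMPILER", lambda v: v == "shell", "WARNING", "set SHOREWALL_COMPILER=perl or remove the setting"),
    ("USE_ACTIONS",        lambda v: v == "no",    "WARNING", "set USE_ACTIONS=Yes or remove the setting"),
]

ASSIGN = re.compile(r'^([A-Z][A-Z0-9_]*)=(.*)$')


def parse_conf(text):
    """Return {OPTION: value} for the KEY=VALUE lines of a shorewall.conf.
    Values are unquoted with shlex and trailing '# comments' dropped, as the shell
    would see them; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = ASSIGN.match(line)
        if not m:
            continue
        key, rhs = m.group(1), m.group(2)
        parts = shlex.split(rhs, comments=True)   # '' and "" both become an empty value
        settings[key] = parts[0] if parts else ""
    return settings


def audit(settings):
    """Return [(severity, option, value, remedy)] for every setting 4.4 would reject or ignore,
    in the order the section lists them."""
    findings = []
    for option, is_bad, severity, remedy in CHECKS:
        if option in settings:
            value = settings[option]
            if is_bad(value.lower()):
                findings.append((severity, option, value, remedy))
    return findings


def blocking(findings):
    """Only the findings that stop the 4.4 compiler (the ERROR cases)."""
    return [f for f in findings if f[0] == "ERROR"]


# Constructed sample of a Lenny-era configuration; not taken from any real system.
SAMPLE_CONF = """\
# Shorewall configuration (constructed sample)
STARTUP_ENABLED=Yes
SHOREWALL_COMPILER=shell
FW=fw
IPSECFILE=ipsec   # old-style zones + ipsec split
RFC1918_LOG_LEVEL=info
RFC1918_STRICT=No
SAVE_IPSETS=""
USE_ACTIONS=Yes
BRIDGING=No
"""

if __name__ == "__main__":
    for severity, option, value, remedy in audit(parse_conf(SAMPLE_CONF)):
        print(f"{severity}: {option}={value!r}: {remedy}")
```

On the constructed sample the script reports four findings, of which only IPSECFILE=ipsec is an error that the compiler refuses; the other three are ignored with a warning, so the firewall would still start after the upgrade.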
/etc/shorewall/zones

If the column headings in your /etc/shorewall/zones file look like this:

    #ZONE   DISPLAY   COMMENTS
    net     Net       The big bad net
    loc     Local     The local LAN

then you are using the original zones file format that has been deprecated since Shorewall 3.0. You will need to convert to the new file which has the following headings:

    #ZONE   TYPE      OPTIONS   IN        OUT
    #                           OPTIONS   OPTIONS

You will need to add an entry for your firewall zone. The default name for the firewall zone is 'fw' but may have been overridden using the FW option in shorewall.conf.

    #ZONE   TYPE      OPTIONS   IN        OUT
    #                           OPTIONS   OPTIONS
    fw      firewall

The remainder of your zones will have type 'ipv4' unless they are mentioned in your /etc/shorewall/ipsec file (see below).

    #ZONE   TYPE      OPTIONS   IN        OUT
    #                           OPTIONS   OPTIONS
    fw      firewall
    net     ipv4      # The big bad net
    loc     ipv4      # The local LAN
/etc/shorewall/ipsec

This file is no longer used -- its specifications are now included in /etc/shorewall/zones. Take this example:

    #ZONE   IPSEC   OPTIONS   IN        OUT
    #       ONLY              OPTIONS   OPTIONS
    ipsec1  Yes
    ipsec2  No

This would translate to the following entries in /etc/shorewall/zones:

    #ZONE   TYPE      OPTIONS   IN        OUT
    #                           OPTIONS   OPTIONS
    ipsec1  ipsec4
    ipsec2  ipv4

Any OPTIONS, IN OPTIONS and OUT OPTIONS should simply be copied from /etc/shorewall/ipsec to /etc/shorewall/zones.
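The zones conversion and the ipsec merge described in the two sections above are one mechanical procedure, so here is a converter that does both. It is an added example, not code from this article or from the Shorewall project: it reads the deprecated ZONE/DISPLAY/COMMENTS zones file and the old ipsec file, emits the firewall zone first (named by the fw argument, which stands in for the old FW setting), gives a zone type ipsec4 when its ipsec entry says IPSEC ONLY=Yes and ipv4 otherwise, copies the OPTIONS, IN OPTIONS and OUT OPTIONS columns across, and carries the old free-text comment along as a '#' comment. The two sample files are constructed for the example, including the mode=tunnel option on ipsec2.

```python
"""Convert a pre-3.0 /etc/shorewall/zones (ZONE DISPLAY COMMENTS) plus /etc/shorewall/ipsec
into the Shorewall 4.4 zones layout (ZONE TYPE OPTIONS IN-OPTIONS OUT-OPTIONS).
Added example; assumes the conventions shown in the two sections above."""


def parse_old_zones(text):
    """[(zone, display, comment)] from the deprecated layout; COMMENTS is free text."""
    zones = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split(None, 2)
        zone = fields[0]
        display = fields[1] if len(fields) > 1 else ""
        comment = fields[2] if len(fields) > 2 else ""
        zones.append((zone, display, comment))
    return zones


def parse_ipsec(text):
    """{zone: (ipsec_only, options, in_options, out_options)}; missing columns become '-'."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        fields += ['-'] * (5 - len(fields))
        zone, only, opts, inopts, outopts = fields[:5]
        table[zone] = (only.lower() == 'yes', opts, inopts, outopts)
    return table


def convert(old_zones_text, ipsec_text="", fw="fw"):
    """Return the new-format zones file as a string. The firewall zone comes first;
    the old DISPLAY column has no counterpart in 4.4 and is dropped."""
    ipsec = parse_ipsec(ipsec_text)
    rows = [(fw, "firewall", "-", "-", "-", "")]
    for zone, _display, comment in parse_old_zones(old_zones_text):
        if zone == fw:
            continue  # the firewall zone is emitted exactly once, above
        only, opts, inopts, outopts = ipsec.get(zone, (False, "-", "-", "-"))
        rows.append((zone, "ipsec4" if only else "ipv4", opts, inopts, outopts, comment))
    lines = ["#ZONE     TYPE      OPTIONS   IN        OUT",
             "#                             OPTIONS   OPTIONS"]
    for zone, ztype, opts, inopts, outopts, comment in rows:
        fields = [zone, ztype, opts, inopts, outopts]
        while len(fields) > 2 and fields[-1] == "-":   # trailing placeholders are noise
            fields.pop()
        line = "".join(f"{f:<10}" for f in fields).rstrip()
        if comment:
            line += "   # " + comment
        lines.append(line)
    return "\n".join(lines) + "\n"


# Constructed sample files, not copied from any real system.
OLD_ZONES = """\
#ZONE   DISPLAY   COMMENTS
net     Net       The big bad net
loc     Local     The local LAN
ipsec1  VPN1      Road warriors
ipsec2  VPN2      Site-to-site tunnel
"""
OLD_IPSEC = """\
#ZONE   IPSEC   OPTIONS       IN        OUT
#       ONLY                  OPTIONS   OPTIONS
ipsec1  Yes
ipsec2  No      mode=tunnel
"""

if __name__ == "__main__":
    print(convert(OLD_ZONES, OLD_IPSEC), end="")
```

Review the output before installing it: the script cannot know about zones you defined only in /etc/shorewall/ipsec without a zones entry, and it does not touch the hosts or interfaces files that refer to those zone names.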
/etc/shorewall/interfaces

The 'norfc1918' option has been removed. If you specify the option, you will receive the following warning:

    WARNING: Support for the norfc1918 interface option has been removed from Shorewall

To suppress the warning, remove 'norfc1918' from the OPTIONS list. As a replacement, consider setting NULL_ROUTE_RFC1918=Yes in shorewall.conf (5).
/etc/shorewall/hosts

The 'norfc1918' option has been removed. If you specify the option, you will receive the following warning:

    WARNING: The 'norfc1918' option is no longer supported

To suppress the warning, remove 'norfc1918' from the OPTIONS list. As a replacement, consider setting NULL_ROUTE_RFC1918=Yes in shorewall.conf (5).
/etc/shorewall/masq

There is a long tradition of specifying an interface name in the SOURCE column of this file. Given that masquerading/SNAT occurs in the Netfilter POSTROUTING chain where an incoming interface may not be specified, Shorewall must examine the main routing table to determine those networks routed out of the named interface and add MASQUERADE/SNAT rules for traffic from those networks. This requires that the named interface be up and configured when Shorewall starts or restarts. This continues to be an issue with VPN configurations where the named interface isn't configured during boot. To emphasize this restriction, if an interface is named in the SOURCE column of one or more entries, a single warning as follows is issued:

    WARNING: Using an interface as the masq SOURCE requires the interface to be up and configured when Shorewall starts/restarts

To suppress this warning, replace the interface name with the list of networks that are routed out of the interface.

Example. Existing entry:

    #INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK   USER/
    #                                                                GROUP
    eth0         eth1

Current routing configuration:

    gateway:~# ip route ls dev eth1
    172.20.1.0/24  proto kernel  scope link  src 172.20.1.254
    224.0.0.0/4  scope link
    gateway:~#

Replacement entry:

    #INTERFACE   SOURCE          ADDRESS   PROTO   PORT(S)   IPSEC   MARK   USER/
    #                                                                       GROUP
    eth0         172.20.1.0/24

Note that no entry is included for 224.0.0.0/4 since that is the multicast IP range and there should never be any packets with a SOURCE IP address in that network.
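The replacement above is derived by hand from the routing table; the following script is an added example (not from this article or from the Shorewall project) that does the same derivation mechanically and generalizes it a little. routed_networks() takes the text of `ip route ls dev IFACE`, keeps each unicast destination, and skips the multicast range the section warns about, the default route (which has no source network) and reject-type routes (unreachable, blackhole, prohibit, throw), which never carry outbound traffic. rewrite_masq() then substitutes the comma-separated network list for a bare interface name in the SOURCE column. Entries whose SOURCE is already a network, or is qualified (for example an exclusion list), are left untouched. The masq file and the routing output are constructed samples modelled on the example above, including one extra network reached via a gateway on eth1.

```python
"""Replace bare interface names in the SOURCE column of /etc/shorewall/masq with the
networks routed out of that interface, as the section above advises.
Added example; the inputs are constructed samples."""
import ipaddress

REJECT_TYPES = {"unreachable", "blackhole", "prohibit", "throw"}


def routed_networks(ip_route_output):
    """Unicast networks from `ip route ls dev IFACE` output, as IPv4Network objects, in
    table order without duplicates. Multicast, 'default' and reject-type routes are
    skipped, and so are shell prompt or command echo lines that got pasted in."""
    nets = []
    for raw in ip_route_output.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in REJECT_TYPES or tokens[0] == "default":
            continue
        try:
            net = ipaddress.ip_network(tokens[0], strict=False)  # a bare host becomes /32
        except ValueError:
            continue  # prompt text, command echo, or anything that is not an address
        if net.is_multicast:
            continue  # 224.0.0.0/4: never a valid source network
        if net not in nets:
            nets.append(net)
    return nets


def rewrite_masq(masq_text, routes_by_iface):
    """Return the masq file text with each bare interface name in SOURCE replaced by the
    comma-separated networks routed out of it. routes_by_iface maps an interface name to
    the output of `ip route ls dev <name>`; lines that need no change are kept verbatim."""
    out = []
    for raw in masq_text.splitlines():
        stripped = raw.strip()
        fields = raw.split()
        if not stripped or stripped.startswith('#') or len(fields) < 2 \
                or fields[1] not in routes_by_iface:
            out.append(raw)  # comment, blank, or SOURCE that is not a plain interface name
            continue
        nets = routed_networks(routes_by_iface[fields[1]])
        if not nets:
            raise ValueError(f"no routed networks found for {fields[1]}; fix the entry by hand")
        fields[1] = ",".join(str(n) for n in nets)  # Shorewall accepts a comma-separated list
        out.append("\t".join(fields))
    return "\n".join(out) + "\n"


# Constructed samples modelled on the article's example; not from any real system.
ROUTES_ETH1 = """\
gateway:~# ip route ls dev eth1
172.20.1.0/24  proto kernel  scope link  src 172.20.1.254
10.8.0.0/24  via 172.20.1.2
224.0.0.0/4  scope link
gateway:~#
"""
MASQ = """\
#INTERFACE   SOURCE           ADDRESS
eth0         eth1
eth0         192.168.5.0/24
"""

if __name__ == "__main__":
    print(rewrite_masq(MASQ, {"eth1": ROUTES_ETH1}), end="")
```

Because the list is computed once, at conversion time, the resulting masq file no longer depends on eth1 being up when Shorewall starts, which is exactly the point of the warning; the trade-off is that it must be regenerated whenever a network is added to or removed from that interface.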