shorewall_code/docs/LennyToSqueeze.xml

610 lines
22 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Shorewall Issues when Upgrading from Debian Lenny to
Squeeze</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2009</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Introduction</title>
<para>Debian Lenny includes Shorewall version 4.0.15 while Squeeze will
include Shorewall 4.4. Because there are significant differences between
the two product versions, some users may experience upgrade issues. This
article outlines those issues along with the means for dealing with
them.</para>
</section>
<section>
<title>Packaging Differences</title>
<para>The first key difference between Shorewall 4.0 and Shorewall 4.4 is
in the packaging. In Lenny, there are six Shorewall packages:</para>
<orderedlist>
<listitem>
<para>shorewall-common — Contains the basic components needed to
create an IPv4 firewall.</para>
</listitem>
<listitem>
<para>shorewall-shell — The legacy Shorewall configuration compiler
written in Bourne shell.</para>
</listitem>
<listitem>
<para>shorewall — A transitional package that depends on
shorewall-common and shorewall-shell. Installing this package installs
both shorewall-common and shorewall-shell.</para>
</listitem>
<listitem>
<para>shorewall-perl — A re-implementation of the Shorewall
configuration compiler in Perl. This compiler has many advantages over
the shell-based compiler:</para>
<itemizedlist>
<listitem>
<para>The compiler is much faster</para>
</listitem>
<listitem>
<para>The compiler does a much better job of validating the
configuration, thus avoiding run-time errors.</para>
</listitem>
<listitem>
<para>The compiler produces better and more consistent diagnostic
messages.</para>
</listitem>
<listitem>
<para>The compiler produces a script that runs much faster and
that does not reject/drop connections during start/restart.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>shorewall-lite — A small package that can run scripts generated
by shorewall-shell or shorewall-perl. Allows centralized firewall
administration.</para>
</listitem>
<listitem>
<para>shorewall-doc — Documentation.</para>
</listitem>
</orderedlist>
<para>In Squeeze, there are five packages:</para>
<orderedlist>
<listitem>
<para>shorewall — Contains everything needed to create an IPv4
firewall. It combines the former shorewall-common and shorewall-perl
packages.</para>
</listitem>
<listitem>
<para>shorewall6 — Depends on shorewall. Adds those components needed
to create an IPv6 firewall.</para>
</listitem>
<listitem>
<para>shorewall-lite — Same as in Lenny; only runs IPv4 firewall
scripts.</para>
</listitem>
<listitem>
<para>shorewall6-lite — Similar to shorewall-lite, except that it only
runs IPv6 firewall scripts.</para>
</listitem>
<listitem>
<para>shorewall-doc — Documentation.</para>
</listitem>
</orderedlist>
<warning>
<para>Do not purge the old packages (shorewall-common, shorewall-shell
and shorewall-perl) until after the new shorewall package has been
installed.</para>
</warning>
<para>The key change in Squeeze that may produce upgrade issues is that
Squeeze does not include the shell-based configuration compiler. As a
consequence, unless you have migrated to using Shorewall-perl on Lenny, an
upgrade from Lenny to Squeeze will mean that you will be switching from
the old shell-based compiler to the new Perl-based compiler. While the two
compilers are highly-compatible, there are some differences. Those are
detailed in the following sections.</para>
</section>
<section>
<title>Issues Most Likely to Cause Problems or Concerns</title>
<section>
<title>shorewall.conf</title>
<para>As always, when upgrading from one major release of Shorewall to
another, the installer will prompt you about replacing your existing
<filename>shorewall.conf</filename> with the updated one from the
package. Shorewall is designed with the assumption that users will never
replace shorewall.conf and retaining your existing file will always
produce upward-compatible behavior.</para>
<para>That having been said, there are a few settings in shorewall.conf
that cause compilation warning or error messages after the
upgrade.</para>
<variablelist>
<varlistentry>
<term>BLACKLISTNEWONLY</term>
<listitem>
<para>If you have BLACKLISTNEWONLY=No together with
FASTACCEPT=Yes, you will receive this error:</para>
<para><emphasis role="bold">ERROR: BLACKLISTNEWONLY=No may not be
specified with FASTACCEPT=Yes</emphasis></para>
<para>To eliminate the error, reverse the setting of one of the
options.</para>
<note>
<para>This combination never worked correctly in earlier
versions -- to duplicate the earlier behavior, you will want to
set BLACKLISTNEWONLY=Yes.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term>BRIDGING</term>
<listitem>
<para>If you have set this option to Yes, you will receive the
following error:</para>
<para><emphasis role="bold">ERROR: BRIDGING=Yes is not supported
by Shorewall 4.4.x</emphasis></para>
<para>You should not be receiving this error if you are upgrading
from Lenny since BRIDGING=Yes did not work in that release. If you
have a bridge configuration where you want to control connections
through the bridge, you will want to visit <ulink
url="http://www.shorewall.net/bridge-Shorewall-perl.html">http://www.shorewall.net/bridge-Shorewall-perl.html</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DELAYBLACKLISTLOAD</term>
<listitem>
<para>If you have set this option to Yes, you will receive the
following warning:</para>
<para><emphasis role="bold">WARNING: DELAYBLACKLIST=Yes is not
supported by Shorewall 4.4.x</emphasis></para>
<para>To eliminate the warning, set DELAYBLACKLISTLOAD=No or
remove the setting altogether.</para>
</listitem>
</varlistentry>
<varlistentry id="FW">
<term>FW</term>
<listitem>
<para>If a setting for FW appears in your shorewall.conf file, you
will receive this warning:</para>
<para><emphasis role="bold">WARNING: Unknown configuration option
(FW) ignored.</emphasis></para>
<para>Remove the setting from the file and modify your
<filename>/etc/shorewall/zones</filename> file as described <link
linkend="zones">below</link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>IPSECFILE</term>
<listitem>
<para>If you have specified IPSECFILE=ipsec, then you will receive
the following error:</para>
<para><emphasis role="bold">ERROR: IPSECFILE=ipsec is not
supported by Shorewall 4.4.x</emphasis></para>
<para>To eliminate the warning, you will need to:</para>
<orderedlist>
<listitem>
<para>Set IPSECFILE=zones</para>
</listitem>
<listitem>
<para>Modify your <filename>/etc/shorewall/zones</filename>
file as described <link linkend="zones">below</link>.</para>
</listitem>
</orderedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>RFC1918_LOG_LEVEL</term>
<listitem>
<para>If you have specified any setting for this option, you will
receive the following warning:</para>
<para><emphasis role="bold">WARNING: RFC1918_LOG_LEVEL=value
ignored. The 'norfc1918' interface/host option is no longer
supported.</emphasis></para>
<para>To eliminate the warning, set RFC1918_LOG_LEVEL= or simply
remove the setting altogether.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>RFC1918_STRICT</term>
<listitem>
<para>If you have set this option to Yes, you will receive the
following warning:</para>
<para><emphasis role="bold">WARNING: RFC1918_STRICT=Yes is not
supported by Shorewall 4.4.x</emphasis></para>
<para>To eliminate the warning, set RFC1918_STRICT=No or remove
the setting altogether.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SAVE_IPSETS</term>
<listitem>
<para>If you have SAVE_IPSETS=Yes, you will receive the following
warning:</para>
<para><emphasis role="bold">WARNING SAVE_IPSETS=Yes is not
supported by Shorewall 4.4.x</emphasis></para>
<para>To eliminate this message, you will need to set
SAVE_IPSETS=No or remove the setting altogether.</para>
<para>For more information, see <ulink
url="Shorewall-perl.html#SAVE_IPSETS">this article</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SHOREWALL_COMPILER</term>
<listitem>
<para>If you have specified SHOREWALL_COMPILER=shell, you will
receive the following warning message:</para>
<para><emphasis role="bold">WARNING: SHOREWALL_COMPILER=shell
ignored. Shorewall-shell support has been removed in this
release</emphasis></para>
<para>To eliminate the warning, set SHOREWALL_COMPILER=perl or
simply remove the setting altogether.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>USE_ACTIONS</term>
<listitem>
<para>If you have set this option to No, you will receive the
following warning:</para>
<para><emphasis role="bold">WARNING: USE_ACTIONS=No is not
supported by Shorewall 4.4.x</emphasis></para>
<para>To eliminate the warning, set USE_ACTIONS=Yes or remove the
setting altogether.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section id="zones">
<title>/etc/shorewall/zones</title>
<para>If the column headings in your /etc/shorewall/zones file look like
this:</para>
<programlisting>#ZONE DISPLAY COMMENTS
net Net The big bad net
loc Local The local LAN</programlisting>
<para>then you are using the original zones file format that has been
deprecated since Shorewall 3.0.</para>
<para>You will need to convert to the new file which has the following
headings:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS</programlisting>
<para>You will need to add an entry for your firewall zone. The default
name for the firewall zone is 'fw' but may have been overriden using
<link linkend="FW">the FW option in
<filename>shorewall.conf</filename></link>.</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall</programlisting>
<para>The remainder of your zones will have type 'ipv4' unless they are
mentioned in your /etc/shorewall/ipsec file (see below).</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4 # The big bad net
loc ipv4 # The local LAN</programlisting>
</section>
<section>
<title>/etc/shorewall/ipsec</title>
<para>This file is no longer used -- its specifications are now included
in <filename>/etc/shorewall/zones</filename>.</para>
<para>Take this example:</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
ipsec1 Yes
ipsec2 No</programlisting>
<para>This would translate to the following entries in
<filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
ipsec1 ipsec4
ipsec2 ipv4</programlisting>
<para>Any OPTIONS, IN OPTIONS and OUT OPTIONS should simply be copied
from <filename>/etc/shorewall/ipsec</filename> to
<filename>/etc/shorewall/zones</filename>.</para>
</section>
<section>
<title>/etc/shorewall/interfaces</title>
<para>The BROADCAST column is essentially unused in Squeeze. If it
contains anything except 'detect' or '-', then you will receive this
warning:</para>
<blockquote>
<para><emphasis role="bold">WARNING: Shorewall no longer uses
broadcast addresses in rule generation when Address Type Match is
available</emphasis></para>
</blockquote>
<para>To eliminate the warning, replace the contents of the BROADCAST
column with '-' or 'detect'.</para>
<para>The 'norfc1918' option has been removed. If you specify the
option, you will receive the following warning:</para>
<blockquote>
<para><emphasis role="bold">WARNING: Support for the norfc1918
interface option has been removed from Shorewall</emphasis></para>
</blockquote>
<para>To eliminate the warning, simply remove the 'norfc1918' option
from the OPTIONS list. You may wish to consider NULL_ROUTE_RFC1918=Yes
as a replacement (see <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>
</section>
<section>
<title>/etc/shorewall/hosts</title>
<para>The 'norfc1918' option has been removed. If you specify the
option, you will receive the following warning:</para>
<blockquote>
<para><emphasis role="bold">WARNING: The 'norfc1918' option is no
longer supported</emphasis></para>
</blockquote>
<para>To eliminate the warning, simply remove the 'norfc1918' option
from the OPTIONS list. You may wish to consider NULL_ROUTE_RFC1918=Yes
as a replacement (see <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>
</section>
<section>
<title>/etc/shorewall/masq</title>
<para>There is a long tradition of specifying an interface name in the
SOURCE column of this file. Given that masquerading/SNAT occurs in the
Netfilter POSTROUTING chain where an incoming interface may not be
specified, Shorewall must examine the main routing table during
<command>shorewall start</command> and <command>shorewall
restart</command> processing to determine those networks routed out of
the named interface and add MASQUERADE/SNAT rules for traffic from those
networks. This requires that the named interface be up and configured
when Shorewall starts or restarts.</para>
<para>This continues to be a frequent issue with VPN configurations
where the named interface isn't configured during boot.</para>
<para>To emphasize this restriction, if an interface is named in the
SOURCE column of one or more entries, a single warning as follows is
issued:</para>
<blockquote>
<para><emphasis role="bold">WARNING: Using an interface as the masq
SOURCE requires the interface to be up and configured when Shorewall
starts/restarts</emphasis></para>
</blockquote>
<para>To suppress this warning, replace the interface name with the list
of networks that are routed out of the interface.</para>
<para>Example.</para>
<para>Existing entry:</para>
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/
# GROUP
eth0 eth1</programlisting>
<para>Current routing configuration:</para>
<programlisting>gateway:~# <command>ip route ls dev eth1</command>
172.20.1.0/24 proto kernel scope link src 172.20.1.254
224.0.0.0/4 scope link
gateway:~#
</programlisting>
<para>Replacement entry:</para>
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/
# GROUP
eth0 172.20.1.0/24</programlisting>
<para>Note that no entry is included for 224.0.0.0/4 since that is the
multicast IP range and there should never be any packets with a SOURCE
IP address in that network.</para>
</section>
<section>
<title>/etc/shorewall/rules</title>
<para>If you include a destination zone in a 'nonat' rule, Shorewall
issues the following warning:</para>
<blockquote>
<para><emphasis role="bold">WARNING: Destination zone (zonename)
ignored.</emphasis></para>
</blockquote>
<para>Nonat rules include:</para>
<blockquote>
<simplelist>
<member>DNAT-</member>
<member>REDIRECT-</member>
<member>NONAT</member>
</simplelist>
</blockquote>
<para>To eliminate the warning, remove the DEST zone.</para>
<para>Example.</para>
<para>Before:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
# PORT PORT(S) DEST LIMIT GROUP
NONAT loc net tcp 80</programlisting>
<para>After:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
# PORT PORT(S) DEST LIMIT GROUP
NONAT loc - tcp 80</programlisting>
</section>
<section>
<title>/etc/shorewall/routestopped</title>
<para>The 'critical' option is no longer needed and hence is no longer
supported. If you have critical hosts defined, you will receive this
warning:</para>
<blockquote>
<para><emphasis role="bold">WARNING: The 'critical' option is no
longer supported (or needed)</emphasis></para>
</blockquote>
<para>To suppress the warning, simply remove the option.</para>
<para>Shorewall 4.4 also treats the <filename>routestopped</filename>
file differently from earlier releases. Previously, the
<filename>routestopped</filename> file was parsed during
<command>shorewall stop</command> processing so that changes made to the
file while Shorewall was running would be applied at the next
<command>stop</command>. This is no longer the case -- the
<filename>routestopped</filename> file is processed during compilation
just like the rest of the configuration files so that when
<command>shorewall stop</command> is issued, the firewall will pass
traffic based on the contents of the <filename>routestopped</filename>
file at the last <command>start</command> or
<command>restart</command>.</para>
</section>
<section>
<title>Extension Scripts</title>
<para>If you have entries in Shorewall extension scripts
(<filename>/etc/shorewall/init</filename>,
<filename>/etc/shorewall/start</filename>, etc.), you should review
<ulink url="Shorewall-perl.html#Extensions">this article</ulink>.</para>
</section>
</section>
<section>
<title>Additional Sources of Information</title>
<para>The following articles provide additional information.</para>
<itemizedlist>
<listitem>
<para><ulink url="Shorewall-perl.html#Incompatibilities">Shorewall
Perl Incompatibilities</ulink></para>
</listitem>
<listitem>
<para><ulink url="upgrade_issues.htm">Upgrade Issues</ulink></para>
</listitem>
</itemizedlist>
</section>
</article>