Hi Timo,

On 7/23/2019 11:52 AM, Timo Sigurdsson wrote:
> Hi Matt,
>
> Matt Darfeuille wrote on 22.07.2019 14:00:
>
>> On 7/22/2019 12:39 PM, Timo Sigurdsson wrote:
>>> Hi,
>>>
>>> some of you may be aware of the new default firewall backend in Debian 10
>>> alias Buster, i.e. Buster defaults to nftables and all of xtables programs
>>> (iptables, ip6tables, etc.) are merely symlinks to iptables-nft,
>>> ip6tables-nft, etc. This means you can use the iptables syntax, but will
>>> actually get nftables rules. As I am planning to upgrade my router machine
>>> to Debian 10 in the near future, I was wondering whether I should take any
>>> precautions prior or during the upgrade with regards to shorewall. I use
>>> shorewall in a dual-stack setup with one WAN interface and several LAN-side
>>> interfaces and zones.
>>>
>>
>> To err on the side of caution, I would test Shorewall and the desired
>> configuration using a VM or a chroot when moving away from Iptables and
>> report back any issues you might encounter.
>>
> thanks for the tip. Replicating the exact configuration in a VM would be a
> bit tedious since that machine has about 12 interfaces. What I could start
> with, though, is testing the migration of my small VPN server which only has
> two interfaces and a much simpler shorewall configuration.
>

To avoid creating all interfaces in the VM, one approach could be to make
them 'optional' (1) in the interfaces file.

Whenever possible, I try to take full advantage of the params (2) file.

1) http://shorewall.org/manpages/shorewall-interfaces.html
2) http://shorewall.org/manpages/shorewall-params.html

-Matt
-- 
Matt Darfeuille