Shorewall 2.0.13

----------------------------------------------------------------------
Problems Corrected in version 2.0.4

1) A DNAT rule with 'fw' as the source that specified logging caused
   "shorewall start" to fail.

----------------------------------------------------------------------
Problems Corrected in version 2.0.5

1) Eliminated "$RESTOREBASE: ambiguous redirect" messages during
   "shorewall stop" in the case where DISABLE_IPV6=Yes in
   shorewall.conf.

2) An anachronistic reference to the mangle option was removed from
   shorewall.conf.

----------------------------------------------------------------------
Problems Corrected in version 2.0.6

1) Some users have reported the pkttype match option in
   iptables/Netfilter failing to match certain broadcast packets. The
   result is that the firewall log shows a lot of broadcast packets.

   Other users have complained of the following message when
   starting Shorewall:

       modprobe: can't locate module ipt_pkttype

   Users experiencing either of these problems can use PKTTYPE=No in
   shorewall.conf to cause Shorewall to use IP address filtering of
   broadcasts rather than packet type.

2) The shorewall.conf and zones file are no longer given execute
   permission by the installer script.

3) ICMP packets that are in the INVALID state are now dropped by the
   Reject and Drop default actions. They do so using the new
   'dropInvalid' builtin action.

-----------------------------------------------------------------------
Problems Corrected in version 2.0.7

1) The PKTTYPE option introduced in version 2.0.6 is now used when
   generating rules to REJECT packets. Broadcast packets are silently
   dropped rather than being rejected with an ICMP error (answering a
   broadcast with an ICMP error is a protocol violation), and users
   whose kernels have broken packet type match support are likely to
   see messages reporting this violation. Setting PKTTYPE=No should
   cause these messages to cease.

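   As an added illustration of the two matching strategies that the
   PKTTYPE option (2.0.6, item 1 above) selects between, and of why a
   reject chain must discard broadcasts before any REJECT target runs,
   the shell function below prints the rules such a chain would contain
   under each setting. This is example code written for this page, not
   Shorewall's generated rule set, whose chain layout differs. With
   PKTTYPE=Yes it relies on the pkttype match, which needs ipt_pkttype;
   with PKTTYPE=No it matches on destination addresses instead, which is
   why the interface's directed broadcast address is passed in as a
   parameter (an assumption of this example, as is the chain name
   'reject'). Multicast is dropped alongside broadcast because RFC 1122
   forbids ICMP errors in reply to either.

```shell
#!/bin/sh
# Added example: emit the rules of a reject chain that drops broadcast
# and multicast traffic before anything reaches a REJECT target, under
# either PKTTYPE setting. Illustrative; not Shorewall's rule generator.
# The chain name and the broadcast-address parameter are assumptions.

# reject_chain_rules PKTTYPE BROADCAST_ADDR
#   PKTTYPE        Yes or No, mirroring the shorewall.conf option
#   BROADCAST_ADDR the directed broadcast address of the interface
#                  (e.g. 192.168.1.255); only used when PKTTYPE=No
reject_chain_rules() {
    pkttype=$1
    bcast=$2
    chain=reject
    case "$pkttype" in
        [Yy]es)
            # The kernel classifies the packet; no addresses needed,
            # but the ipt_pkttype module must load and must work.
            echo "iptables -A $chain -m pkttype --pkt-type broadcast -j DROP"
            echo "iptables -A $chain -m pkttype --pkt-type multicast -j DROP"
            ;;
        [Nn]o)
            # IP address filtering: limited broadcast, the interface's
            # directed broadcast, and the multicast range.
            echo "iptables -A $chain -d 255.255.255.255 -j DROP"
            echo "iptables -A $chain -d $bcast -j DROP"
            echo "iptables -A $chain -d 224.0.0.0/4 -j DROP"
            ;;
        *)
            echo "reject_chain_rules: PKTTYPE must be Yes or No" >&2
            return 1
            ;;
    esac
    # Only unicast traffic gets this far, so every ICMP error or TCP
    # reset below is a reply to a single host, never to a broadcast.
    echo "iptables -A $chain -p tcp -j REJECT --reject-with tcp-reset"
    echo "iptables -A $chain -j REJECT --reject-with icmp-port-unreachable"
}

# count_pkttype_rules PKTTYPE BROADCAST_ADDR
#   Number of rules that need the pkttype match; 0 for PKTTYPE=No,
#   which is what makes the "can't locate module ipt_pkttype" case go away.
count_pkttype_rules() {
    reject_chain_rules "$1" "$2" | grep -c -- '-m pkttype' || true
}
```

   Running `reject_chain_rules No 192.168.1.255` shows the cost of the
   address-based variant: it only knows one interface's broadcast
   address, so a multi-interface firewall needs one such rule per
   interface, whereas the pkttype match covers them all in one rule.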
2) Multiple interfaces with the 'blacklist' option no longer result in
   an error message at startup.

3) The following has been added to /etc/shorewall/bogons:

       0.0.0.0         RETURN

   This prevents the 'nobogons' option from logging DHCP 'DISCOVER'
   broadcasts.

-----------------------------------------------------------------------
New Features in version 2.0.7

1) To improve supportability, the "shorewall status" command now
   includes IP and Route configuration information.

   Example:

   IP Configuration

   1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
       inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       inet6 ::1/128 scope host
   2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
       link/ether 00:a0:c9:15:39:78 brd ff:ff:ff:ff:ff:ff
       inet6 fe80::2a0:c9ff:fe15:3978/64 scope link
   3: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
       link/ether 00:a0:c9:a7:d7:bf brd ff:ff:ff:ff:ff:ff
       inet6 fe80::2a0:c9ff:fea7:d7bf/64 scope link
   5: sit0@NONE: <NOARP> mtu 1480 qdisc noop
       link/sit 0.0.0.0 brd 0.0.0.0
   6: eth2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
       link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
       inet6 fe80::240:d0ff:fe07:3a1b/64 scope link
   7: br0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc noqueue
       link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
       inet 192.168.1.3/24 brd 192.168.1.255 scope global br0
       inet6 fe80::240:d0ff:fe07:3a1b/64 scope link

   Routing Rules

   0:      from all lookup local
   32765:  from all fwmark ca lookup www.out
   32766:  from all lookup main
   32767:  from all lookup default

   Table local:

   broadcast 192.168.1.0 dev br0 proto kernel scope link src 192.168.1.3
   broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
   local 192.168.1.3 dev br0 proto kernel scope host src 192.168.1.3
   broadcast 192.168.1.255 dev br0 proto kernel scope link src 192.168.1.3
   broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
   local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
   local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

   Table www.out:

   default via 192.168.1.3 dev br0

   Table main:

   192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.3
   default via 192.168.1.254 dev br0

   Table default:

-----------------------------------------------------------------------
Problems Corrected in version 2.0.8

1) User/group restricted rules now work in actions.

-----------------------------------------------------------------------
Problems Corrected in version 2.0.9

1) Previously, an empty PROTO column or a value of "all" in that column
   would cause errors when processing the /etc/shorewall/tcrules file.

New Features in version 2.0.9

1) The "shorewall status" command now includes the output of "brctl
   show" if the bridge tools are installed.

-----------------------------------------------------------------------
Problems corrected in version 2.0.10

1) The GATEWAY column was previously ignored in 'pptpserver' entries in
   /etc/shorewall/tunnels.

2) When log rule numbers are included in the LOGFORMAT, duplicate
   rule numbers could previously be generated.

3) The /etc/shorewall/tcrules file now includes a note to the effect
   that rule evaluation continues after a match.

4) The error message produced if Shorewall couldn't obtain the routes
   through an interface named in the SUBNET column of
   /etc/shorewall/masq was less than helpful since it didn't include
   the interface name.

-----------------------------------------------------------------------
New Features in 2.0.10

The "shorewall status" command has been enhanced to include the values
of key /proc settings:

Example from a two-interface firewall:

   /proc

   /proc/sys/net/ipv4/ip_forward = 1
   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
   /proc/sys/net/ipv4/conf/all/arp_filter = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 0
   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
   /proc/sys/net/ipv4/conf/default/arp_filter = 0
   /proc/sys/net/ipv4/conf/default/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth1/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/rp_filter = 0
   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
   /proc/sys/net/ipv4/conf/lo/rp_filter = 0

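   Beyond supportability, these values say something about the
   firewall's own anti-spoofing posture: rp_filter=0 on an interface
   means the kernel accepts packets whose source address would not be
   routed back out through that interface (Shorewall turns it on for an
   interface given the 'routefilter' option), and proxy_arp=1 makes the
   firewall answer ARP requests on behalf of other hosts. The shell
   function below is an added example, not part of Shorewall, that
   reads the /proc section of the status output and reports those
   conditions per interface. SAMPLE_STATUS is constructed for the
   example in the format shown above, with eth1 deliberately set to
   rp_filter=0 and proxy_arp=1 so that the audit has something to flag.

```shell
#!/bin/sh
# Added example: audit the "/proc" section of "shorewall status" output
# for settings that weaken anti-spoofing. Not part of Shorewall. The
# SAMPLE_STATUS text is constructed in the format shown above, with eth1
# deliberately set to rp_filter=0 and proxy_arp=1.

SAMPLE_STATUS='/proc
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 1
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 1
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 1
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0'

# audit_proc_settings < status-output
#   Prints one finding per line. "all" and "default" are kernel templates
#   rather than interfaces and lo is never a spoofing path, so they are
#   skipped; every other interface is reported when rp_filter is off or
#   proxy_arp is on. Lines that are not "path = value" are ignored.
audit_proc_settings() {
    awk '
        NF == 3 && $2 == "=" {
            n = split($1, p, "/")          # p[n] = setting, p[n-1] = interface
            setting = p[n]; value = $3
            if (p[n-2] == "conf") {
                iface = p[n-1]
                if (iface == "all" || iface == "default" || iface == "lo") next
                if (setting == "rp_filter" && value == "0")
                    printf "%s rp_filter=0 (no reverse-path check)\n", iface
                if (setting == "proxy_arp" && value == "1")
                    printf "%s proxy_arp=1 (answers ARP for other hosts)\n", iface
            } else if (setting == "ip_forward" && value == "0") {
                print "ip_forward=0 (forwarding between interfaces is off)"
            }
        }
    '
}

# audit_sample_count: number of findings in SAMPLE_STATUS (2 as constructed).
audit_sample_count() {
    printf '%s\n' "$SAMPLE_STATUS" | audit_proc_settings | wc -l | tr -d ' '
}
```

   To run it against a live box, pipe `shorewall status` into
   audit_proc_settings. Treat an rp_filter finding as a question rather
   than a fault: reverse-path filtering assumes symmetric routing, and
   on a multi-homed firewall where replies legitimately leave through a
   different interface than the request arrived on, turning it on drops
   that traffic.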
-----------------------------------------------------------------------
Problems corrected in 2.0.11

1) The INSTALL file now includes special instructions for Slackware
   users.

2) The bogons file has been updated.

3) Service names are replaced by port numbers in /etc/shorewall/tos.

4) A typo in the install.sh file that caused an error during a new
   install has been corrected.

-----------------------------------------------------------------------
New Features in 2.0.11

1) The AllowNNTP action now allows NNTP over SSL/TLS (NNTPS).

-----------------------------------------------------------------------
Problems corrected in 2.0.12

1) A typo in shorewall.conf (NETNOTSYN) has been corrected.

2) The "shorewall add" and "shorewall delete" commands now work in a
   bridged environment. The syntax is:

       shorewall add <interface>[:<port>]:<address> <zone>
       shorewall delete <interface>[:<port>]:<address> <zone>

   Examples:

       shorewall add br0:eth2:192.168.1.3 OK
       shorewall delete br0:eth2:192.168.1.3 OK

3) Previously, "shorewall save" created an out-of-sequence restore
   script. The commands saved in the user's /etc/shorewall/start script
   were executed prior to the Netfilter configuration being
   restored. This has been corrected so that "shorewall save" now
   places those commands at the end of the script.

   To accomplish this change, the "restore base" file
   (/var/lib/shorewall/restore-base) has been split into two files:

       /var/lib/shorewall/restore-base -- commands to be executed before
                                          the Netfilter configuration is
                                          restored.

       /var/lib/shorewall/restore-tail -- commands to be executed after
                                          the Netfilter configuration is
                                          restored.

4) Previously, traffic from the firewall to a dynamic zone member host
   did not need to match the interface specified when the host was
   added to the zone. For example, if eth0:1.2.3.4 was added to dynamic
   zone Z then traffic out of any firewall interface to 1.2.3.4 would
   obey the fw->Z policies and rules. This has been corrected.

-----------------------------------------------------------------------
New Features in 2.0.12

1) Variable expansion may now be used with the INCLUDE directive.

   Example:

   /etc/shorewall/params

       FILE=/etc/foo/bar

   Any other config file:

       INCLUDE $FILE

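   The expansion happens after /etc/shorewall/params has been sourced
   as shell, which is how Shorewall reads it, so params is already
   trusted code; the config files that use INCLUDE need not be. The
   shell script below is an added example, not Shorewall's own
   configuration reader, of an INCLUDE preprocessor that does the
   expansion without ever passing config text to eval: only a bare
   identifier after '$' is looked up, so '$(...)' or backticks in a
   config line are rejected rather than executed. It also refuses to
   include a file that is world-writable, because whatever is included
   becomes firewall policy. That check, the function names, the
   treatment of relative paths as relative to the configuration
   directory, and the lack of nested INCLUDE support are this example's
   own assumptions.

```shell
#!/bin/sh
# Added example: a minimal INCLUDE preprocessor with variable expansion.
# Illustrative only, not Shorewall's own reader. Assumptions: params is
# shell syntax and is sourced (the trust boundary: whoever can write it
# runs code as root), relative INCLUDE paths are taken under the config
# directory, world-writable included files are refused, and INCLUDE
# lines inside an included file are not followed.

# expand_vars TEXT
#   Replace $NAME and ${NAME} with the value of shell variable NAME.
#   Only identifier characters are accepted as NAME, so config text can
#   never reach eval as code: "$(cmd)" and "$1" are errors, not commands.
expand_vars() {
    text=$1
    out=""
    while :; do
        case "$text" in
            *\$*) ;;
            *) break ;;
        esac
        out="$out${text%%\$*}"         # text before the next '$'
        rest="${text#*\$}"             # text after it
        case "$rest" in
            \{*\}*)
                name="${rest#\{}"; name="${name%%\}*}"
                rest="${rest#*\}}" ;;
            *)
                name=$(printf '%s' "$rest" | sed 's/^\([A-Za-z_][A-Za-z0-9_]*\).*/\1/')
                rest="${rest#"$name"}" ;;
        esac
        case "$name" in
            ''|*[!A-Za-z0-9_]*)
                echo "expand_vars: bad variable reference in: $1" >&2
                return 1 ;;
        esac
        eval "value=\${$name:-}"       # safe: name is a validated identifier
        out="$out$value"
        text=$rest
    done
    printf '%s\n' "$out$text"
}

# process_config CONFDIR FILE
#   Print FILE with each "INCLUDE <path>" line replaced by the contents
#   of <path> after variable expansion; any failure aborts with status 1
#   so a half-expanded configuration is never handed on.
process_config() {
    confdir=$(cd "$1" && pwd -P) || return 1
    cfgfile=$2
    if [ -f "$confdir/params" ]; then
        . "$confdir/params"
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            INCLUDE\ *)
                target=$(expand_vars "${line#"INCLUDE "}") || return 1
                case "$target" in
                    /*) ;;
                    *) target="$confdir/$target" ;;
                esac
                if [ ! -f "$target" ]; then
                    echo "INCLUDE: $target is not a regular file" >&2
                    return 1
                fi
                if [ -n "$(find "$target" -perm -002)" ]; then
                    echo "INCLUDE: $target is world-writable, refused" >&2
                    return 1
                fi
                cat "$target"
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done < "$cfgfile"
}
```

   Usage is `process_config /etc/shorewall /etc/shorewall/rules`. The
   point of the identifier check is that INCLUDE now takes its argument
   from an expansion, so anyone who can edit a config file that uses
   INCLUDE can steer which file is read; limiting expansion to plain
   variable lookups keeps that from becoming command execution.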
-----------------------------------------------------------------------
Problems corrected in 2.0.13

1) A typo in /usr/share/shorewall/firewall caused the following:

       /usr/share/shorewall/firewall: line 1: match_destination_hosts: command not found

-----------------------------------------------------------------------
New Features in 2.0.14

1) Previously, when rate-limiting was specified in
   /etc/shorewall/policy (LIMIT:BURST column), any traffic which
   exceeded the specified rate was silently dropped. Now, if a log
   level is given in the entry (LEVEL column) then drops are logged at
   that level at a rate of 5/min with a burst of 5.

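   Assuming the LIMIT:BURST column holds a value such as 10/sec:5 and
   that packets the limit match lets through take the policy's own
   target, the shell function below prints the iptables rules a
   rate-limited policy entry needs after this change: three when a log
   level is given, two when it is not, which is the older silent-drop
   behaviour described above. This is an added example, not Shorewall's
   rule compiler; the chain name "<source>2<dest>" and the log prefix
   are invented for it, and the 5/min, burst 5 logging rate is the one
   the note states.

```shell
#!/bin/sh
# Added example: the iptables rules behind one rate-limited policy entry,
# with and without a log level. Illustrative, not Shorewall's compiler:
# the chain name "<source>2<dest>" and the log prefix are assumptions;
# the 5/min, burst 5 logging rate is the one the change note states.

# policy_rules SOURCE DEST POLICY LEVEL LIMIT:BURST
#   LEVEL "-" means no log level was given (excess is dropped silently,
#   the pre-2.0.14 behaviour). LIMIT:BURST is e.g. 10/sec:5; BURST
#   defaults to 5, the iptables limit match default.
policy_rules() {
    src=$1 dst=$2 policy=$3 level=$4 limit=$5
    chain="${src}2${dst}"
    rate=${limit%%:*}
    burst=${limit#*:}
    if [ "$burst" = "$limit" ]; then burst=5; fi
    num=${rate%%/*}
    unit=${rate#*/}
    case "$num" in
        ''|*[!0-9]*) echo "policy_rules: bad rate '$rate'" >&2; return 1 ;;
    esac
    case "$unit" in
        sec|second|min|minute|hour|day) ;;
        *) echo "policy_rules: bad rate unit '$unit'" >&2; return 1 ;;
    esac
    case "$burst" in
        ''|*[!0-9]*) echo "policy_rules: bad burst '$burst'" >&2; return 1 ;;
    esac

    # Traffic within the rate takes the policy's own target.
    echo "iptables -A $chain -m limit --limit $rate --limit-burst $burst -j $policy"
    # Since 2.0.14: excess is logged when a level is given. The LOG rule
    # carries its own limit so a packet flood cannot also flood the log.
    if [ -n "$level" ] && [ "$level" != "-" ]; then
        echo "iptables -A $chain -m limit --limit 5/min --limit-burst 5 -j LOG --log-level $level --log-prefix \"Shorewall:$chain:DROP:\""
    fi
    # Excess is dropped either way; before 2.0.14 this was the only
    # rule after the limited one, hence the silent drops.
    echo "iptables -A $chain -j DROP"
}
```

   `policy_rules net fw ACCEPT info 10/sec:5` prints the logged form;
   the same call with "-" in place of "info" prints the silent one. The
   limit on the LOG rule is the detail worth keeping in mind when
   reading such logs: at most five lines per minute after the initial
   burst, so the log records that a flood is happening, not its size.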
-----------------------------------------------------------------------
Problems corrected in 2.0.14

1) A typo in the /etc/shorewall/interfaces file has been fixed.