Shorewall 4.3.5

----------------------------------------------------------------------------
                R E L E A S E   4 . 4   H I G H L I G H T S
----------------------------------------------------------------------------

1) Support for Shorewall-shell has been discontinued. Shorewall-perl
   has been combined with Shorewall-common to produce a single
   Shorewall package.

2) The interfaces file OPTIONs have been extended to largely remove the
   need for the hosts file.

Problems corrected in 4.3.5

None.

Known Problems Remaining:

None.

New Features in Shorewall 4.3.5

New Features in Shorewall 4.4

1) The Shorewall packaging has been completely revamped in Shorewall
   4.4.

   The new packages are:

   - Shorewall. Includes the former Shorewall-common and
     Shorewall-perl packages. Includes everything needed
     to create an IPv4 firewall.

   - Shorewall6. Requires Shorewall. Adds the components necessary to
     create an IPv6 firewall.

   - Shorewall-lite

     May be installed on a firewall system to run
     IPv4 firewall scripts generated by Shorewall.

   - Shorewall6-lite

     May be installed on a firewall system to run
     IPv6 firewall scripts generated by Shorewall.

2) The interfaces file supports a new 'nets=' option. This option
   allows users to restrict a zone's definition to particular networks
   through an interface without having to use the hosts file.

   Example interfaces file:

   #ZONE   INTERFACE   BROADCAST   OPTIONS
   loc     eth3        detect      dhcp,logmartians=1,routefilter=1,nets=172.20.1.0/24
   dmz     eth4        detect      logmartians=1,routefilter=1,nets=206.124.146.177
   net     eth0        detect      dhcp,blacklist,tcpflags,optional,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
   net     eth2        detect      dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
   loc     tun+        detect      nets=172.20.0.0/24
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

   Note that when more than one network address is listed, the list
   must be enclosed in parentheses. Notice also that exclusion may be
   used.

   The first entry in the above interfaces file is equivalent to the
   following:

   interfaces:

   #ZONE   INTERFACE   BROADCAST   OPTIONS
   -       eth3        detect      dhcp,logmartians=1,routefilter=1

   hosts:

   #ZONE   HOST(S)               OPTIONS
   loc     eth3:172.20.1.0/24    broadcast

   Note that the 'broadcast' option is automatically assumed and need
   not be explicitly specified.
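The following is an added example, not Shorewall's own code: a small Python model of how the 'nets=' option narrows a zone. It parses the OPTIONS column of the interfaces file shown above, extracts the nets= value (a single network, or a parenthesised list, optionally written with a leading '!' to exclude the whole list, which is the reading used for the 'net' entries on this page) and decides which zone a source address seen on a given interface falls into. It recognises only the interface options that appear on this page, and the interface-name wildcard handling ('tun+') is the author's assumption about Shorewall's prefix matching.

```python
"""Model of the interfaces-file 'nets=' option (added example, not Shorewall code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Subset of interface options, limited to those used in the example above.
KNOWN_OPTIONS = {"dhcp", "blacklist", "tcpflags", "optional", "upnp",
                 "logmartians", "routefilter", "nets"}


@dataclass
class NetsSpec:
    networks: List[ipaddress.IPv4Network]
    exclude: bool = False  # True for nets=(!a,b): everything except a and b

    def matches(self, address: str) -> bool:
        hit = any(ipaddress.ip_address(address) in net for net in self.networks)
        return not hit if self.exclude else hit


def split_options(options: str) -> List[str]:
    """Split OPTIONS on commas outside parentheses so nets=(a,b) stays whole."""
    parts, current, depth = [], [], 0
    for ch in options:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p for p in parts if p]


def parse_nets(options: str) -> Optional[NetsSpec]:
    """Return the nets= specification, or None when absent. A multi-network
    list written without parentheses breaks apart at the comma and its tail
    shows up as an unknown option, which raises ValueError."""
    spec = None
    for opt in split_options(options):
        key, _, value = opt.partition("=")
        if key not in KNOWN_OPTIONS:
            raise ValueError("unknown interface option: %r" % opt)
        if key != "nets":
            continue
        if value.startswith("(") and value.endswith(")"):
            value = value[1:-1]
        exclude = value.startswith("!")
        value = value[1:] if exclude else value
        spec = NetsSpec([ipaddress.ip_network(n, strict=False)
                         for n in value.split(",")], exclude)
    return spec


def options_are_valid(options: str) -> bool:
    try:
        parse_nets(options)
        return True
    except ValueError:
        return False


@dataclass
class InterfaceEntry:
    zone: str
    interface: str
    nets: Optional[NetsSpec]


def parse_interfaces(text: str) -> List[InterfaceEntry]:
    """Parse the ZONE INTERFACE BROADCAST OPTIONS columns; '#' lines are comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        zone, interface, _broadcast, *rest = line.split()
        entries.append(InterfaceEntry(zone, interface, parse_nets(rest[0] if rest else "")))
    return entries


def interface_matches(pattern: str, name: str) -> bool:
    """Assumed wildcard rule: a trailing '+' matches any interface with that prefix."""
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else name == pattern


def zones_for(entries: List[InterfaceEntry], interface: str, source: str) -> List[str]:
    """Zones whose definition covers `source` arriving on `interface`."""
    return [e.zone for e in entries
            if interface_matches(e.interface, interface)
            and (e.nets is None or e.nets.matches(source))]


# Sample input: the interfaces file from the release notes above.
SAMPLE = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth3        detect      dhcp,logmartians=1,routefilter=1,nets=172.20.1.0/24
dmz     eth4        detect      logmartians=1,routefilter=1,nets=206.124.146.177
net     eth0        detect      dhcp,blacklist,tcpflags,optional,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
net     eth2        detect      dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
loc     tun+        detect      nets=172.20.0.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""
ENTRIES = parse_interfaces(SAMPLE)

if __name__ == "__main__":
    for iface, src in [("eth3", "172.20.1.7"), ("eth3", "10.1.1.1"),
                       ("eth0", "172.20.0.5"), ("eth0", "198.51.100.9"), ("tun0", "172.20.0.9")]:
        print(iface, src, zones_for(ENTRIES, iface, src))
```

Run as a script it prints the zone (if any) for a handful of constructed source addresses; the useful observations are that a host in 172.20.0.0/24 arriving on eth0 lands in no zone at all because of the exclusion, and that writing two networks without the enclosing parentheses is rejected rather than silently narrowing the zone to the first one.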

3) Some websites run applications that require multiple connections
   from a client browser. Where multiple 'balanced' providers are
   configured, this can lead to problems when some of the connections
   are routed through one provider and some through another.

   To work around this issue, the SAME target has been added to
   /etc/shorewall/tcrules. SAME may currently be used only in the
   PREROUTING chain and causes matching connections from an individual
   local system to all use the same provider.

   For example:

   SAME:P   192.168.1.0/24   -   tcp   80,443

   If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or
   443 and it has sent a packet on either of those ports in the last
   two minutes then the new connection will use the same provider as
   the connection over which that last packet was sent.
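The behaviour described for SAME, as an added example in Python that is not part of Shorewall: it parses the tcrules line above and models the provider decision for new connections. The balancing between providers is a simple round-robin chosen for the demonstration (an assumption; the real implementation uses kernel packet marks and routing tables, which are not modelled), and the provider names and traffic are constructed. The point it shows is the failure mode the notes describe: without the rule, a host's port-80 and port-443 connections to the same site land on different providers; with it, the host keeps one provider until it has been quiet for two minutes.

```python
"""Model of the tcrules SAME target (added example, not Shorewall code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

STICKY_SECONDS = 120  # "in the last two minutes"


@dataclass(frozen=True)
class SameRule:
    source: ipaddress.IPv4Network
    proto: str
    ports: FrozenSet[int]

    def matches(self, src: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src) in self.source
                and proto == self.proto and dport in self.ports)


def parse_same_rule(line: str) -> SameRule:
    """Parse the tcrules form used above: SAME:P SOURCE DEST PROTO PORT(S)."""
    mark, source, _dest, proto, ports = line.split()
    if not mark.startswith("SAME"):
        raise ValueError("not a SAME rule: %r" % line)
    return SameRule(ipaddress.ip_network(source, strict=False), proto,
                    frozenset(int(p) for p in ports.split(",")))


class Balancer:
    """Chooses a provider for each new connection (round-robin is an assumption)."""

    def __init__(self, providers: List[str], rules: List[SameRule]):
        self.providers = list(providers)
        self.rules = list(rules)
        self.counter = 0
        # per source host: (provider in use, time of its last matching packet)
        self.sticky: Dict[str, Tuple[str, float]] = {}

    def _balanced(self) -> str:
        provider = self.providers[self.counter % len(self.providers)]
        self.counter += 1
        return provider

    def route(self, now: float, src: str, proto: str, dport: int) -> str:
        """Provider for a new connection from src to proto/dport at time now."""
        if not any(r.matches(src, proto, dport) for r in self.rules):
            return self._balanced()      # SAME does not apply: plain balancing
        entry = self.sticky.get(src)
        if entry is not None and now - entry[1] <= STICKY_SECONDS:
            provider = entry[0]          # seen within two minutes: same provider
        else:
            provider = self._balanced()  # unknown or stale host: balance again
        self.sticky[src] = (provider, now)
        return provider

    def packet(self, now: float, src: str) -> None:
        """Any further packet on a sticky host's matching ports refreshes the timer."""
        if src in self.sticky:
            self.sticky[src] = (self.sticky[src][0], now)


def simulate(rules: List[SameRule]) -> List[str]:
    """Constructed traffic: two hosts each open port 80 then 443, a third host
    opens port 80, then the first host returns after its window has lapsed."""
    b = Balancer(["isp1", "isp2"], rules)
    return [b.route(0, "192.168.1.10", "tcp", 80),
            b.route(1, "192.168.1.10", "tcp", 443),
            b.route(2, "192.168.1.11", "tcp", 80),
            b.route(3, "192.168.1.11", "tcp", 443),
            b.route(4, "192.168.1.12", "tcp", 80),
            b.route(200, "192.168.1.10", "tcp", 80)]


if __name__ == "__main__":
    rule = parse_same_rule("SAME:P 192.168.1.0/24 - tcp 80,443")
    print("balanced only:", simulate([]))
    print("with SAME:    ", simulate([rule]))
```

The second list printed shows each host's two connections on the same provider, while traffic that the rule does not cover (another port, or a source outside 192.168.1.0/24) is still balanced and never creates a sticky entry.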