This is a major release of Shorewall.

Functions from 1.3 that have been omitted from this version include:

1) The MERGE_HOSTS variable in shorewall.conf is no longer
   supported. Shorewall 1.4 behavior is the same as 1.3 with
   MERGE_HOSTS=Yes.

2) Interface names of the form <device>:<integer> in
   /etc/shorewall/interfaces now generate an error.

3) Shorewall 1.4 implements behavior consistent with
   OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error
   at startup, as will specification of the 'noping' or 'filterping'
   interface options.

4) The 'routestopped' option in the /etc/shorewall/interfaces and
   /etc/shorewall/hosts files is no longer supported and will generate
   an error at startup if specified.

5) The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
   accepted.

6) The ALLOWRELATED variable in shorewall.conf is no longer
   supported. Shorewall 1.4 behavior is the same as 1.3 with
   ALLOWRELATED=Yes.

7) The 'multi' interface option is no longer supported. Shorewall will
   generate rules for sending packets back out the same interface
   that they arrived on in two cases:

   a) There is an _explicit_ policy for the source zone to the
      destination zone. An explicit policy names both zones and does not
      use the 'all' reserved word.

   b) There are one or more rules for traffic from the source zone to
      or from the destination zone, including rules that use the 'all'
      reserved word. Exception: if the source and the destination are
      the same zone, then the rule must be explicit - it must name the
      zone in both the SOURCE and DESTINATION columns.
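The removals above are the ones most likely to stop a 1.3 configuration from starting under 1.4. As an added example (not Shorewall's own code and not part of these release notes), the following POSIX shell lint scans a configuration directory for items 1, 2, 3, 4, 6 and 7 of that list and prints one finding per hit. It assumes the classic file layout (shorewall.conf, interfaces and hosts in one directory) and column order (interfaces: ZONE INTERFACE BROADCAST OPTIONS; hosts: ZONE HOST(S) OPTIONS, with OPTIONS comma-separated or '-'). The sample files it writes when run with no argument are constructed for the demo. Item 5 (the 1.2 DNAT/REDIRECT syntax) is not checked because that syntax is not described here.

```sh
#!/bin/sh
# Hypothetical Shorewall 1.3 -> 1.4 pre-upgrade lint (added example, not
# Shorewall code). It reads a configuration directory and reports the
# settings the 1.4 release notes list as removed or reinterpreted:
#   shorewall.conf : MERGE_HOSTS, ALLOWRELATED, OLD_PING_HANDLING=Yes
#   interfaces     : <device>:<integer> names; noping, filterping,
#                    routestopped and multi options
#   hosts          : routestopped option
# Assumed columns: interfaces = ZONE INTERFACE BROADCAST OPTIONS,
# hosts = ZONE HOST(S) OPTIONS; OPTIONS is comma-separated or "-".

# strip_comments FILE : drop comment and blank lines.
strip_comments() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# check_conf FILE : shorewall.conf variables that 1.4 no longer supports.
# 'read' without IFS= trims leading whitespace, so the patterns anchor
# at the variable name.
check_conf() {
    strip_comments "$1" | while read -r line; do
        case "$line" in
            MERGE_HOSTS=*)
                echo "shorewall.conf: MERGE_HOSTS no longer supported; 1.4 behaves as MERGE_HOSTS=Yes" ;;
            ALLOWRELATED=*)
                echo "shorewall.conf: ALLOWRELATED no longer supported; 1.4 behaves as ALLOWRELATED=Yes" ;;
            OLD_PING_HANDLING=[Yy]*)
                echo "shorewall.conf: OLD_PING_HANDLING=Yes is a startup error in 1.4" ;;
        esac
    done
}

# flag_option FILE ITEM OPTION : report an interface/host option 1.4 rejects.
flag_option() {
    case "$3" in
        noping|filterping)
            echo "$1: $2: option '$3' is a startup error in 1.4 (handle icmp with rules or policies)" ;;
        routestopped)
            echo "$1: $2: option 'routestopped' is a startup error in 1.4" ;;
        multi)
            echo "$1: $2: option 'multi' no longer supported; same-interface traffic needs an explicit policy or rules" ;;
    esac
}

# check_options FILE ITEM OPTS : split the comma-separated OPTIONS column.
check_options() {
    printf '%s\n' "$3" | tr ',' '\n' | while read -r opt; do
        flag_option "$1" "$2" "$opt"
    done
}

# check_interfaces FILE : alias-style names and removed options.
check_interfaces() {
    strip_comments "$1" | while read -r zone iface bcast opts; do
        case "$iface" in
            *:[0-9]*) echo "interfaces: '$iface' is a <device>:<integer> name; 1.4 rejects it" ;;
        esac
        check_options interfaces "$iface" "$opts"
    done
}

# check_hosts FILE : removed options in the hosts file.
check_hosts() {
    strip_comments "$1" | while read -r zone hosts opts; do
        check_options hosts "$hosts" "$opts"
    done
}

# lint_shorewall DIR : run every check whose file exists; one finding per line.
lint_shorewall() {
    [ -f "$1/shorewall.conf" ] && check_conf "$1/shorewall.conf"
    [ -f "$1/interfaces" ] && check_interfaces "$1/interfaces"
    [ -f "$1/hosts" ] && check_hosts "$1/hosts"
    return 0
}

# make_samples DIR : constructed 1.3-style files for the demo (not a real config).
make_samples() {
    cat > "$1/shorewall.conf" <<'EOF'
# constructed sample shorewall.conf fragment
MERGE_HOSTS=No
ALLOWRELATED=Yes
OLD_PING_HANDLING=Yes
FW=fw
EOF
    cat > "$1/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,noping
loc     eth1:1      detect      multi,dhcp
dmz     eth2        detect      -
EOF
    cat > "$1/hosts" <<'EOF'
#ZONE   HOST(S)                 OPTIONS
loc     eth1:192.168.1.0/24     routestopped
EOF
}

# Usage: sh shorewall14-lint.sh /etc/shorewall
# With no argument it lints the constructed samples in a temporary directory.
if [ -n "${1:-}" ]; then
    lint_shorewall "$1"
else
    demo_dir=$(mktemp -d)
    make_samples "$demo_dir"
    lint_shorewall "$demo_dir"
    rm -rf "$demo_dir"
fi
```

Run it against the real directory before upgrading and clear every finding; the sample run reports seven (three from shorewall.conf, three from interfaces, one from hosts). Findings are advisory only: the script never edits the files.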

Changes for 1.4 include:

1) shorewall.conf has been completely reorganized into logical
   sections.

2) LOG is now a valid action for a rule (/etc/shorewall/rules).

3) The firewall script and version file are now installed in
   /usr/share/shorewall.

4) Late-arriving DNS replies are now silently dropped in the common
   chain by default.

5) In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no
   longer unconditionally accepts outbound ICMP packets. So if you want
   to 'ping' from the firewall, you will need the appropriate rule or
   policy.

6) CONTINUE is now a valid action for a rule (/etc/shorewall/rules).

7) 802.11b devices with names of the form wlan<n> now support the
   'maclist' option.

8) IMPORTANT: Shorewall now REQUIRES the iproute package ('ip'
   utility).

9) Explicit Congestion Notification (ECN - RFC 3168) may now be turned
   off on a host or network basis using the new /etc/shorewall/ecn
   file. To use this facility:

   a) You must be running kernel 2.4.20.

   b) You must have applied the patch in
      http://www.shorewall.net/pub/shorewall/ecn/patch.

   c) You must have iptables 1.2.7a installed.

10) The /etc/shorewall/params file is now processed first so that
    variables may be used in the /etc/shorewall/shorewall.conf file.