shorewall_code/Shorewall-common/releasenotes.txt

110 lines
3.4 KiB
Plaintext
Raw Normal View History

Shorewall 4.3.1
----------------------------------------------------------------------------
R E L E A S E 4 . 3 H I G H L I G H T S
----------------------------------------------------------------------------
1) Support is included for IPv6.
Problems Corrected in 4.3.1
1) Shorewall6 parsing of the hosts file HOSTS column has been
corrected.
Other changes in 4.3.1
1) It is now permitted to enclose addresses in [] even when an
interface name is not specified.
Example:
ACCEPT net:[2001:1::1] $FW
2) The Socket6 perl module is only required now if DNS names appear in
your Shorewall6 configuration files.
3) Shorewall6 now recognizes IPv4 addresses embedded in the IPv6
address space (e.g., ::ffff:192.168.1.3).
Migration Issues.
None.
New Features in Shorewall 4.3
1) Two new packages are included:
a) Shorewall6 - analagous to Shorewall-common but handles IPv6
rather than IPv4.
b) Shorewall6-lite - analagous to Shorewall-lite but handles IPv6
rather than IPv4.
The packages store their configurations in /etc/shorewall6/ and
/etc/shorewall6-lite/ respectively.
The fact that the packages are separate from their IPv4 counterparts
means that you control IPv4 and IPv6 traffic separately (the same
way that Netfilter does). Starting/Stopping the firewall for one
address family has no effect on the other address family.
Other features of Shorewall6 are:
a) There is no NAT of any kind (most people see this as a giant step
forward). When an ISP assigns you a public IPv6 address, you are
actually assigned an IPv6 'prefix' which is like an IPv4
subnet. A 96-bit prefix allows 4 billion individual hosts (the
size of the current IPv4 address space).
b) The default zone type is ipv6.
c) The currently-supported interface options in Shorewall6 are:
blacklist
bridge
optional
routeback
sourceroute
tcpflags
mss
forward (replaces the IP_FORWARDING .conf option -- forwarding
is enabled on a per-interface basis in IPv6).
d) The currently-supported host options in Shorewall6 are:
blacklist
routeback
tcpflags
e) Traffic Shaping and Multi-ISP support are currently disabled. Packet
marking and connection marking are available to feed your current
traffic shaping defined in Shorewall.
f) When both an interface and an address or address list need to
be specified in a rule, the address or list must be enclosed in
square brackets. Example:
ACCEPT net:eth0:[2001:19f0:feee::dead:beef:cafe] dmz
Note that this includes MAC addresses as well as IPv6 addresses.
The HOSTS column in /etc/shorewall6/hosts also uses this
convention:
#ZONE HOSTS OPTIONS
chat6 eth0:[2001:19f0:feee::dead:beef:cafe]
g) There are currently no Shorewall6 or Shorewall6-lite manpages.
h) The options available in shorewall6.conf are a subset of those
available in shorewall.conf.
i) The Socket6.pm Perl module is required if you include DNS names
in your Shorewall6 configuration. Note that it is loaded the
first time that a DNS name is encountered so if it is missing,
you get a message similar to this one:
...
Checking /etc/shorewall6/rules...
Can't locate Socket6.pm in @INC (@INC contains: /root ...
teastep@ursa:~/Configs/standalone6$