<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall News</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall News Archive</font></h1>
</td>
</tr>
</tbody>
</table>
<p><b>1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documentation.
The PDF may be downloaded from</p>
<p><a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
<a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a></p>
<p><b>1/17/2003 - shorewall.net has MOVED</b></p>
<p>Thanks to the generosity of Alex Martin and <a
href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net and
ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A
big thanks to Alex for making this happen.<br>
</p>
<p><b>1/13/2003 - Shorewall 1.3.13<br>
</b></p>
<p>Just includes a few things that I had on the burner:<br>
</p>
<ol>
<li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules
file. DNAT- is intended for advanced users who wish to minimize the number
of rules that connection requests must traverse.<br>
<br>
A Shorewall DNAT rule actually generates two iptables rules: a header
rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' table.
A DNAT- rule only generates the first of these rules. This is handy when
you have several DNAT rules that would generate the same ACCEPT rule.<br>
<br>
Here are three rules from my previous rules file:<br>
<pre>
DNAT    net    dmz:206.124.146.177    tcp    smtp           -    206.124.146.178
DNAT    net    dmz:206.124.146.177    tcp    smtp           -    206.124.146.179
ACCEPT  net    dmz:206.124.146.177    tcp    www,smtp,ftp,...
</pre>
These three rules ended up generating <i>three</i> copies of<br>
<pre>
ACCEPT  net    dmz:206.124.146.177    tcp    smtp
</pre>
By writing the rules this way, I end up with only one copy of the ACCEPT
rule.<br>
<pre>
DNAT-   net    dmz:206.124.146.177    tcp    smtp           -    206.124.146.178
DNAT-   net    dmz:206.124.146.177    tcp    smtp           -    206.124.146.179
ACCEPT  net    dmz:206.124.146.177    tcp    www,smtp,ftp,...
</pre>
</li>
<li>The 'shorewall check' command now prints out the applicable policy
between each pair of zones.<br>
<br>
</li>
<li>A new CLEAR_TC option has been added to shorewall.conf. If this
option is set to 'No' then Shorewall won't clear the current traffic control
rules during [re]start. This setting is intended for use by people who
prefer to configure traffic shaping when the network interfaces come up rather
than when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes
and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way,
your traffic shaping rules can still use the 'fwmark' classifier based on
packet marking defined in /etc/shorewall/tcrules.<br>
<br>
</li>
<li>A new SHARED_DIR variable has been added that allows distribution
packagers to easily move the shared directory (default /usr/lib/shorewall).
Users should never have a need to change the value of this shorewall.conf
setting.<br>
</li>
</ol>
<p><b>1/6/2003 - <big><big><big>BURNOUT</big></big></big></b></p>
<p><b>Until further notice, I will not be involved in either Shorewall Development
or Shorewall Support</b></p>
<p><b>-Tom Eastep</b><br>
</p>
<p><b>12/30/2002 - Shorewall Documentation in PDF Format</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documentation.
The PDF may be downloaded from</p>
<p><a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
<a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b></p>
<p>Features include:<br>
</p>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping rules (tcrules
and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after an
error occurs. This places the point of the failure near the end of the
trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been sped up by more than 40% with
my configuration. Your mileage may vary.</li>
<li>A "shorewall show classifiers" command has been added which shows
the current packet classification filters. The output from this command
is also added as a separate page in "shorewall monitor".</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog level
and causes the subject packets to be logged using the ULOG target rather
than the LOG target. This allows you to run ulogd (available from <a
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a href="shorewall_logging.html">to a
separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in the mangle
table ("shorewall show mangle" will show you the chains in the mangle
table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
input packets based on their destination even when you are using Masquerading
or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty 'init',
'start', 'stop' and 'stopped' files. If you already have a file with
one of these names, don't worry -- the upgrade process won't overwrite
your file.</li>
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
the syslog level at which packets are logged as a result of entries in
the /etc/shorewall/rfc1918 file. Previously, these packets were always
logged at the 'info' level.<br>
</li>
</ol>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3<br>
</b></p>
<p>This version corrects a problem with Blacklist logging. In Beta 2,
if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would
fail to start and "shorewall refresh" would also fail.<br>
</p>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b></p>
<p>The first public Beta version of Shorewall 1.3.12 is now available (Beta
1 was made available only to a limited audience).<br>
</p>
<p>Features include:<br>
</p>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping rules
(tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after
an error occurs. This places the point of the failure near the end of
the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been sped up by more than 40%
with my configuration. Your mileage may vary.</li>
<li>A "shorewall show classifiers" command has been added which
shows the current packet classification filters. The output from this
command is also added as a separate page in "shorewall monitor".</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog
level and causes the subject packets to be logged using the ULOG target
rather than the LOG target. This allows you to run ulogd (available
from <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a href="shorewall_logging.html">to a
separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in
the mangle table ("shorewall show mangle" will show you the chains in
the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
This allows for marking input packets based on their destination even
when you are using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty
'init', 'start', 'stop' and 'stopped' files. If you already have a file
with one of these names, don't worry -- the upgrade process won't overwrite
your file.</li>
</ol>
<p>You may download the Beta from:<br>
</p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
alt="Powered by Mandrake Linux" width="140" height="21" border="0">
</a></b></p>
<p>Shorewall is at the center of MandrakeSoft's recently-announced
<a
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&id_art=250&LANG_=en#GOTO_250">Multi
Network Firewall (MNF)</a> product. Here is the <a
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
release</a>.<br>
</p>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b></p>
<p>Two months and three days after I ordered Mandrake 9.0, it was finally delivered.
I have installed 9.0 on one of my systems and I am now in a position
to support Shorewall users who run Mandrake 9.0.</p>
<p><b>12/6/2002 - Debian 1.3.11a Packages Available<br>
</b></p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>12/3/2002 - Shorewall 1.3.11a</b></p>
<p>This is a bug-fix roll-up which includes Roger Aich's fix for DNAT with
excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
who don't need rules of this type need not upgrade to 1.3.11a.</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b></p>
<p>In this version:</p>
<ul>
<li>A 'tcpflags' option has been added to entries in
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to perform a set of sanity checks on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or DEST
column in a <a href="Documentation.htm#Rules">rule</a>. When used,
'all' must appear by itself (it may not be qualified) and it does not
enable intra-zone traffic. For example, the rule<br>
<pre>
ACCEPT  loc  all  tcp  80
</pre>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible
with bash clones such as ash and dash.</li>
<li>fw->fw policies now generate a startup error.
fw->fw rules generate a warning and are ignored.</li>
</ul>
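<p>The DNAT-/ACCEPT duplication described in the 1.3.13 note above and the 'all' expansion rule in this list are easiest to see in code. The Python script below is an added example, not Shorewall's own code (Shorewall itself is a shell script driving iptables): it models only the expansion behaviour these two notes describe and prints the iptables commands a handful of rules would generate. The zone list, the service-name table and the chain names (net_dnat, net2dmz) are assumptions for illustration.</p>

```python
"""Model of how Shorewall 1.3.x rule entries expand into iptables rules.

Added example, not Shorewall's own code. It reproduces only the behaviour
the release notes describe: a DNAT rule yields a nat-table rewrite plus a
filter-table ACCEPT, DNAT- yields the rewrite alone, and 'all' in SOURCE or
DEST expands to every other zone but never to an intra-zone pair. Chain
names (net2dmz, net_dnat) and the zone list are assumptions for illustration.
"""
from collections import Counter

ZONES = ["net", "loc", "dmz"]                  # constructed zone list
SERVICES = {"smtp": 25, "www": 80, "ftp": 21}  # stand-in for /etc/services


def parse_rule(line):
    """Split one rules-file line into its seven columns, padding with '-'."""
    cols = (line.split() + ["-"] * 7)[:7]
    keys = ("action", "source", "dest", "proto", "dport", "sport", "odest")
    return dict(zip(keys, cols))


def split_zone(spec):
    """'dmz:206.124.146.177' -> ('dmz', '206.124.146.177'); 'net' -> ('net', None)."""
    zone, _, addr = spec.partition(":")
    return zone, (addr or None)


def expand_all(rule):
    """Replace 'all' in SOURCE/DEST by concrete zones, skipping zone->same zone."""
    src_zone, src_addr = split_zone(rule["source"])
    dst_zone, dst_addr = split_zone(rule["dest"])
    if (src_zone == "all" and src_addr) or (dst_zone == "all" and dst_addr):
        raise ValueError("'all' must appear by itself (it may not be qualified)")
    sources = ZONES if src_zone == "all" else [src_zone]
    dests = ZONES if dst_zone == "all" else [dst_zone]
    for s in sources:
        for d in dests:
            if s == d:
                continue  # 'all' does not enable intra-zone traffic
            yield dict(rule, source=s, dest=d if dst_addr is None else f"{d}:{dst_addr}")


def ports(dport):
    """'www,smtp' -> [80, 25]; numeric ports pass through unchanged."""
    return [SERVICES.get(p, p) for p in dport.split(",")]


def expand_rule(rule):
    """Yield the iptables command(s) one concrete (no 'all') rule generates."""
    src_zone, _ = split_zone(rule["source"])
    dst_zone, dst_addr = split_zone(rule["dest"])
    action = rule["action"]
    if action.startswith("DNAT") and dst_addr is None:
        raise ValueError("DNAT needs a destination address in the DEST column")
    dst_match = f"-d {dst_addr} " if dst_addr else ""
    for port in ports(rule["dport"]):
        if action in ("DNAT", "DNAT-"):
            # header-rewriting rule in the nat table (ORIGINAL DEST is the public IP)
            yield (f"iptables -t nat -A {src_zone}_dnat -p {rule['proto']} "
                   f"-d {rule['odest']} --dport {port} "
                   f"-j DNAT --to-destination {dst_addr}")
        if action in ("DNAT", "ACCEPT"):
            # matching ACCEPT in the filter table; DNAT- deliberately omits it
            yield (f"iptables -A {src_zone}2{dst_zone} -p {rule['proto']} "
                   f"{dst_match}--dport {port} -j ACCEPT")


def generate(rules_text):
    """Expand a whole rules file (comments and blank lines ignored)."""
    commands = []
    for line in rules_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            for concrete in expand_all(parse_rule(line)):
                commands.extend(expand_rule(concrete))
    return commands


def duplicate_accepts(commands):
    """{command: count} for filter ACCEPT rules that were emitted more than once."""
    counts = Counter(c for c in commands if c.endswith("-j ACCEPT"))
    return {c: n for c, n in counts.items() if n > 1}


# The three rules from the 1.3.13 note, before and after switching to DNAT-.
BEFORE = """
DNAT    net  dmz:206.124.146.177  tcp  smtp          -  206.124.146.178
DNAT    net  dmz:206.124.146.177  tcp  smtp          -  206.124.146.179
ACCEPT  net  dmz:206.124.146.177  tcp  www,smtp,ftp
"""
AFTER = """
DNAT-   net  dmz:206.124.146.177  tcp  smtp          -  206.124.146.178
DNAT-   net  dmz:206.124.146.177  tcp  smtp          -  206.124.146.179
ACCEPT  net  dmz:206.124.146.177  tcp  www,smtp,ftp
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        cmds = generate(text)
        print(f"--- {label}: {len(cmds)} iptables commands")
        print("\n".join(cmds))
        print("duplicated ACCEPT rules:", duplicate_accepts(cmds) or "none")
```

<p>Run it directly to see the seven commands the original three rules produce, with the smtp ACCEPT appearing three times, against the five that the DNAT- version produces. Feeding your own rules text through generate() and duplicate_accepts() shows where the same ACCEPT rule is being emitted more than once before you decide which DNAT entries to turn into DNAT-.</p>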
|
2003-01-22 01:37:23 +01:00
|
|
|
|
|
2002-11-24 21:08:19 +01:00
|
|
|
|
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b></p>
|
2003-01-22 01:37:23 +01:00
|
|
|
|
|
|
|
|
|
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation.
|
|
|
|
|
the PDF may be downloaded from</p>
|
|
|
|
|
|
2002-11-24 21:08:19 +01:00
|
|
|
|
<p><EFBFBD><EFBFBD><EFBFBD> <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
|
|
|
|
|
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
2003-01-22 01:37:23 +01:00
|
|
|
|
<20><><EFBFBD> <a
|
2002-12-28 16:38:03 +01:00
|
|
|
|
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
2003-01-22 01:37:23 +01:00
|
|
|
|
</p>
<p><b>11/09/2002 - Shorewall is Back at SourceForge</b></p>
<p>The main Shorewall 1.3 web site is now back at SourceForge at <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
</p>
<p><b>11/09/2002 - Shorewall 1.3.10</b></p>
<p>In this version:</p>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define
the contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used
primarily within <a
href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown
scripts.</li>
<li>Shorewall can now do <a
href="MAC_Validation.html">MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment
and you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall
system may now be defined in the <a href="PPTP.htm">/etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported for
use when the <a href="IPSEC.htm">remote IPSEC endpoint is
behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such
as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b></p>
<p>Alexandru Hartmann reports that his Shorewall package
is now a part of <a href="http://www.gentoo.org">the Gentoo Linux
distribution</a>. Thanks Alex!<br>
</p>
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b></p>
<p>In this version:<br>
</p>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define
the contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>Shorewall can now do <a
href="MAC_Validation.html">MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment
and you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall
system may now be defined in the <a href="PPTP.htm">/etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported for
use when the <a href="IPSEC.htm">remote IPSEC endpoint is
behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such
as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
<p>You may download the Beta from:<br>
</p>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
<li><a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a></li>
</ul>
<p><b>10/10/2002 - Debian 1.3.9b Packages Available<br>
</b></p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>10/9/2002 - Shorewall 1.3.9b</b></p>
<p>This release rolls up fixes to the installer and
to the firewall script.<br>
</p>
<p><b>10/6/2002 - Shorewall.net now running on RH8.0<br>
</b></p>
<p>The firewall and server here at shorewall.net are
now running RedHat release 8.0.<br>
</p>
<p><b>9/30/2002 - Shorewall 1.3.9a</b></p>
<p>Rolls up the fix for broken tunnels.<br>
</p>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b></p>
<p>There is an updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
</p>
<p><b>9/28/2002 - Shorewall 1.3.9</b></p>
<p>In this version:<br>
</p>
<ul>
<li><a
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are
now allowed in Shorewall config files (although I recommend against
using them).</li>
<li>The connection SOURCE may now be qualified
by both interface and IP address in a <a
href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is now disabled after
initial installation until the file /etc/shorewall/startup_disabled
is removed. This avoids nasty surprises during reboot for users
who install Shorewall but don't configure it.</li>
<li>The 'functions' and 'version' files and
the 'firewall' symbolic link have been moved from /var/lib/shorewall
to /usr/lib/shorewall to appease the LFS police at Debian.<br>
</li>
</ul>
<p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
Restored</b><br>
</p>
<img src="images/j0233056.gif"
alt="Brown Paper Bag" width="50" height="86" align="left">
<p>A couple of recent configuration changes
at www.shorewall.net broke the Search facility:<br>
</p>
<blockquote>
<ol>
<li>Mailing List Archive Search was not
available.</li>
<li>The Site Search index was incomplete.</li>
<li>Only one page of matches was presented.</li>
</ol>
</blockquote>
<p>Hopefully these problems are now corrected.</p>
<p><b>9/18/2002 - Debian 1.3.8 Packages Available<br>
</b></p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>9/16/2002 - Shorewall 1.3.8</b></p>
<p>In this version:<br>
</p>
<ul>
<li>A <a
href="Documentation.htm#Conf">NEWNOTSYN</a> option has been
added to shorewall.conf. This option determines whether Shorewall
accepts TCP packets which are not part of an established connection
and that are not 'SYN' packets (SYN flag on and ACK flag off).</li>
<li>The need for the 'multi' option
to communicate between zones za and zb on the same interface
is removed in the case where the chain 'za2zb' and/or 'zb2za'
exists. 'za2zb' will exist if:
<ul>
<li>There is a policy for za
to zb; or</li>
<li>There is at least one rule
for za to zb.</li>
</ul>
</li>
<li>The /etc/shorewall/blacklist file
now contains three columns. In addition to the SUBNET/ADDRESS
column, there are optional PROTOCOL and PORT columns to block
only certain applications from the blacklisted addresses.<br>
</li>
</ul>
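<p>The NEWNOTSYN definition above and the 'tcpflags' sanity checks introduced in 1.3.11 both hinge on reading TCP flag bits correctly. The Python below is an added example, not Shorewall's own code (which expresses these checks as iptables rules): it reads the flags byte from a raw TCP header, applies the page's definition of a SYN packet (SYN on, ACK off) against a toy connection table, and shows how an ACK probe from an unknown host is dropped with NEWNOTSYN=No but passed on to the rules with NEWNOTSYN=Yes. The set of bogus flag combinations it rejects is an assumption, since the page does not say which checks 'tcpflags' performs, and the packet sequence is constructed for the example.</p>

```python
"""TCP flag handling in the spirit of Shorewall's NEWNOTSYN option and the
'tcpflags' interface option.

Added example, not Shorewall's own code. NEWNOTSYN is modelled as the
release note defines it: a TCP packet belonging to no tracked connection
that is not a 'SYN' packet (SYN on, ACK off). The page only says that
'tcpflags' performs "a set of sanity checks", so the combinations rejected
in bogus_flags() are an assumption (the usual scan/bogus patterns), not
necessarily Shorewall's exact list.
"""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


def tcp_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header (constructed sample input)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)


def tcp_flags(segment):
    """Flags byte of a raw TCP header (byte 13 of the header)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & ALL_FLAGS


def is_syn(flags):
    """A 'SYN packet' as the page defines it: SYN flag on and ACK flag off."""
    return bool(flags & SYN) and not (flags & ACK)


def bogus_flags(flags):
    """Assumed tcpflags-style sanity checks; returns a reason or None."""
    if flags == 0:
        return "null scan (no flags)"
    if flags == ALL_FLAGS:
        return "xmas scan (all flags)"
    if flags & SYN and flags & FIN:
        return "SYN+FIN"
    if flags & SYN and flags & RST:
        return "SYN+RST"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK"
    return None


class Conntrack:
    """Minimal connection table keyed by (src, sport, dst, dport)."""

    def __init__(self):
        self.known = set()

    def decide(self, key, flags, newnotsyn=False):
        """Return (verdict, reason): DROP, or CONTINUE on to the zone rules."""
        src, sport, dst, dport = key
        reason = bogus_flags(flags)
        if reason:
            return "DROP", reason                      # tcpflags check
        if key in self.known or (dst, dport, src, sport) in self.known:
            return "CONTINUE", "ESTABLISHED"
        if is_syn(flags):
            self.known.add(key)                        # new connection
            return "CONTINUE", "NEW (SYN)"
        if newnotsyn:                                  # NEWNOTSYN=Yes
            return "CONTINUE", "NEW not SYN (NEWNOTSYN=Yes)"
        return "DROP", "NEW not SYN"


# Constructed packet sequence: a normal handshake, then an ACK probe and
# two bogus-flag probes from an outside host.
SAMPLE = [
    ("10.0.0.5", 40000, "192.0.2.10", 80, SYN),
    ("192.0.2.10", 80, "10.0.0.5", 40000, SYN | ACK),
    ("10.0.0.5", 40000, "192.0.2.10", 80, ACK),
    ("198.51.100.7", 5555, "192.0.2.10", 80, ACK),
    ("198.51.100.7", 5556, "192.0.2.10", 80, SYN | FIN),
    ("198.51.100.7", 5557, "192.0.2.10", 80, 0),
]


def run(sample, newnotsyn=False):
    """Feed the sample through a fresh connection table; return verdicts."""
    ct = Conntrack()
    verdicts = []
    for src, sport, dst, dport, flags in sample:
        seg = tcp_header(sport, dport, flags)
        verdicts.append(ct.decide((src, sport, dst, dport), tcp_flags(seg), newnotsyn))
    return verdicts


if __name__ == "__main__":
    for setting in (False, True):
        print(f"NEWNOTSYN={'Yes' if setting else 'No'}")
        for pkt, verdict in zip(SAMPLE, run(SAMPLE, setting)):
            print(f"  {pkt[0]}:{pkt[1]} -> {pkt[2]}:{pkt[3]} flags=0x{pkt[4]:02x}  {verdict}")
```

<p>A verdict of CONTINUE means the packet goes on to the zone-to-zone rules and policies; the model does not try to reproduce those. The bogus-flag checks run before the connection lookup on purpose: a SYN+FIN or null packet is rejected whether or not its 4-tuple matches a tracked connection.</p>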
<p><b>9/11/2002 - Debian 1.3.7c Packages Available</b></p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>9/2/2002 - Shorewall 1.3.7c</b></p>
<p>This is a roll-up of a fix for "DNAT" rules where the source zone is $FW
(fw).</p>
<p><b>8/31/2002 - I'm not available</b></p>
<p>I'm currently on vacation -- please respect my need for a couple of
weeks free of Shorewall problem reports.</p>
<p>-Tom</p>
<p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
<p>This is a roll-up of the "shorewall refresh" bug fix and the change which
reverses the order of "dhcp" and "norfc1918" checking.</p>
<p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
<p><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
is now available.</p>
<p><b>8/25/2002 - Shorewall Mirror in France</b></p>
<p>Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored
at <a target="_top"
href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
<p><b>8/25/2002 - Shorewall 1.3.7a Debian Packages Available</b></p>
<p>Lorenzo Martignoni reports that the packages for version 1.3.7a are available
at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author
-- Shorewall 1.3.7a released<img border="0"
src="images/j0233056.gif" width="50" height="80" align="middle">
</b></p>
<p>1.3.7a corrects problems occurring in rules file processing when starting
Shorewall 1.3.7.</p>
|
2002-12-28 16:38:03 +01:00
|
|
|
|
|
2003-01-22 01:37:23 +01:00
|
|
|
|
|
2002-09-16 19:13:10 +02:00
|
|
|
|
<p><b>8/22/2002 - Shorewall 1.3.7 Released 8/13/2002</b></p>

<p>Features in this release include:</p>

<ul>
  <li>The 'icmp.def' file is now empty! The rules in that file were required
    in ipchains firewalls but are not required in Shorewall. Users who have
    ALLOWRELATED=No in <a href="Documentation.htm#Conf">shorewall.conf</a>
    should see the <a href="errata.htm#Upgrade">Upgrade Issues</a>.</li>
  <li>A 'FORWARDPING' option has been added to
    <a href="Documentation.htm#Conf">shorewall.conf</a>. The effect of setting
    this variable to Yes is the same as the effect of adding an ACCEPT rule for
    ICMP echo-request in
    <a href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>.
    Users who have such a rule in icmpdef are encouraged to switch to
    FORWARDPING=Yes.</li>
  <li>The loopback CLASS A Network (127.0.0.0/8) has been added to the rfc1918
    file.</li>
  <li>Shorewall now works with iptables 1.2.7.</li>
  <li>The documentation and web site no longer use FrontPage themes.</li>
</ul>

<p>I would like to thank John Distler for his valuable input regarding TCP
SYN and ICMP treatment in Shorewall. That input has led to marked improvement
in Shorewall in the last two releases.</p>
<p><b>8/13/2002 - Documentation in the <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></b></p>

<p>The Shorewall-docs project now contains just the HTML and image files -
the FrontPage files have been removed.</p>
<p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></b></p>

<p>This branch will only be updated after I release a new version of Shorewall,
so you can always update from this branch to get the latest stable tree.</p>
<p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section added
to the <a href="errata.htm">Errata Page</a></b></p>

<p>Now there is one place to go to look for issues involved with upgrading
to recent versions of Shorewall.</p>
<p><b>8/7/2002 - Shorewall 1.3.6</b></p>

<p>This is primarily a bug-fix rollup with a couple of new features:</p>

<ul>
  <li>The latest <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>,
    including the <a href="shorewall_setup_guide.htm">Shorewall Setup
    Guide</a>.</li>
  <li>Shorewall will now DROP TCP packets that are not part of or related to an
    existing connection and that are not SYN packets. These "New not SYN"
    packets may be optionally logged by setting the LOGNEWNOTSYN option in
    <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
  <li>The processing of "New not SYN" packets may be extended by commands in
    the new <a href="shorewall_extension_scripts.htm">newnotsyn extension
    script</a>.</li>
</ul>
<p><b>7/30/2002 - Shorewall 1.3.5b Released</b></p>

<p>This interim release:</p>

<ul>
  <li>Causes the firewall script to remove the lock file if it is killed.</li>
  <li>Once again allows lists in the second column of the
    <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file.</li>
  <li>Includes the latest
    <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>.</li>
</ul>
<p><b>7/29/2002 - New Shorewall Setup Guide Available</b></p>

<p>The first draft of this guide is available at <a
href="http://www.shorewall.net/shorewall_setup_guide.htm">http://www.shorewall.net/shorewall_setup_guide.htm</a>.
The guide is intended for use by people who are setting up Shorewall to manage
multiple public IP addresses and by people who want to learn more about
Shorewall than is described in the single-address guides. Feedback on the new
guide is welcome.</p>
<p><b>7/28/2002 - Shorewall 1.3.5 Debian Package Available</b></p>

<p>Lorenzo Martignoni reports that the packages are version 1.3.5a and are
available at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>7/27/2002 - Shorewall 1.3.5a Released</b></p>

<p>This interim release restores correct handling of REDIRECT rules.</p>
<p><b>7/26/2002 - Shorewall 1.3.5 Released</b></p>

<p>This will be the last Shorewall release for a while. I'm going to be
focusing on rewriting a lot of the documentation.</p>

<p>In this version:</p>

<ul>
  <li>Empty and invalid source and destination qualifiers are now detected in
    the rules file. It is a good idea to use the 'shorewall check' command
    before you issue a 'shorewall restart' command to be sure that you don't
    have any configuration problems that will prevent a successful
    restart.</li>
  <li>Added <b>MERGE_HOSTS</b> variable in
    <a href="Documentation.htm#Conf">shorewall.conf</a> to provide saner
    behavior of the /etc/shorewall/hosts file.</li>
  <li>The time that the counters were last reset is now displayed in the
    heading of the 'status' and 'show' commands.</li>
  <li>A <b>proxyarp</b> option has been added for entries in
    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
    This option facilitates Proxy ARP sub-netting as described in the Proxy
    ARP subnetting mini-HOWTO (<a
    href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>).
    Specifying the proxyarp option for an interface causes Shorewall to set
    /proc/sys/net/ipv4/conf/&lt;interface&gt;/proxy_arp.</li>
  <li>The Samples have been updated to reflect the new capabilities in this
    release.</li>
</ul>
<p><b>7/16/2002 - New Mirror in Argentina</b></p>

<p>Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in
Argentina. Thanks Buanzo!!!</p>
<p><b>7/16/2002 - Shorewall 1.3.4 Released</b></p>

<p>In this version:</p>

<ul>
  <li>A new <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>
    file has been added. This file is intended to eventually replace the
    <b>routestopped</b> option in the /etc/shorewall/interfaces and
    /etc/shorewall/hosts files. This new file makes remote firewall
    administration easier by allowing any IP or subnet to be enabled while
    Shorewall is stopped.</li>
  <li>An /etc/shorewall/stopped
    <a href="Documentation.htm#Scripts">extension script</a> has been added.
    This script is invoked after Shorewall has stopped.</li>
  <li>A <b>DETECT_DNAT_ADDRS</b> option has been added to
    <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.
    When this option is selected, DNAT rules only apply when the destination
    address is the external interface's primary IP address.</li>
  <li>The <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a> has
    been broken into three guides and has been almost entirely rewritten.</li>
  <li>The Samples have been updated to reflect the new capabilities in this
    release.</li>
</ul>
<p><b>7/8/2002 - Shorewall 1.3.3 Debian Package Available</b></p>

<p>Lorenzo Martignoni reports that the packages are available at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>7/6/2002 - Shorewall 1.3.3 Released</b></p>

<p>In this version:</p>

<ul>
  <li>Entries in /etc/shorewall/interfaces that use the wildcard character
    ("+") now have the "multi" option assumed.</li>
  <li>The 'rfc1918' chain in the mangle table has been renamed 'man1918' to
    make log messages generated from that chain distinguishable from those
    generated by the 'rfc1918' chain in the filter table.</li>
  <li>Interface names appearing in the hosts file are now validated against
    the interfaces file.</li>
  <li>The TARGET column in the rfc1918 file is now checked for
    correctness.</li>
  <li>The chain structure in the nat table has been changed to reduce the
    number of rules that a packet must traverse and to correct problems with
    NAT_BEFORE_RULES=No.</li>
  <li>The "hits" command has been enhanced.</li>
</ul>
<p><b>6/25/2002 - Samples Updated for 1.3.2</b></p>

<p>The comments in the sample configuration files have been updated to reflect
new features introduced in Shorewall 1.3.2.</p>
<p><b>6/25/2002 - Shorewall 1.3.1 Debian Package Available</b></p>

<p>Lorenzo Martignoni reports that the package is available at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>6/19/2002 - Documentation Available in PDF Format</b></p>

<p>Thanks to Mike Martinez, the Shorewall Documentation is now available for
<a href="download.htm">download</a> in <a href="http://www.adobe.com">Adobe</a>
PDF format.</p>
<p><b>6/16/2002 - Shorewall 1.3.2 Released</b></p>

<p>In this version:</p>

<ul>
  <li>A <a href="Documentation.htm#Starting">logwatch command</a> has been
    added to /sbin/shorewall.</li>
  <li>A <a href="blacklisting_support.htm">dynamic blacklist facility</a>
    has been added.</li>
  <li>Support for the <a href="Documentation.htm#Conf">Netfilter multiport
    match function</a> has been added.</li>
  <li>The files <b>firewall</b>, <b>functions</b> and <b>version</b> have been
    moved from /etc/shorewall to /var/lib/shorewall.</li>
</ul>
<p><b>6/6/2002 - Why CVS Web access is Password Protected</b></p>

<p>Last weekend, I installed the CVS Web package to provide browser-based access
to the Shorewall CVS repository. Since then, I have had several instances
where my server was almost unusable due to the high load generated by website
copying tools like HTTrack and WebStripper. These mindless tools:</p>

<ul>
  <li>Ignore robots.txt files.</li>
  <li>Recursively copy everything that they find.</li>
  <li>Should be classified as weapons rather than tools.</li>
</ul>

<p>These tools/weapons are particularly damaging when combined with CVS Web
because they doggedly follow every link in the cgi-generated HTML, resulting in
1000s of executions of the cvsweb.cgi script. Yesterday, I spent several hours
implementing measures to block these tools but unfortunately, these measures
resulted in my server OOM-ing under even moderate load.</p>

<p>Until I have the time to understand the cause of the OOM (or until I buy
more RAM if that is what is required), CVS Web access will remain Password
Protected.</p>
<p><b>6/5/2002 - Shorewall 1.3.1 Debian Package Available</b></p>

<p>Lorenzo Martignoni reports that the package is available at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>6/2/2002 - Samples Corrected</b></p>

<p>The 1.3.0 sample configurations had several serious problems that prevented
DNS and SSH from working properly. These problems have been corrected in the
<a href="/pub/shorewall/samples-1.3.1">1.3.1 samples</a>.</p>
<p><b>6/1/2002 - Shorewall 1.3.1 Released</b></p>

<p>Hot on the heels of 1.3.0, this release:</p>

<ul>
  <li>Corrects a serious problem with "all <i>&lt;zone&gt;</i> CONTINUE"
    policies. This problem is present in all versions of Shorewall that
    support the CONTINUE policy. These previous versions optimized away the
    "all2<i>&lt;zone&gt;</i>" chain and replaced it with the "all2all" chain,
    with the usual result that a policy of REJECT was enforced rather than the
    intended CONTINUE policy.</li>
  <li>Adds an <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</a>
    file for defining the exact behavior of the
    <a href="Documentation.htm#Interfaces">'norfc1918' interface option</a>.</li>
</ul>
<p><b>5/29/2002 - Shorewall 1.3.0 Released</b></p>

<p>In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0
includes:</p>

<ul>
  <li>A 'filterping' interface option that allows ICMP echo-request (ping)
    requests addressed to the firewall to be handled by entries in
    /etc/shorewall/rules and /etc/shorewall/policy.</li>
</ul>
<p><b>5/23/2002 - Shorewall 1.3 RC1 Available</b></p>

<p>In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92)
incorporates the following:</p>

<ul>
  <li>Support for the /etc/shorewall/whitelist file has been withdrawn. If you
    need whitelisting, see
    <a href="/1.3/whitelisting_under_shorewall.htm">these instructions</a>.</li>
</ul>
<p><b>5/19/2002 - Shorewall 1.3 Beta 2 Available</b></p>

<p>In addition to the changes in Beta 1, this release, which carries the
designation 1.2.91, adds:</p>

<ul>
  <li>The structure of the firewall is changed markedly. There is now an INPUT
    and a FORWARD chain for each interface; this reduces the number of rules
    that a packet must traverse, especially in complicated setups.</li>
  <li><a href="Documentation.htm#Exclude">Sub-zones may now be excluded from
    DNAT and REDIRECT rules.</a></li>
  <li>The names of the columns in a number of the configuration files have
    been changed to be more consistent and self-explanatory and the
    documentation has been updated accordingly.</li>
  <li>The sample configurations have been updated for 1.3.</li>
</ul>
<p><b>5/17/2002 - Shorewall 1.3 Beta 1 Available</b></p>

<p>Beta 1 carries the version designation 1.2.90 and implements the following
features:</p>

<ul>
  <li>Simplified rule syntax which makes the intent of each rule clearer and
    hopefully makes Shorewall easier to learn.</li>
  <li>Upward compatibility with 1.2 configuration files has been maintained so
    that current users can migrate to the new syntax at their convenience.</li>
  <li><b><font color="#cc6666">WARNING: Compatibility with the old
    parameterized sample configurations has NOT been maintained. Users still
    running those configurations should migrate to the new sample
    configurations before upgrading to 1.3 Beta 1.</font></b></li>
</ul>
<p><b>5/4/2002 - Shorewall 1.2.13 is Available</b></p>

<p>In this version:</p>

<ul>
  <li><a href="Documentation.htm#Whitelist">White-listing</a> is supported.</li>
  <li><a href="Documentation.htm#Policy">SYN-flood protection</a> is added.</li>
  <li>IP addresses added under
    <a href="Documentation.htm#Conf">ADD_IP_ALIASES and ADD_SNAT_ALIASES</a>
    now inherit the VLSM and Broadcast Address of the interface's primary IP
    address.</li>
  <li>The order in which port forwarding DNAT and Static DNAT
    <a href="Documentation.htm#Conf">can now be reversed</a> so that port
    forwarding rules can override the contents of
    <a href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</li>
</ul>
<p><b>4/30/2002 - Shorewall Debian News</b></p>

<p>Lorenzo Martignoni reports that Shorewall 1.2.12 is now in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian Testing
Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
Branch</a>.</p>
<p><b>4/20/2002 - Shorewall 1.2.12 is Available</b></p>

<ul>
  <li>The 'try' command works again.</li>
  <li>There is now a single RPM that also works with SuSE.</li>
</ul>
<p><b>4/17/2002 - Shorewall Debian News</b></p>

<p>Lorenzo Martignoni reports that:</p>

<ul>
  <li>Shorewall 1.2.10 is in the
    <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
    Testing Branch</a></li>
  <li>Shorewall 1.2.11 is in the
    <a href="http://packages.debian.org/unstable/net/shorewall.html">Debian
    Unstable Branch</a></li>
</ul>

<p>Thanks, Lorenzo!</p>
<p><b>4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE</b></p>

<p>Thanks to <a href="mailto:s.mohr@familie-mohr.com">Stefan Mohr</a>, there
is now a Shorewall 1.2.11 <a
href="http://www.shorewall.net/pub/shorewall/shorewall-1.2-11.i686.suse73.rpm">SuSE
RPM</a> available.</p>
<p><b>4/13/2002 - Shorewall 1.2.11 Available</b></p>

<p>In this version:</p>

<ul>
  <li>The 'try' command now accepts an optional timeout. If the timeout is
    given in the command, the standard configuration will automatically be
    restarted after the new configuration has been running for that length of
    time. This prevents a remote admin from being locked out of the firewall
    in the case where the new configuration starts but prevents access.</li>
  <li>Kernel route filtering may now be enabled globally using the new
    ROUTE_FILTER parameter in
    <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
  <li>Individual IP source addresses and/or subnets may now be excluded from
    masquerading/SNAT.</li>
  <li>Simple "Yes/No" and "On/Off" values are now case-insensitive in
    /etc/shorewall/shorewall.conf.</li>
</ul>
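<p>The timeout on the 'try' command above is a lockout guard: a candidate
configuration is applied and backed out automatically unless the administrator
confirms, within the timeout, that the box is still reachable. The shell
function below is an added example of that pattern and is not Shorewall's own
code; the function names, their arguments and the confirmation-file convention
are this example's own (hypothetical), not a Shorewall interface.</p>

```shell
#!/bin/sh
# Added example, not Shorewall code: "apply, then revert automatically unless
# confirmed", the same idea as the optional timeout on the 'try' command.
# try_with_timeout, confirm_try and the confirmation file are hypothetical
# names chosen for this example.
#
# try_with_timeout APPLY_CMD REVERT_CMD SECONDS CONFIRM_FILE
#   1. runs APPLY_CMD (the candidate configuration);
#   2. if APPLY_CMD fails, runs REVERT_CMD at once and returns 1;
#   3. otherwise starts a background watchdog that, after SECONDS, runs
#      REVERT_CMD unless CONFIRM_FILE has appeared in the meantime.
# The watchdog's PID is left in TRY_WATCHDOG_PID so a caller can wait on it.
try_with_timeout() {
    apply_cmd=$1
    revert_cmd=$2
    seconds=$3
    confirm=$4

    # A stale confirmation from an earlier attempt must not count.
    rm -f "$confirm"

    if ! sh -c "$apply_cmd"; then
        # The candidate configuration did not even start: fall back now.
        sh -c "$revert_cmd"
        return 1
    fi

    (
        sleep "$seconds"
        # Revert unless someone confirmed in time. An administrator who was
        # locked out by the new configuration cannot have created the file,
        # which is exactly the case the timeout exists for.
        if [ ! -e "$confirm" ]; then
            sh -c "$revert_cmd"
        fi
    ) &
    TRY_WATCHDOG_PID=$!
    return 0
}

# confirm_try CONFIRM_FILE: the administrator's "I can still reach the
# firewall" signal, to be run over the connection that had to survive.
confirm_try() {
    touch "$1"
}
```

In practice APPLY_CMD and REVERT_CMD would start the candidate and the known-good configurations, and confirm_try would be run over the remote session whose survival is being tested.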
|
2002-12-28 16:38:03 +01:00
|
|
|
|
|
2003-01-22 01:37:23 +01:00
|
|
|
|
|
2002-09-16 19:13:10 +02:00
|
|
|
|
<p><b>4/13/2002 - Hamburg Mirror now has FTP </b></p>
|
2002-12-28 16:38:03 +01:00
|
|
|
|
|
2003-01-22 01:37:23 +01:00
|
|
|
|
|
2002-09-16 19:13:10 +02:00
|
|
|
|
<p>Stefan now has an FTP mirror at <a target="_blank"
|
2003-01-22 01:37:23 +01:00
|
|
|
|
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a>.<2E>
|
|
|
|
|
Thanks Stefan!</p>
|
2002-12-28 16:38:03 +01:00
|
|
|
|
|
2003-01-22 01:37:23 +01:00
|
|
|
|
|
2002-09-16 19:13:10 +02:00
|
|
|
|
<p><b>4/12/2002 - New Mirror in Hamburg</b></p>

<p>Thanks to <a href="mailto:s.mohr@familie-mohr.com">Stefan Mohr</a>, there
is now a mirror of the Shorewall website at <a
target="_top" href="http://germany.shorewall.net">http://germany.shorewall.net</a>.</p>
<p><b>4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available</b></p>

<p><a href="shorewall_quickstart_guide.htm">Version 1.1 of the QuickStart
Guide</a> is now available. Thanks to those who have read version 1.0 and
offered their suggestions. Corrections have also been made to the sample
scripts.</p>
<p><b>4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available</b></p>

<p><a href="shorewall_quickstart_guide.htm">Version 1.0 of the QuickStart
Guide</a> is now available. This Guide and its accompanying sample
configurations are expected to provide a replacement for the recently
withdrawn parameterized samples.</p>
<p><b>4/8/2002 - Parameterized Samples Withdrawn</b></p>

<p>Although the <a
href="http://www.shorewall.net/pub/shorewall/samples-1.2.1/">parameterized
samples</a> have allowed people to get a firewall up and running quickly, they
have unfortunately set the wrong level of expectation among those who have used
them. I am therefore withdrawing support for the samples and I am recommending
that they not be used in new Shorewall installations.</p>
<p><b>4/2/2002 - Updated Log Parser</b></p>

<p><a href="mailto:JML@redwoodtech.com">John Lodge</a> has provided an updated
version of his <a href="pub/shorewall/parsefw/">CGI-based log parser</a> with
corrected date handling.</p>
<p><b>3/30/2002 - Shorewall Website Search Improvements</b></p>
|
2002-12-28 16:38:03 +01:00
|
|
|
|
|
2003-01-22 01:37:23 +01:00
|
|
|
|
|
|
|
|
|
<p>The quick search on the home page now excludes the mailing list archives.
|
|
|
|
|
The <a href="htdig/search.html">Extended Search</a> allows
|
|
|
|
|
excluding the archives or restricting the search to just
|
|
|
|
|
the archives. An archive search form is also available on the
|
2003-01-14 18:18:42 +01:00
|
|
|
|
<a href="mailing_list.htm">mailing list information page</a>.</p>

<p><b>3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)</b></p>

<ul>
<li>The 1.2.10 Debian Package is available at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</li>
<li>Shorewall 1.2.9 is now in the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Distribution</a>.</li>
</ul>

<p><b>3/25/2002 - Log Parser Available</b></p>

<p><a href="mailto:JML@redwoodtech.com">John Lodge</a> has provided a <a
href="pub/shorewall/parsefw/">CGI-based log parser</a> for Shorewall. Thanks
John.</p>

<p><b>3/20/2002 - Shorewall 1.2.10 Released</b></p>

<p>In this version:</p>

<ul>
<li>A "shorewall try" command has been added (syntax: shorewall try
<i>&lt;configuration directory&gt;</i>). This command attempts "shorewall -c
<i>&lt;configuration directory&gt;</i> start" and, if that results in the
firewall being stopped due to an error, a "shorewall start" command is
executed. The 'try' command allows you to create a new <a
href="Documentation.htm#Configs">configuration</a> and attempt to start it;
if there is an error that leaves your firewall in the stopped state, it will
automatically be restarted using the default configuration (in
/etc/shorewall).</li>
<li>A new variable ADD_SNAT_ALIASES has been added to <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>. If this
variable is set to "Yes", Shorewall will automatically add the IP addresses
listed in the third column of the <a
href="Documentation.htm#Masq">/etc/shorewall/masq</a> file.</li>
<li>Copyright notices have been added to the documentation.</li>
</ul>

<p><b>3/11/2002 - Shorewall 1.2.9 Released</b></p>

<p>In this version:</p>

<ul>
<li>Filtering by <a href="Documentation.htm#MAC">MAC address</a> has been
added. MAC addresses may be used as the source address in:
<ul>
<li>Filtering rules (<a href="Documentation.htm#Rules">/etc/shorewall/rules</a>)</li>
<li>Traffic Control Classification Rules (<a
href="traffic_shaping.htm#tcrules">/etc/shorewall/tcrules</a>)</li>
<li>TOS Rules (<a href="Documentation.htm#TOS">/etc/shorewall/tos</a>)</li>
<li>Blacklist (<a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a>)</li>
</ul>
</li>
<li>Several bugs have been fixed</li>
<li>The 1.2.9 Debian Package is also available at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</li>
</ul>

<p><b>3/1/2002 - 1.2.8 Debian Package is Available</b></p>

<p>See <a href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>

<p><b>2/25/2002 - New Two-interface Sample</b></p>

<p>I've enhanced the two interface sample to allow access from the firewall
to servers in the local zone - <a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz</a></p>

<p><b>2/23/2002 - Shorewall 1.2.8 Released</b></p>

<p>Due to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
problems associated with the lock file used to prevent multiple
state-changing operations from occurring simultaneously. My apologies for
any inconvenience my carelessness may have caused.</p>

<p><b>2/22/2002 - Shorewall 1.2.7 Released</b></p>

<p>In this version:</p>

<ul>
<li>UPnP probes (UDP destination port 1900) are now silently dropped in the
<i>common</i> chain</li>
<li>RFC 1918 checking in the mangle table has been streamlined to no longer
require packet marking. RFC 1918 checking in the filter table has been
changed to require half as many rules as previously.</li>
<li>A 'shorewall check' command has been added that does a cursory
validation of the zones, interfaces, hosts, rules and policy files.</li>
</ul>

<p><b>2/18/2002 - 1.2.6 Debian Package is Available</b></p>

<p>See <a href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>

<p><b>2/8/2002 - Shorewall 1.2.6 Released</b></p>

<p>In this version:</p>

<ul>
<li>$-variables may now be used anywhere in the configuration files except
/etc/shorewall/zones.</li>
<li>The interfaces and hosts files now have their contents validated before
any changes are made to the existing Netfilter configuration. The appearance
of a zone name that isn't defined in /etc/shorewall/zones causes "shorewall
start" and "shorewall restart" to abort without changing the Shorewall
state. Unknown options in either file cause a warning to be issued.</li>
<li>A problem occurring when BLACKLIST_LOGLEVEL was not set has been
corrected.</li>
</ul>

<p><b>2/4/2002 - Shorewall 1.2.5 Debian Package Available</b></p>

<p>See <a href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>

<p><b>2/1/2002 - Shorewall 1.2.5 Released</b></p>

<p>Due to installation problems with Shorewall 1.2.4, I have released
Shorewall 1.2.5. Sorry for the rapid-fire development.</p>

<p>In version 1.2.5:</p>

<ul>
<li>The installation problems have been corrected.</li>
<li><a href="Documentation.htm#Masq">SNAT</a> is now supported.</li>
<li>A "shorewall version" command has been added</li>
<li>The default value of the STATEDIR variable in
/etc/shorewall/shorewall.conf has been changed to /var/lib/shorewall in
order to conform to the GNU/Linux File Hierarchy Standard, Version 2.2.</li>
</ul>

<p><b>1/28/2002 - Shorewall 1.2.4 Released</b></p>

<ul>
<li>The "fw" zone <a href="Documentation.htm#FW">may now be given a
different name</a>.</li>
<li>You may now place end-of-line comments (preceded by '#') in any of the
configuration files</li>
<li>There is now protection against two state-changing operations occurring
concurrently. This is implemented using the 'lockfile' utility if it is
available (lockfile is part of procmail); otherwise, a less robust technique
is used. The lockfile is created in the STATEDIR defined in
/etc/shorewall/shorewall.conf and has the name "lock".</li>
<li>"shorewall start" no longer fails if "detect" is specified in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> for an
interface with subnet mask 255.255.255.255.</li>
</ul>
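<p>The lock described in the entry above (and repaired in 1.2.8, see the
2/23/2002 entry) keeps two start/restart operations from rewriting the
Netfilter state at the same time. The script below is an added example, not
Shorewall's own /sbin/shorewall code, of the same idea: use procmail's
lockfile(1) when it is on the PATH and otherwise fall back to an atomic
mkdir. The STATEDIR argument and the lock name "lock" follow the entry; the
mkdir fallback, the <code>run_locked</code> wrapper and the exit code 75 are
this example's own choices, since the page does not say what Shorewall's
"less robust technique" is.</p>

```shell
#!/bin/sh
# Added example (not Shorewall's own code): serialise state-changing
# operations with STATEDIR/lock, using procmail's lockfile(1) when it is
# installed and an atomic mkdir otherwise.  The mkdir fallback is an
# assumption of this example; the page does not describe Shorewall's own.

# lock_with_mkdir PATH: mkdir either creates PATH or fails, atomically, so
# two racing callers can never both succeed.  Returns 0 when we got the lock.
lock_with_mkdir() {
    mkdir "$1" 2>/dev/null
}

# lock_with_lockfile PATH: procmail's lockfile tries once (-r 0) and exits
# non-zero if another process already holds PATH.
lock_with_lockfile() {
    lockfile -r 0 "$1" 2>/dev/null
}

# acquire_lock STATEDIR: take STATEDIR/lock with the best method available.
acquire_lock() {
    mkdir -p "$1" || return 1
    if command -v lockfile >/dev/null 2>&1; then
        lock_with_lockfile "$1/lock"
    else
        lock_with_mkdir "$1/lock"
    fi
}

# release_lock STATEDIR: works for both the file (lockfile) and the
# directory (mkdir) form of the lock.
release_lock() {
    rm -rf "$1/lock"
}

# run_locked STATEDIR CMD [ARGS...]: run CMD only if the lock is free,
# release it afterwards and return CMD's own status.  Returns 75
# (EX_TEMPFAIL) when another state-changing operation is in progress, so a
# caller can tell "busy" from "the operation itself failed".
run_locked() {
    statedir="$1"
    shift
    acquire_lock "$statedir" || {
        echo "another Shorewall operation is in progress" >&2
        return 75
    }
    "$@"
    status=$?
    release_lock "$statedir"
    return "$status"
}
```

<p>A state-changing operation is then written as
<code>run_locked /var/lib/shorewall do_start</code>; a second invocation
while the first is running gets exit status 75 instead of racing it. The
lock is held across the whole operation, which is also why a crash that
leaves a stale lock has to be cleared by hand (or by a <code>-l</code>
timeout when lockfile is used).</p>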

<p><b>1/27/2002 - Shorewall 1.2.3 Debian Package Available </b>-- see <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>

<p><b>1/20/2002 - Corrected firewall script available</b></p>

<p>Corrects a problem with BLACKLIST_LOGLEVEL. See <a href="errata.htm">the
errata</a> for details.</p>

<p><b>1/19/2002 - Shorewall 1.2.3 Released</b></p>

<p>This is a minor feature and bugfix release. The single new feature is:</p>

<ul>
<li>Support for TCP MSS Clamp to PMTU -- This support is usually required
when the internet connection is via PPPoE or PPTP and may be enabled using
the <a href="Documentation.htm#ClampMSS">CLAMPMSS</a> option in
/etc/shorewall/shorewall.conf.</li>
</ul>

<p>The following problems were corrected:</p>

<ul>
<li>The "shorewall status" command no longer hangs.</li>
<li>The "shorewall monitor" command now displays the icmpdef chain</li>
<li>The CLIENT PORT(S) column in tcrules is no longer ignored</li>
</ul>

<p><b>1/18/2002 - Shorewall 1.2.2 packaged with new </b><a
href="http://leaf.sourceforge.net">LEAF</a><b> release</b></p>

<p>Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF
distribution that includes Shorewall 1.2.2. See <a
href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo</a>
for details.</p>

<p><b>1/11/2002 - Debian Package (.deb) Now Available - </b>Thanks to <a
href="mailto:lorenzo.martignoni@milug.org">Lorenzo Martignoni</a>, a 1.2.2
Shorewall Debian package is now available. There is a link to Lorenzo's site
from the <a href="download.htm">Shorewall download page</a>.</p>

<p><b>1/9/2002 - Updated 1.2.2 /sbin/shorewall available - </b><a
href="/pub/shorewall/errata/1.2.2/shorewall">This corrected version</a>
restores the "shorewall status" command to health.</p>

<p><b>1/8/2002 - Shorewall 1.2.2 Released</b></p>

<p>In version 1.2.2:</p>

<ul>
<li>Support for IP blacklisting has been added
<ul>
<li>You specify whether you want packets from blacklisted hosts dropped or
rejected using the <a
href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a> setting in
/etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts logged and
at what syslog level using the <a
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
/etc/shorewall/shorewall.conf</li>
<li>You list the IP addresses/subnets that you wish to blacklist in <a
href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a></li>
<li>You specify the interfaces you want checked against the blacklist using
the new "<a href="Documentation.htm#BLInterface">blacklist</a>" option in
/etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the
"shorewall refresh" command.</li>
</ul>
</li>
<li>Use of TCP RST replies has been expanded
<ul>
<li>TCP connection requests rejected because of a REJECT policy are now
replied with a TCP RST packet.</li>
<li>TCP connection requests rejected because of a protocol=all rule in
/etc/shorewall/rules are now replied with a TCP RST packet.</li>
</ul>
</li>
<li>A <a href="Documentation.htm#Logfile">LOGFILE</a> specification has been
added to /etc/shorewall/shorewall.conf. LOGFILE is used to tell the
/sbin/shorewall program where to look for Shorewall messages.</li>
</ul>
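<p>The four blacklist settings listed above (BLACKLIST_DISPOSITION,
BLACKLIST_LOGLEVEL, /etc/shorewall/blacklist and the "blacklist" interface
option) together describe one set of Netfilter rules. The script below is an
added example, not Shorewall's own code, that turns such a configuration
into the iptables commands it stands for and prints them rather than running
them, so the mapping can be read and tested. It also handles the case the
2/8/2002 entry fixed in 1.2.6: when BLACKLIST_LOGLEVEL is unset, no LOG rule
is generated at all. The chain name <code>blacklst</code>, the log prefix
and the sample file contents are this example's own constructions; the real
files may differ in detail.</p>

```shell
#!/bin/sh
# Added example (not Shorewall's own code): derive the Netfilter rules the
# blacklist settings describe.  Chain name, log prefix and sample files are
# assumptions made for the demonstration.

# blacklisted_interfaces INTERFACESFILE: print the interface (column 2) of
# every line whose OPTIONS column (column 4) contains "blacklist".
blacklisted_interfaces() {
    sed 's/#.*//' "$1" | awk 'NF >= 4 {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) if (opt[i] == "blacklist") print $2
    }'
}

# gen_blacklist_rules BLACKLISTFILE INTERFACESFILE DISPOSITION [LOGLEVEL]
# DISPOSITION is BLACKLIST_DISPOSITION (DROP or REJECT); LOGLEVEL is
# BLACKLIST_LOGLEVEL and may be empty, in which case no LOG rule is emitted.
gen_blacklist_rules() {
    blacklist="$1"; interfaces="$2"; disposition="$3"; loglevel="$4"
    case "$disposition" in
        DROP|REJECT) ;;
        *) echo "BLACKLIST_DISPOSITION must be DROP or REJECT, got '$disposition'" >&2
           return 1 ;;
    esac
    echo "iptables -N blacklst"
    # Only interfaces carrying the "blacklist" option are checked: hook the
    # chain into INPUT (traffic to the firewall) and FORWARD (routed traffic).
    blacklisted_interfaces "$interfaces" | while read -r dev; do
        echo "iptables -A INPUT -i $dev -j blacklst"
        echo "iptables -A FORWARD -i $dev -j blacklst"
    done
    # One match per blacklisted address or subnet; the optional LOG rule
    # must come before the terminating DROP/REJECT rule.
    sed 's/#.*//' "$blacklist" | awk 'NF { print $1 }' | while read -r addr; do
        if [ -n "$loglevel" ]; then
            echo "iptables -A blacklst -s $addr -j LOG --log-level $loglevel --log-prefix 'Shorewall:blacklst:$disposition:'"
        fi
        echo "iptables -A blacklst -s $addr -j $disposition"
    done
}

# make_blacklist_samples: constructed interfaces and blacklist files for the
# demonstration; prints the directory that holds them.
make_blacklist_samples() {
    top=$(mktemp -d)
    printf '#ZONE INTERFACE BROADCAST OPTIONS\nnet eth0 detect blacklist,norfc1918\nloc eth1 detect dhcp\n' > "$top/interfaces"
    printf '#ADDRESS/SUBNET\n192.0.2.77\n198.51.100.0/24\n' > "$top/blacklist"
    printf '%s\n' "$top"
}

dir=$(make_blacklist_samples)
gen_blacklist_rules "$dir/blacklist" "$dir/interfaces" DROP info
rm -rf "$dir"
```

<p>With the constructed files, only eth0 gets the INPUT/FORWARD hooks (eth1
has no "blacklist" option), and each of the two addresses produces a LOG rule
followed by a DROP rule; rerun with an empty fourth argument to see the
1.2.6 behaviour, where the LOG rules are simply absent instead of being
emitted with a blank level.</p>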

<p><b>1/5/2002 - New Parameterized Samples (<a
href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.2.0/"
target="_blank">version 1.2.0</a>) released. </b>These are minor updates to
the previously-released samples. There are two new rules added:</p>

<ul>
<li>Unless you have explicitly enabled Auth connections (tcp port 113) to
your firewall, these connections will be REJECTED rather than DROPPED. This
speeds up connection establishment to some servers.</li>
<li>Orphan DNS replies are now silently dropped.</li>
</ul>

<p>See the README file for upgrade instructions.</p>

<p><b>1/1/2002 - <u><font color="#ff6633">Shorewall Mailing List Moving</font></u></b></p>

<p>The Shorewall mailing list hosted at <a href="http://sourceforge.net">Sourceforge</a>
is moving to Shorewall.net. If you are a current subscriber to the list at
Sourceforge, please <a href="shorewall_mailing_list_migration.htm">see these
instructions</a>. If you would like to subscribe to the new list, visit <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>

<p><b>12/31/2001 - Shorewall 1.2.1 Released</b></p>

<p>In version 1.2.1:</p>

<ul>
<li><a href="Documentation.htm#LogUncleanOption">Logging of Mangled/Invalid
Packets</a> is added.</li>
<li>The <a href="IPIP.htm">tunnel script</a> has been corrected.</li>
<li>'shorewall show tc' now correctly handles tunnels.</li>
</ul>

<p><b>12/21/2001 - Shorewall 1.2.0 Released!</b> - <b>I couldn't resist
releasing 1.2 on 12/21/2001</b></p>

<p>Version 1.2 contains the following new features:</p>

<ul>
<li>Support for <a href="traffic_shaping.htm">Traffic Control/Shaping</a></li>
<li>Support for <a href="Documentation.htm#Unclean">Filtering of
Mangled/Invalid Packets</a></li>
<li>Support for <a href="IPIP.htm">GRE Tunnels</a></li>
</ul>

<p>For the next month or so, I will continue to provide corrections to
version 1.1.18 as necessary so that current version 1.1.x users will not be
forced into a quick upgrade to 1.2.0 just to have access to bug fixes.</p>

<p>For those of you who have installed one of the Beta RPMS, you will need
to use the "--oldpackage" option when upgrading to 1.2.0:</p>

<blockquote>
<p>rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm</p>
</blockquote>

<p><b>12/19/2001 - Thanks to <a href="mailto:scowles@infohiiway.com">Steve
Cowles</a>, there is now a Shorewall mirror in Texas. </b>This web site is
mirrored at <a
href="http://www.infohiiway.com/shorewall" target="_top">http://www.infohiiway.com/shorewall</a>
and the ftp site is at <a
href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall">ftp://ftp.infohiiway.com/pub/mirrors/shorewall</a>.</p>

<p><b>11/30/2001 - A new set of the parameterized <a
href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.18">Sample
Configurations</a> has been released</b>. In this version:</p>

<ul>
<li>Ping is now allowed between the zones.</li>
<li>In the three-interface configuration, it is now possible to configure
the internet services that are to be available to servers in the DMZ.</li>
</ul>

<p><b>11/20/2001 - The current version of Shorewall is 1.1.18.</b></p>

<p>In this version:</p>

<ul>
<li>The spelling of ADD_IP_ALIASES has been corrected in the shorewall.conf
file</li>
<li>The logic for deleting user-defined chains has been simplified so that
it avoids a bug in the LRP version of the 'cut' utility.</li>
<li>The /var/lib/lrpkg/shorwall.conf file has been corrected to properly
display the NAT entry in that file.</li>
</ul>

<p><b>11/19/2001 - Thanks to <a href="mailto:shorewall@timelord.sk">Juraj
Ontkanin</a>, there is now a Shorewall mirror in the Slovak Republic</b>. The
website is now mirrored at <a
href="http://www.nrg.sk/mirror/shorewall" target="_top">http://www.nrg.sk/mirror/shorewall</a>
and the FTP site is mirrored at <a
href="ftp://ftp.nrg.sk/mirror/shorewall">ftp://ftp.nrg.sk/mirror/shorewall</a>.</p>

<p><b>11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations.</b>
There are three sample configurations:</p>

<ul>
<li>One Interface -- for a standalone system.</li>
<li>Two Interfaces -- A masquerading firewall.</li>
<li>Three Interfaces -- A masquerading firewall with DMZ.</li>
</ul>

<p>Samples may be downloaded from <a
href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17">ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17</a>.
See the README file for instructions.</p>

<p><b>11/1/2001 - The current version of Shorewall is 1.1.17</b>. I intend
this to be the last of the 1.1 Shorewall releases.</p>

<p>In this version:</p>

<ul>
<li>The handling of <a href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>
has been corrected.</li>
</ul>

<p><b>10/22/2001 - The current version of Shorewall is 1.1.16</b>. In this
version:</p>

<ul>
<li>A new "shorewall show connections" command has been added.</li>
<li>In the "shorewall monitor" output, the currently tracked connections are
now shown on a separate page.</li>
<li>Prior to this release, Shorewall unconditionally added the external IP
address(es) specified in /etc/shorewall/nat. Beginning with version 1.1.16,
a new parameter (<a href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>) may
be set to "no" (or "No") to inhibit this behavior. This allows IP aliases
created using your distribution's network configuration tools to be used in
static NAT.</li>
</ul>

<p><b>10/15/2001 - The current version of Shorewall is 1.1.15.</b> In this
version:</p>

<ul>
<li>Support for nested zones has been improved. See <a
href="Documentation.htm#Nested">the documentation</a> for details.</li>
<li>Shorewall now correctly checks the alternate configuration directory for
the 'zones' file.</li>
</ul>

<p><b>10/4/2001 - The current version of Shorewall is 1.1.14.</b> In this
version:</p>

<ul>
<li>Shorewall now supports alternate configuration directories. When an
alternate directory is specified when starting or restarting Shorewall
(e.g., "shorewall -c /etc/testconf restart"), Shorewall will first look for
configuration files in the alternate directory, then in /etc/shorewall. To
create an alternate configuration simply:<br>
1. Create a new directory<br>
2. Copy to that directory any of your configuration files that you want to
change.<br>
3. Modify the copied files as needed.<br>
4. Restart Shorewall specifying the new directory.</li>
<li>The rules for allowing/disallowing icmp echo-requests (pings) are now
moved after rules created when processing the rules file. This allows you to
add rules that selectively allow/deny ping based on source or destination
address.</li>
<li>Rules that specify multiple client ip addresses or subnets no longer
cause startup failures.</li>
<li>Zone names in the policy file are now validated against the zones
file.</li>
<li>If you have <a href="Documentation.htm#MangleEnabled">packet mangling</a>
support enabled, the "<a href="Documentation.htm#Interfaces">norfc1918</a>"
interface option now logs and drops any incoming packets on the interface
that have an RFC 1918 destination address.</li>
</ul>
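<p>Three entries on this page describe one workflow: the alternate
configuration directory above (looked up first, with /etc/shorewall as the
fallback), the zone validation that makes "shorewall start" abort before
touching Netfilter when the policy or hosts files name an undefined zone
(this entry and the 2/8/2002 entry for 1.2.6), and the "shorewall try"
command of the 3/20/2002 entry, which starts an alternate configuration and
falls back to the default one if that start fails. The script below is an
added example, not Shorewall's own code, that puts the three together on
constructed sample files. DEFAULTDIR stands in for /etc/shorewall, the
validation is a deliberately minimal version of the checks the entries
describe (policy zones must appear in the zones file, or be "fw" or "all"),
and the file layouts, sample zone names and the
<code>started:</code>/<code>stopped</code> output are this example's own.</p>

```shell
#!/bin/sh
# Added example (not Shorewall's own code): an alternate configuration
# directory overlaid on a default one, a zone check that rejects a bad
# policy file before anything is changed, and a "try"-style start that
# falls back to the default configuration when the alternate one is
# rejected.  DEFAULTDIR stands in for /etc/shorewall; the check, the file
# layouts and the sample data are assumptions made for the demonstration.

# find_config FILE ALTDIR DEFAULTDIR: print the path that wins the lookup,
# ALTDIR first, then DEFAULTDIR; fail if neither directory has FILE.
find_config() {
    if [ -n "$2" ] && [ -f "$2/$1" ]; then
        printf '%s\n' "$2/$1"
    elif [ -f "$3/$1" ]; then
        printf '%s\n' "$3/$1"
    else
        return 1
    fi
}

# fields FILE: strip '#' comments and blank lines, leaving the data lines.
fields() {
    sed 's/#.*//' "$1" | awk 'NF'
}

# validate_policy ALTDIR DEFAULTDIR: every SOURCE and DEST in the policy file
# must be a zone from the zones file, the firewall zone "fw" or "all".
# Both files are resolved through find_config, so a policy in ALTDIR is
# checked against whichever zones file the overlay actually selects.
validate_policy() {
    zones=$(find_config zones "$1" "$2") || { echo "no zones file" >&2; return 1; }
    policy=$(find_config policy "$1" "$2") || { echo "no policy file" >&2; return 1; }
    known=" fw all $(fields "$zones" | awk '{ print $1 }' | tr '\n' ' ')"
    fields "$policy" | awk '{ print $1; print $2 }' | while read -r zone; do
        case "$known" in
            *" $zone "*) ;;
            *) echo "policy refers to undefined zone: $zone" >&2; exit 1 ;;
        esac
    done
}

# try_start ALTDIR DEFAULTDIR: like "shorewall try": attempt the alternate
# configuration; if it is rejected, start the default one instead; report
# "stopped" (status 1) only when neither configuration is usable.
try_start() {
    if validate_policy "$1" "$2"; then
        printf 'started:%s\n' "$1"
    elif validate_policy "" "$2"; then
        printf 'started:%s (fallback)\n' "$2"
    else
        printf 'stopped\n'
        return 1
    fi
}

# make_samples: constructed configuration directories for the demonstration;
# prints the directory that holds them.
make_samples() {
    top=$(mktemp -d)
    mkdir "$top/default" "$top/alt-bad" "$top/alt-good"
    printf '#ZONE DISPLAY COMMENTS\nnet Net Internet\nloc Local Local network\n' > "$top/default/zones"
    printf '#SOURCE DEST POLICY\nloc net ACCEPT\nnet all DROP\nall all REJECT\n' > "$top/default/policy"
    # alt-bad overrides only the policy and refers to a zone nobody defined
    printf 'loc dmz ACCEPT\nall all REJECT\n' > "$top/alt-bad/policy"
    # alt-good overrides both files, so its new zone is defined
    printf 'net Net Internet\nloc Local Local network\ndmz DMZ Servers\n' > "$top/alt-good/zones"
    printf 'loc dmz ACCEPT\nnet dmz DROP\nall all REJECT\n' > "$top/alt-good/policy"
    printf '%s\n' "$top"
}

dir=$(make_samples)
try_start "$dir/alt-bad" "$dir/default"     # rejected, falls back to the default
try_start "$dir/alt-good" "$dir/default"    # accepted as-is
rm -rf "$dir"
```

<p>The alt-bad directory is the mistake the entries guard against: its
policy mentions a dmz zone, but because it does not carry its own zones
file, the overlay picks up the default zones file and the check fails before
any rule is touched, so the "try" falls back to the default configuration.
Copying the zones file into the directory and adding the zone (alt-good) is
exactly step 2 of the recipe above.</p>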

<p><b>9/12/2001 - The current version of Shorewall is 1.1.13</b>. In this
version:</p>

<ul>
<li>Shell variables can now be used to parameterize Shorewall rules.</li>
<li>The second column in the hosts file may now contain a comma-separated
list.<br>
<br>
Example:<br>
&nbsp;&nbsp;&nbsp; sea&nbsp;&nbsp;&nbsp; eth0:130.252.100.0/24,206.191.149.0/24</li>
<li>Handling of multi-zone interfaces has been improved. See the <a
href="Documentation.htm#Interfaces">documentation for the
/etc/shorewall/interfaces file</a>.</li>
</ul>

<p><b>8/28/2001 - The current version of Shorewall is 1.1.12</b>. In this
version:</p>

<ul>
<li>Several columns in the rules file may now contain comma-separated
lists.</li>
<li>Shorewall is now more rigorous in parsing the options in
/etc/shorewall/interfaces.</li>
<li>Complementation using "!" is now supported in rules.</li>
</ul>
<p><b>7/28/2001 - The current version of Shorewall is 1.1.11</b>. In this version</p>
<ul>
<li>A "shorewall refresh" command has been added to allow for refreshing the rules associated with the broadcast address on a dynamic interface. This command should be used in place of "shorewall restart" when the internet interface's IP address changes.</li>
<li>The /etc/shorewall/start file (if any) is now processed after all temporary rules have been deleted. This change prevents the accidental removal of rules added during the processing of that file.</li>
<li>The "dhcp" interface option is now applicable to firewall interfaces used by a DHCP server running on the firewall.</li>
<li>The RPM can now be built from the .tgz file using "rpm -tb".</li>
</ul>
<p><b>7/6/2001 - The current version of Shorewall is 1.1.10.</b> In this version</p>
<ul>
<li>Shorewall now enables IPv4 packet forwarding by default. Packet forwarding may be disabled by specifying IP_FORWARDING=Off in /etc/shorewall/shorewall.conf. If you don't want Shorewall to enable or disable packet forwarding, add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf file.</li>
<li>The "shorewall hits" command no longer lists extraneous service names in its last report.</li>
<li>Erroneous instructions in the comments at the head of the firewall script have been corrected.</li>
</ul>
<p><b>6/23/2001 - The current version of Shorewall is 1.1.9.</b> In this version</p>
<ul>
<li>The "tunnels" file <u>really</u> is in the RPM now.</li>
<li>SNAT can now be applied to port-forwarded connections.</li>
<li>A bug which would cause firewall start failures in some DHCP configurations has been fixed.</li>
<li>The firewall script now issues a message if you have the name of an interface in the second column in an entry in /etc/shorewall/masq and that interface is not up.</li>
<li>You can now configure Shorewall so that it <a href="Documentation.htm#NatEnabled">doesn't require the NAT and/or mangle netfilter modules</a>.</li>
<li>Thanks to Alex Polishchuk, the "hits" command from seawall is now in shorewall.</li>
<li>Support for <a href="IPIP.htm">IPIP tunnels</a> has been added.</li>
</ul>
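<p>The "hits" command mentioned in the 1.1.9 item above (and in the 1.1.10 item) summarises the firewall's log entries. The script below is an added example, written for this page rather than taken from Shorewall or seawall, of the kind of summary such a report produces: it parses the IN=/OUT=/SRC=/DST=/PROTO=/DPT= fields that the kernel's netfilter LOG target writes and counts hits by disposition, source and service. The "Shorewall:&lt;chain&gt;:&lt;disposition&gt;:" log prefix is an assumption made for this example about how the chain name and packet disposition are carried, and every log line in it is constructed, not captured traffic.</p>

```python
"""Summarise netfilter log hits, in the spirit of a "shorewall hits" report.

Added example; this is not Shorewall's or seawall's code. The IN=/OUT=/SRC=/DST=/
PROTO=/SPT=/DPT= fields are the ones the kernel's netfilter LOG target writes.
The "Shorewall:<chain>:<disposition>:" prefix is an assumption made for this
example about how the chain name and packet disposition appear in the log
prefix, and every log line below is constructed, not captured traffic.
"""
import re
from collections import Counter

# Constructed /var/log/messages-style lines (not real traffic).
SAMPLE_LOG = """\
Mar 25 10:01:02 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=43210 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 25 10:01:03 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=43211 DPT=22 SYN
Mar 25 10:02:10 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=40 PROTO=UDP SPT=1024 DPT=137
Mar 25 10:02:11 gw kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= SRC=10.0.0.5 DST=198.51.100.2 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Mar 25 10:03:00 gw kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=50000 DPT=3128 SYN
Mar 25 10:03:01 gw sshd[123]: Accepted publickey for tom from 192.168.1.20 port 50001 ssh2
"""

# One regex pulls the fields the report needs; DPT= is absent for ICMP, so it is optional.
LOG_RE = re.compile(
    r"kernel: Shorewall:(?P<chain>[A-Za-z0-9_]+):(?P<disposition>[A-Z]+):"  # assumed prefix layout
    r".*?\bIN=(?P<iface>\S*)"
    r".*?\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r".*?\bDST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
    r".*?\bPROTO=(?P<proto>[A-Z0-9]+)"
    r"(?:.*?\bDPT=(?P<dpt>\d+))?"
)


def parse_log(text):
    """Return one dict per netfilter log line; unrelated lines (sshd etc.) are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        event = m.groupdict()
        event["dpt"] = int(event["dpt"]) if event["dpt"] else None
        events.append(event)
    return events


def hits_report(events):
    """Count hits by disposition, by source address and by protocol/destination port."""
    return {
        "disposition": Counter(e["disposition"] for e in events),
        "source": Counter(e["src"] for e in events),
        "service": Counter((e["proto"], e["dpt"]) for e in events if e["dpt"] is not None),
    }


def top_sources(events, n=3):
    """The n most frequent source addresses, most active first."""
    return hits_report(events)["source"].most_common(n)


if __name__ == "__main__":
    report = hits_report(parse_log(SAMPLE_LOG))
    for section, counts in report.items():
        print(section)
        for key, count in counts.most_common():
            print(f"  {count:5d}  {key}")
```

<p>Lines that are not netfilter log records are ignored rather than reported as errors, which keeps the summary usable on a shared /var/log/messages; the disposition counts are the part of the output worth watching, since a sudden rise in DROP entries for one source or one destination port is the signal a firewall log exists to give.</p>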
<p><b>6/18/2001 - The current version of Shorewall is 1.1.8</b>. In this version</p>
<ul>
<li>A typo in the sample rules file has been corrected.</li>
<li>It is now possible to restrict masquerading by <a href="Documentation.htm#Masq">destination host or subnet</a>.</li>
<li>It is now possible to have static <a href="NAT.htm#LocalPackets">NAT rules applied to packets originating on the firewall itself</a>.</li>
</ul>
<p><b>6/2/2001 - The current version of Shorewall is 1.1.7.</b> In this version</p>
<ul>
<li>The TOS rules are now deleted when the firewall is stopped.</li>
<li>The .rpm will now install regardless of which version of iptables is installed.</li>
<li>The .rpm will now install without iproute2 being installed.</li>
<li>The documentation has been cleaned up.</li>
<li>The sample configuration files included in Shorewall have been formatted to 80 columns for ease of editing on a VGA console.</li>
</ul>
<p><b>5/25/2001 - The current version of Shorewall is 1.1.6</b>. In this version</p>
<ul>
<li><a href="Documentation.htm#lograte">You may now rate-limit the packet log.</a></li>
<li>Previous versions of Shorewall have an implementation of Static NAT which violates the principle of least surprise. NAT only occurs for packets arriving at (DNAT) or sent from (SNAT) the interface named in the INTERFACE column of /etc/shorewall/nat. Beginning with version 1.1.6, NAT is effective regardless of which interface packets come from or are destined to. To get compatibility with prior versions, I have added a new <a href="NAT.htm#AllInterFaces">"ALL INTERFACES" column to /etc/shorewall/nat</a>. By placing "no" or "No" in the new column, the NAT behavior of prior versions may be retained.</li>
<li>The treatment of <a href="IPSEC.htm#RoadWarrior">IPSEC tunnels where the remote gateway is a standalone system has been improved</a>. Previously, it was necessary to include an additional rule allowing UDP port 500 traffic to pass through the tunnel. Shorewall will now create this rule automatically when you place the name of the remote peer's zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels.</li>
</ul>
<p><b>5/20/2001 - The current version of Shorewall is 1.1.5.</b> In this version</p>
<ul>
<li><a href="Documentation.htm#modules">You may now pass parameters when loading netfilter modules and you can specify the modules to load.</a></li>
<li>Compressed modules are now loaded. This requires that your modutils support loading compressed modules.</li>
<li><a href="Documentation.htm#TOS">You may now set the Type of Service (TOS) field in packets.</a></li>
<li>Corrected rules generated for port redirection (again).</li>
</ul>
<p><b>5/10/2001 - The current version of Shorewall is 1.1.4.</b> In this version</p>
<ul>
<li><a href="Documentation.htm#Conf">Accepting RELATED connections is now optional.</a></li>
<li>Corrected a problem where, if "shorewall start" aborted early (due to kernel configuration errors, for example), superfluous 'sed' error messages were reported.</li>
<li>Corrected rules generated for port redirection.</li>
<li>The order in which iptables kernel modules are loaded has been corrected (Thanks to Mark Pavlidis).</li>
</ul>
<p><b>4/28/2001 - The current version of Shorewall is 1.1.3.</b> In this version</p>
<ul>
<li>The correct message is now issued when a Proxy ARP address is added (Thanks to Jason Kirtland).</li>
<li>/tmp/shorewallpolicy-$$ is now removed if there is an error while starting the firewall.</li>
<li>/etc/shorewall/icmp.def and /etc/shorewall/common.def are now used to define the icmpdef and common chains unless overridden by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.</li>
<li>In the .lrp, the file /var/lib/lrpkg/shorwall.conf has been corrected. An extra space after "/etc/shorwall/policy" has been removed and "/etc/shorwall/rules" has been added.</li>
<li>When a sub-shell encounters a fatal error and has stopped the firewall, it now kills the main shell so that the main shell will not continue.</li>
<li>A problem has been corrected where a sub-shell stopped the firewall and the main shell continued, resulting in a perplexing error message referring to "common.so".</li>
<li>Previously, placing "-" in the PORT(S) column in /etc/shorewall/rules resulted in an error message during start. This has been corrected.</li>
<li>The first line of "install.sh" has been corrected -- I had inadvertently deleted the initial "#".</li>
</ul>
<p><b>4/12/2001 - The current version of Shorewall is 1.1.2.</b> In this version</p>
<ul>
<li>Port redirection now works again.</li>
<li>The icmpdef and common chains <a href="Documentation.htm#Icmpdef">may now be user-defined</a>.</li>
<li>The firewall no longer fails to start if "routefilter" is specified for an interface that isn't started. A warning message is now issued in this case.</li>
<li>The LRP version is renamed "shorwall" for 8.3 MSDOS file system compatibility.</li>
<li>A couple of LRP-specific problems were corrected.</li>
</ul>
<p><b>4/8/2001 - Shorewall is now affiliated with the <a href="http://leaf.sourceforge.net">Leaf Project</a></b> <a href="http://leaf.sourceforge.net"><img border="0" src="images/leaflogo.gif" width="49" height="36"></a></p>
<p><b>4/5/2001 - The current version of Shorewall is 1.1.1. In this version:</b></p>
<ul>
<li>The common chain is traversed from INPUT, OUTPUT and FORWARD before logging occurs.</li>
<li>The source has been cleaned up dramatically.</li>
<li>DHCP DISCOVER packets with RFC1918 source addresses no longer generate log messages. Linux DHCP clients generate such packets and it's annoying to see them logged.</li>
</ul>
<p><b>3/25/2001 - The current version of Shorewall is 1.1.0. In this version:</b></p>
<ul>
<li>Log messages now indicate the packet disposition.</li>
<li>Error messages have been improved.</li>
<li>The ability to define zones consisting of an enumerated set of hosts and/or subnetworks has been added.</li>
<li>The zone-to-zone chain matrix is now sparse so that only those chains that contain meaningful rules are defined.</li>
<li>240.0.0.0/4 and 169.254.0.0/16 have been added to the source subnetworks whose packets are dropped under the <i>norfc1918</i> interface option.</li>
<li>Exits are now provided for executing a user-defined script when a chain is defined, when the firewall is initialized, when the firewall is started, when the firewall is stopped and when the firewall is cleared.</li>
<li>The Linux kernel's route filtering facility can now be specified selectively on network interfaces.</li>
</ul>
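<p>The <i>norfc1918</i> behaviour is described in three places on this page: the 1.1.0 item above adds 240.0.0.0/4 and 169.254.0.0/16 to the dropped source networks, the 1.1.1 item stops DHCP DISCOVER packets from RFC 1918 sources being logged, and the item at the top of the page extends the check to RFC 1918 destination addresses when packet mangling is enabled. The Python below is an added example that models those rules as one decision function so they can be read and exercised together; it is not Shorewall's code, which expresses the same checks as iptables rules. The function and parameter names and the sample packets are this example's own, and treating the unlogged DHCP case as a silent drop (rather than an accept) is an assumption the page does not settle.</p>

```python
"""Model of the address checks behind Shorewall's "norfc1918" interface option.

Added example; not Shorewall's own code, which builds these checks as iptables
rules. It encodes the behaviour the news items describe: packets from RFC 1918
space arriving on a norfc1918 interface are logged and dropped; 240.0.0.0/4 and
169.254.0.0/16 were added to that source list in 1.1.0; with packet mangling
enabled, packets with an RFC 1918 destination are logged and dropped as well;
and DHCP DISCOVER packets from RFC 1918 sources are not logged (1.1.1). The
function and parameter names and the sample packets are this example's own.
"""
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Added to the norfc1918 source check in 1.1.0 (class E space and link-local).
EXTRA_SOURCE_NETS = [ip_network(n) for n in ("240.0.0.0/4", "169.254.0.0/16")]


def is_rfc1918(addr):
    """True for an address in one of the three RFC 1918 private blocks."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def is_norfc1918_source(addr):
    """True for a source address the option rejects (RFC 1918 plus the 1.1.0 additions)."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918 + EXTRA_SOURCE_NETS)


def is_dhcp_discover(proto, sport, dport):
    """DHCP client-to-server traffic: UDP from port 68 to port 67."""
    return proto == "UDP" and sport == 68 and dport == 67


def norfc1918_decision(src, dst, proto=None, sport=None, dport=None, mangle_enabled=False):
    """Return (verdict, logged) for one packet arriving on a norfc1918 interface.

    verdict is "DROP" or "PASS" (hand the packet on to the rest of the ruleset).
    The page only says the DHCP case is unlogged; treating it as a silent DROP
    rather than an ACCEPT is this model's assumption.
    """
    if is_norfc1918_source(src):
        if is_dhcp_discover(proto, sport, dport):
            return ("DROP", False)
        return ("DROP", True)
    if mangle_enabled and is_rfc1918(dst):
        return ("DROP", True)
    return ("PASS", False)


# Constructed packets: (src, dst, proto, sport, dport); public addresses are documentation ranges.
SAMPLE_PACKETS = [
    ("10.1.2.3", "198.51.100.2", "TCP", 40000, 80),
    ("169.254.10.10", "198.51.100.2", "UDP", 5000, 53),
    ("192.168.0.5", "255.255.255.255", "UDP", 68, 67),
    ("203.0.113.9", "198.51.100.2", "TCP", 1234, 22),
    ("203.0.113.9", "192.168.1.1", "TCP", 1234, 22),
]


def classify_all(packets, mangle_enabled=False):
    """Apply norfc1918_decision to each packet; return a list of (packet, verdict, logged)."""
    return [(p, *norfc1918_decision(*p, mangle_enabled=mangle_enabled)) for p in packets]


if __name__ == "__main__":
    for mangle in (False, True):
        print(f"mangle_enabled={mangle}")
        for pkt, verdict, logged in classify_all(SAMPLE_PACKETS, mangle_enabled=mangle):
            print(f"  {pkt[0]:>15} -> {pkt[1]:<15} {verdict:4} {'logged' if logged else ''}")
```

<p>Running it with and without <code>mangle_enabled</code> shows the one packet whose fate the mangling support changes: a public source addressed to an RFC 1918 destination passes on to the rest of the ruleset without mangling and is logged and dropped with it.</p>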
<p><b>3/19/2001 - The current version of Shorewall is 1.0.4. This version:</b></p>
<ul>
<li>Allows user-defined zones. Shorewall now has only one pre-defined zone (fw) with the remaining zones being defined in the new configuration file /etc/shorewall/zones. The /etc/shorewall/zones file released in this version provides behavior that is compatible with Shorewall 1.0.3.</li>
<li>Adds the ability to specify logging in entries in the /etc/shorewall/rules file.</li>
<li>Corrects handling of the icmp-def chain so that only ICMP packets are sent through the chain.</li>
<li>Compresses the output of "shorewall monitor" if awk is installed. Allows the command to work if awk isn't installed (although it's not pretty).</li>
</ul>
<p><b>3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix release with no new features.</b></p>
<ul>
<li>The PATH variable in the firewall script now includes /usr/local/bin and /usr/local/sbin.</li>
<li>DMZ-related chains are now correctly deleted if the DMZ is deleted.</li>
<li>The interface OPTIONS for "gw" interfaces are no longer ignored.</li>
</ul>
<p><b>3/8/2001 - The current version of Shorewall is 1.0.2. It supports an additional "gw" (gateway) zone for tunnels and it supports IPSEC tunnels with end-points on the firewall. There is also a .lrp available now.</b></p>

<p><font size="2">Updated 1/18/2003 - <a href="support.htm">Tom Eastep</a></font></p>

<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
</p>
<br>
</body>
</html>