This is a snapshot release of Shorewall.

Problems Corrected:

1) A problem seen on RH7.3 systems where Shorewall encountered start
   errors when started using the "service" mechanism has been worked
   around.

2) A problem introduced in earlier snapshots has been corrected. This
   problem caused incorrect netfilter rules to be created when the
   destination zone in a rule was qualified by an address in CIDR
   format.

   Example:

   ACCEPT fw net:206.124.146.0/24 tcp pop3

3) A problem introduced in Snapshot 20030629 has been corrected whereby
   the output of the capabilities report was corrupted in the case
   where the capability was not available.

4) Where a list of IP addresses appears in the DEST column of a DNAT[-]
   rule, Shorewall incorrectly created multiple DNAT rules in the nat
   table (one for each element in the list). Shorewall now correctly
   creates a single DNAT rule with multiple "--to-destination" clauses.

Migration Considerations:

This version of Shorewall uses shell features that aren't available
in all shells. Before you upgrade to this version of Shorewall, you
should download and run the 'shellcheck.sh' script from
http://shorewall.net/pub/shorewall/misc.

New Features:

1) A 'newnotsyn' interface option has been added. This option may be
   specified in /etc/shorewall/interfaces and overrides the setting
   NEWNOTSYN=No for packets arriving on the associated interface.

2) The means for specifying a range of IP addresses in
   /etc/shorewall/masq to use for SNAT is now documented.
   ADD_SNAT_ALIASES=Yes is now supported for address ranges.

3) Shorewall can now add IP addresses to subnets other than the first
   one on an interface.

4) DNAT[-] rules may now be used to load balance (round-robin) over a
   set of servers. Up to 256 servers may be specified in a range of
   addresses given as <first address>-<last address>.

   Example:

   DNAT net loc:192.168.10.2-192.168.10.5 tcp 80

   Note that this capability has previously been available using a
   combination of a DNAT- rule and one or more ACCEPT rules. That
   technique is still preferable for load-balancing over a large number
   of servers (> 16) since specifying a range in the DNAT rule causes
   one filter table ACCEPT rule to be generated for each IP address in
   the range.

5) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
   have been removed and have been replaced by code that detects
   whether these capabilities are present in the current kernel. The
   output of the start, restart and check commands has been enhanced
   to report the outcome:

   Shorewall has detected the following iptables/netfilter capabilities:
      NAT: Available
      Packet Mangling: Available
      Multi-port Match: Available
   Verifying Configuration...

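   As an added illustration of the detection approach described in item 5
   (this is not Shorewall's own detection code), the POSIX shell script
   below probes the iptables binary for each capability and prints a report
   in the same layout. The probe commands are assumptions: listing the nat
   and mangle tables and asking the multiport and conntrack matches for
   help are userspace-side checks, and a kernel without the matching module
   may still pass them, so Shorewall's real probes may differ. The probes
   need root to be meaningful; the optional first argument names the
   iptables binary so the report can be exercised against a stub.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: probe iptables for the
# capabilities the release notes list and print the same report layout.
# The probe commands are assumptions (userspace-side checks only).

# probe_capability <label> <command...>: run the command quietly and
# report "<label>: Available" or "<label>: Not available".
probe_capability() {
    label=$1
    shift
    if "$@" >/dev/null 2>&1; then
        echo "$label: Available"
    else
        echo "$label: Not available"
    fi
}

# detect_capabilities [iptables-binary]: one probe per capability.
# Run as root; a non-root listing of the nat table fails for lack of
# privilege, not for lack of the capability.
detect_capabilities() {
    ipt=${1:-iptables}
    echo "Shorewall has detected the following iptables/netfilter capabilities:"
    probe_capability "NAT" "$ipt" -t nat -L -n
    probe_capability "Packet Mangling" "$ipt" -t mangle -L -n
    probe_capability "Multi-port Match" "$ipt" -m multiport --help
    probe_capability "Connection Tracking Match" "$ipt" -m conntrack --help
}

detect_capabilities "${1:-iptables}"
```

   Passing `true` or `false` as the binary yields an all-Available or
   all-Not-available report, which is a convenient way to check that a
   script consuming the report copes with both cases (the corruption fixed
   in Problems Corrected item 3 was in the Not-available case).
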
6) Support for the Connection Tracking Match Extension has been
   added. This extension is available in recent kernel/iptables
   releases and allows for rules that match against elements in
   netfilter's connection tracking table.

   Shorewall automatically detects the availability of this extension
   and reports it in the output of the start, restart and check
   commands:

   Shorewall has detected the following iptables/netfilter capabilities:
      NAT: Available
      Packet Mangling: Available
      Multi-port Match: Available
      Connection Tracking Match: Available
   Verifying Configuration...

   If this extension is available, the ruleset generated by Shorewall
   is changed in the following ways:

   a) To handle 'norfc1918' filtering, Shorewall will not create chains
      in the mangle table but will rather do all 'norfc1918' filtering in
      the filter table (rfc1918 chain).

   b) Recall that Shorewall DNAT rules generate two netfilter rules:
      one in the nat table and one in the filter table. If the Connection
      Tracking Match Extension is available, the rule in the filter table
      is extended to check that the original destination address was the
      same as specified (or defaulted to) in the DNAT rule.
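
   As an added illustration of items 4 and 6b together (this is not
   Shorewall's own code and not its generated output), the POSIX shell
   script below expands a rule of the form
   "DNAT net loc:<first>-<last> tcp <port>" into the netfilter commands
   the notes describe: one nat-table DNAT rule whose --to-destination
   carries the whole range, over which netfilter round-robins, plus one
   filter-table ACCEPT per server, each extended with the conntrack
   original-destination check of item 6b. The chain names net_dnat and
   net2loc, the interface eth0 and the original destination
   206.124.146.176 are assumptions constructed for the example; the
   256-address limit is the one stated in item 4.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: the netfilter rules that a
# DNAT rule with a server range expands to (items 4 and 6b above).
# Chain names, interface and original destination are assumptions.

# Dotted quad -> 32-bit integer. The subshell body keeps the IFS change
# local to this function.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print every address in <first>-<last>, one per line. A reversed range
# or one with more than 256 addresses is rejected, matching the limit
# the release notes state.
expand_range() {
    first=${1%-*}
    last=${1#*-}
    f=$(ip2int "$first")
    l=$(ip2int "$last")
    [ "$l" -ge "$f" ] || { echo "reversed range: $1" >&2; return 1; }
    [ $(( l - f + 1 )) -le 256 ] || { echo "range $1 has more than 256 addresses" >&2; return 1; }
    i=$f
    while [ "$i" -le "$l" ]; do
        int2ip "$i"
        i=$(( i + 1 ))
    done
}

# dnat_rules <range> <port> <interface> <original-destination>
# Emit the iptables commands for one DNAT rule: a single nat-table rule
# carrying the whole range in --to-destination (netfilter load balances
# across it), then one filter-table ACCEPT per server. Each ACCEPT checks,
# with the conntrack match, that the connection's original destination was
# the address the DNAT rule was written for.
dnat_rules() {
    range=$1; port=$2; iface=$3; origdst=$4
    expand_range "$range" >/dev/null || return 1
    echo "iptables -t nat -A net_dnat -i $iface -d $origdst -p tcp --dport $port -j DNAT --to-destination $range"
    expand_range "$range" | while read -r server; do
        echo "iptables -A net2loc -i $iface -d $server -p tcp --dport $port -m conntrack --ctorigdst $origdst -j ACCEPT"
    done
}

# The example rule from item 4; 206.124.146.176 is a constructed address.
dnat_rules 192.168.10.2-192.168.10.5 80 eth0 206.124.146.176
```

   The per-address ACCEPT rules are why the notes recommend the older
   DNAT- plus ACCEPT technique for large server pools: a range of 256
   servers yields 256 filter rules, whereas a single ACCEPT with a CIDR
   destination covers the pool in one rule. Without the conntrack match,
   the ACCEPT would admit any traffic to the server on that port,
   regardless of the address the client originally connected to.
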

7) The shell used to interpret the firewall script
   (/usr/share/shorewall/firewall) may now be specified using the
   SHOREWALL_SHELL parameter in shorewall.conf.