2004-07-03 18:41:53 +02:00
|
|
|
Shorewall 2.1.0
|
2004-01-31 17:11:22 +01:00
|
|
|
|
2004-02-10 01:04:10 +01:00
|
|
|
----------------------------------------------------------------------
|
2004-06-28 19:53:31 +02:00
|
|
|
Problems Corrected since 2.0.3
|
|
|
|
|
|
|
|
|
|
1) A non-empty DEST entry in /etc/shorewall/tcrules will generate an
|
|
|
|
|
error and Shorewall fails to start.
|
|
|
|
|
|
|
|
|
|
2) A potential security vulnerablilty in the way that Shorewall
|
|
|
|
|
handles temporary files and directories has been corrected.
|
|
|
|
|
|
2004-07-06 22:41:53 +02:00
|
|
|
3) Two problems with logging NAT rules (DNAT and REDIRECT) could cause
|
|
|
|
|
startup failures.
|
|
|
|
|
|
2004-07-12 15:01:55 +02:00
|
|
|
4) Some users have reported the pkttype match option in iptables/
|
|
|
|
|
Netfilter failing to match certain broadcast packets. The result
|
|
|
|
|
is that the firewall log shows a lot of broadcast packets.
|
|
|
|
|
|
|
|
|
|
Users experiencing this problem can use PKTTYPE=No in
|
|
|
|
|
shorewall.conf to cause Shorewall to use IP address filtering of
|
|
|
|
|
broadcasts rather than packet type.
|
|
|
|
|
|
2004-07-10 19:03:31 +02:00
|
|
|
Problems Corrected since 2.1.0
|
|
|
|
|
|
|
|
|
|
1) The "check" command fails with the following message:
|
|
|
|
|
|
|
|
|
|
iptables: No chain/target/match by that name
|
|
|
|
|
|
2004-01-31 20:06:39 +01:00
|
|
|
-----------------------------------------------------------------------
|
2004-07-03 18:41:53 +02:00
|
|
|
Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
|
2004-05-01 04:20:58 +02:00
|
|
|
|
2004-07-25 00:17:13 +02:00
|
|
|
1) Shorewall configuration files except shorewall.conf are now empty
|
|
|
|
|
(they contain only comments). If you wish to retain the defaults
|
|
|
|
|
in any of the following files, you should copy these files before
|
|
|
|
|
upgrading them then restore them after the upgrade:
|
|
|
|
|
|
|
|
|
|
/etc/shorewall/zones
|
|
|
|
|
/etc/shorewall/policy
|
|
|
|
|
/etc/shorewall/tos
|
2004-05-27 20:18:41 +02:00
|
|
|
|
2004-07-28 21:22:00 +02:00
|
|
|
2) The following builtin actions have been removed and have been
|
|
|
|
|
replaced by the new action logging implementation described in the
|
|
|
|
|
new features below.
|
|
|
|
|
|
|
|
|
|
logNotSyn
|
|
|
|
|
rLogNotSyn
|
|
|
|
|
dLogNotSyn
|
|
|
|
|
|
2004-05-27 18:27:50 +02:00
|
|
|
-----------------------------------------------------------------------
|
2004-01-31 17:11:22 +01:00
|
|
|
New Features:
|
|
|
|
|
|
2004-07-01 16:12:29 +02:00
|
|
|
1) ICMP packets that are in the INVALID state are now dropped by the
|
|
|
|
|
Reject and Drop default actions. They do so using the new
|
|
|
|
|
'dropInvalid' builtin action.
|
2004-07-13 02:33:30 +02:00
|
|
|
|
|
|
|
|
2) The /etc/shorewall/masq file INTERFACE column now allows additional
|
|
|
|
|
options.
|
|
|
|
|
|
|
|
|
|
Normally MASQUERADE/SNAT rules are evaluated after one-to-one NAT
|
|
|
|
|
rules defined in the /etc/shorewall/nat file. If you preceed the
|
|
|
|
|
interface name with a plus sign ("+") then the rule will be
|
|
|
|
|
evaluated before one-to-one NAT.
|
|
|
|
|
|
|
|
|
|
Examples:
|
|
|
|
|
|
|
|
|
|
+eth0
|
|
|
|
|
+eth1:192.0.2.32/27
|
|
|
|
|
|
|
|
|
|
Also, the effect of ADD_SNAT_ALIASES=Yes can be negated for an
|
|
|
|
|
entry by following the interface name by ":" but no digit.
|
|
|
|
|
|
|
|
|
|
Examples:
|
|
|
|
|
|
|
|
|
|
eth0:
|
|
|
|
|
eth1::192.0.2.32/27
|
|
|
|
|
+eth3:
|
|
|
|
|
|
2004-07-15 22:29:06 +02:00
|
|
|
3) Similar to 2), the /etc/shorewall/nat file INTERFACE column now allows
|
|
|
|
|
you to override the setting of ADD_IP_ALIASES=Yes by following the
|
|
|
|
|
interface name with ":" but no digit.
|
|
|
|
|
|
2004-07-25 03:30:09 +02:00
|
|
|
4) All configuration files in the Shorewall distribution with the
|
|
|
|
|
exception of shorewall.conf are now empty. In particular, the
|
|
|
|
|
/etc/shorewall/zones, /etc/shorewall/policy and /etc/shorewall/tos
|
|
|
|
|
files now have no active entries. Hopefully this will stop the
|
|
|
|
|
questions on the support and development lists regarding why the
|
|
|
|
|
default entries are the way they are.
|
2004-07-13 02:33:30 +02:00
|
|
|
|
2004-07-28 04:36:40 +02:00
|
|
|
5) Previously, specifying a log level (and optionally a log tag) on a
|
|
|
|
|
rule that specified a user-defined (or Shorewall-defined) action
|
|
|
|
|
would log all traffic passed to the action. Beginning with this
|
|
|
|
|
release, specifying a log level in a rule that specifies a user-
|
|
|
|
|
or Shorewall-defined action will cause each rule in the action to
|
|
|
|
|
be logged with the specified level (and tag).
|
|
|
|
|
|
|
|
|
|
The extent to which logging of action rules occurs is goverend by
|
|
|
|
|
the following:
|
|
|
|
|
|
|
|
|
|
a) When you invoke an action and specify a log level, only those
|
|
|
|
|
rules in the action that have no log level will be changed to log
|
|
|
|
|
at the level specified at the action invocation.
|
|
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
|
|
/etc/shorewall/action.foo:
|
|
|
|
|
|
|
|
|
|
ACCEPT - - tcp 22
|
|
|
|
|
bar:info
|
|
|
|
|
|
|
|
|
|
/etc/shorewall/rules:
|
|
|
|
|
|
|
|
|
|
foo:debug fw net
|
|
|
|
|
|
|
|
|
|
Logging in the invoke 'foo' action will be:
|
|
|
|
|
|
|
|
|
|
ACCEPT:debug - - tcp 22
|
|
|
|
|
bar:info
|
|
|
|
|
|
|
|
|
|
b) If you follow the log level with "!" then logging will
|
|
|
|
|
be at that level for all rules recursively invoked by the action
|
|
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
|
|
/etc/shorewall/action.foo:
|
|
|
|
|
|
|
|
|
|
ACCEPT - - tcp 22
|
|
|
|
|
bar:info
|
|
|
|
|
|
|
|
|
|
/etc/shorewall/rules:
|
|
|
|
|
|
|
|
|
|
foo:debug! fw net
|
|
|
|
|
|
|
|
|
|
Logging in the invoke 'foo' action will be:
|
|
|
|
|
|
|
|
|
|
ACCEPT:debug - - tcp 22
|
|
|
|
|
bar:debug!
|
|
|
|
|
|
2004-07-28 21:22:00 +02:00
|
|
|
This change has an effect on extension scripts used with
|
|
|
|
|
user-defined actions. If you define an action 'acton' and you have
|
|
|
|
|
a /etc/shorewall/acton script then when that script is invoked,
|
|
|
|
|
the following three variables will be set for use by the script:
|
|
|
|
|
|
|
|
|
|
$CHAIN = the name of the chain where your rules are to be
|
|
|
|
|
placed. When logging is used on an action invocation,
|
|
|
|
|
Shorewall creates a chain with a slightly different name from
|
|
|
|
|
the action itself.
|
|
|
|
|
|
|
|
|
|
$LEVEL = Log level. If empty, no logging was specified.
|
|
|
|
|
|
|
|
|
|
$TAG = Log Tag.
|
|
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
|
|
/etc/shorewall/rules:
|
|
|
|
|
|
|
|
|
|
acton:info:test
|
|
|
|
|
|
|
|
|
|
Your /etc/shorewall/acton file will be run with:
|
|
|
|
|
|
|
|
|
|
$CHAIN="acton1"
|
|
|
|
|
$LEVEL="info"
|
|
|
|
|
$TAG="test"
|
2004-07-28 04:36:40 +02:00
|
|
|
|
2004-08-02 23:48:40 +02:00
|
|
|
6) The /etc/shorewall/startup_disabled file is no longer created when
|
|
|
|
|
Shorewall is first installed. Rather, the variable STARTUP_ENABLED
|
|
|
|
|
is set to 'No' in /etc/shorewall/shorewall.conf. In order to get
|
|
|
|
|
Shorewall to start, that variable's value must be set to
|
|
|
|
|
'Yes'. This change accomplishes two things:
|
|
|
|
|
|
|
|
|
|
a) It prevents Shorewall from being started prematurely by the
|
|
|
|
|
user's initialization scripts.
|
|
|
|
|
|
|
|
|
|
b) It causes /etc/shorewall/shorewall.conf to be modified so that
|
|
|
|
|
it won't be replaced by upgrades using RPM.
|
2004-08-06 17:35:05 +02:00
|
|
|
|
|
|
|
|
7) Some additional support has been added for the 2.6 Kernel IPSEC
|
|
|
|
|
implementation. To use this support, you must have installed the
|
|
|
|
|
IPSEC policy match patch from Patch-0-Matic-ng. That patch affects
|
|
|
|
|
both your kernel and iptables.
|
|
|
|
|
|
|
|
|
|
This new Shorewall support is enabled through use of the 'ipsec'
|
|
|
|
|
option in /etc/shorewall/hosts.
|
|
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
|
|
Under 2.4 Kernel FreeS/Wan:
|
|
|
|
|
|
|
|
|
|
/etc/shorewall/zones:
|
|
|
|
|
|
|
|
|
|
net Net The big bad Internet
|
|
|
|
|
vpn VPN Remote Network
|
|
|
|
|
|
|
|
|
|
/etc/shorewall/interfaces:
|
|
|
|
|
|
|
|
|
|
net eth0 ...
|
|
|
|
|
vpn ipsec0 ...
|
|
|
|
|
|
|
|
|
|
Under 2.6 Kernel with this new support:
|
|
|
|
|
|
|
|
|
|
/etc/shorewall/zones (note the change of order):
|
|
|
|
|
|
|
|
|
|
vpn VPN Remote Network
|
|
|
|
|
net Net The big bad Internet
|
|
|
|
|
|
|
|
|
|
/etc/shorewall/interfaces:
|
|
|
|
|
|
|
|
|
|
net eth0 ...
|
|
|
|
|
|
|
|
|
|
/etc/shorewall/hosts:
|
|
|
|
|
|
|
|
|
|
vpn eth0:0.0.0.0/0 ipsec
|
