Shorewall 2.0.2-Beta 1

----------------------------------------------------------------------

Problems Corrected since 2.0.1

1) The /etc/init.d/shorewall script installed on Debian by install.sh
   failed silently due to a missing file
   (/usr/share/shorewall/wait4ifup). That file is not part of the
   normal Shorewall distribution and is provided by the Debian
   maintainer.

2) A meaningless warning message out of the proxyarp file processing
   has been eliminated.

-----------------------------------------------------------------------

Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:

1) Dynamic Zone support.

   If you don't need to use the "shorewall add" and "shorewall delete"
   commands, you should set DYNAMIC_ZONES=No in
   /etc/shorewall/shorewall.conf.

New Features:

1) Shorewall has now been integrated with
   iptables-save/iptables-restore to provide very fast start and
   restart. The elements of this integration are as follows:

   a) The 'shorewall save' command now saves the current configuration
      in addition to the current dynamic blacklist. If you have
      dynamic zones, you will want to issue 'shorewall save' when the
      zones are empty or the current contents of the zones will be
      restored by the 'shorewall restore' and 'shorewall -f start'
      commands.

   b) The 'shorewall restore' command has been added. This command
      restores the configuration at the time of the last 'save'.

   c) The -f (fast) option has been added to 'shorewall start'. When
      specified (e.g. 'shorewall -f start'), shorewall will perform a
      'shorewall restore' if there is a saved configuration. If there
      is no saved configuration, a normal 'shorewall start' is
      performed.

   d) The /etc/init.d/shorewall script now translates the 'start'
      command into 'shorewall -f start' so that fast restart is
      possible.

   e) When a state-changing command encounters an error and there is a
      current saved configuration, that configuration will be restored
      (currently, the firewall is placed in the 'stopped' state).

   f) If you have previously saved the running configuration and want
      Shorewall to discard it, use the 'shorewall forget' command.

   WARNING: iptables 1.2.9 is broken with respect to iptables-save;
   if your kernel has connection tracking match support, you must
   patch iptables 1.2.9 with the iptables patch available from
   the Shorewall errata page.

2) The previous implementation of dynamic zones was difficult to
   maintain. I have changed the code to make dynamic zones optional
   under the control of the DYNAMIC_ZONES option in
   /etc/shorewall/shorewall.conf.

3) In earlier Shorewall 2.0 releases, Shorewall searched, in order, the
   following directories for configuration files:

   a) The directory specified in a 'try' command or specified using
      the -c option.

   b) /etc/shorewall

   c) /usr/share/shorewall

   In this release, the CONFIG_PATH option is added to shorewall.conf.
   CONFIG_PATH contains a list of directory names separated by colons
   (":"). If not set or set to a null value (e.g., CONFIG_PATH="") then
   "CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed.

   Now Shorewall searches for shorewall.conf according to the old
   rules and for other configuration files as follows:

   a) The directory specified in a 'try' command or specified using
      the -c option.

   b) Each directory in $CONFIG_PATH is searched in sequence.

   In case it is not obvious, your CONFIG_PATH should include
   /usr/share/shorewall and your shorewall.conf file must be in the
   directory specified via -c or in a try command, in /etc/shorewall
   or in /usr/share/shorewall.

   For distribution packagers, the default CONFIG_PATH is set in
   /usr/share/shorewall/configpath. You can customize this file to
   have a default that differs from mine.
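
   The CONFIG_PATH lookup described in item 3, as an added POSIX shell example that is not Shorewall's own code: find_config_file resolves a file other than shorewall.conf through the -c/'try' directory and then each CONFIG_PATH entry in order, and check_config_path flags a path that omits /usr/share/shorewall. The function names and the sample directory tree are constructed for this illustration.

```sh
#!/bin/sh
# Added example, not Shorewall's own code: resolve a configuration file
# (other than shorewall.conf) the way item 3 describes: first the
# directory given with -c or a 'try' command, then each CONFIG_PATH entry
# in order. An unset or empty CONFIG_PATH means the documented default.

# find_config_file NAME CMD_DIR CONFIG_PATH
#   Prints the first existing NAME and returns 0; returns 1 if none found.
find_config_file() {
    local name cmd_dir path dir old_ifs
    name=$1
    cmd_dir=$2
    path=${3:-/etc/shorewall:/usr/share/shorewall}

    # 1) the -c / 'try' directory, if one was given
    if [ -n "$cmd_dir" ] && [ -f "$cmd_dir/$name" ]; then
        printf '%s\n' "$cmd_dir/$name"
        return 0
    fi

    # 2) each CONFIG_PATH entry in sequence (colon-separated)
    old_ifs=$IFS
    IFS=:
    for dir in $path; do
        if [ -n "$dir" ] && [ -f "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# check_config_path CONFIG_PATH
#   Returns 0 if the path includes /usr/share/shorewall, as the notes
#   say it must; otherwise warns on stderr and returns 1.
check_config_path() {
    case ":${1:-/etc/shorewall:/usr/share/shorewall}:" in
        *:/usr/share/shorewall:*) return 0 ;;
        *) echo "WARNING: CONFIG_PATH omits /usr/share/shorewall" >&2
           return 1 ;;
    esac
}

# Demonstration on a constructed tree (sample data, not a real install)
demo=$(mktemp -d); mkdir -p "$demo/etc" "$demo/share"; : > "$demo/share/rules"
find_config_file rules "" "$demo/etc:$demo/share"   # prints $demo/share/rules
check_config_path "$demo/etc:$demo/share" || true   # warns: default dir omitted
rm -rf "$demo"
```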

4) Previously, in /etc/shorewall/nat a Yes (or yes) in the LOCAL column
   would only take effect if the ALL INTERFACES column also contained
   Yes or yes. Now, the LOCAL column's contents are treated
   independently of the contents of the ALL INTERFACES column.

5) The folks at Mandrake have created yet another kernel module
   naming convention (module names end in "ko.gz"). As a consequence,
   beginning with this release, if MODULE_SUFFIX isn't specified in
   shorewall.conf, then the default value is "o gz ko o.gz ko.gz".

6) An updated bogons file is included in this release.

7) In /etc/shorewall/rules and in action files generated from
   /usr/share/shorewall/action.template, rules that perform logging can
   specify an optional "log tag". A log tag is a string of alphanumeric
   characters and is specified by following the log level with ":" and
   the log tag.

   Example:

      ACCEPT:info:ftp net dmz tcp 21

   The log tag is appended to the log prefix generated by the LOGPREFIX
   variable in /etc/shorewall/shorewall.conf. If "ACCEPT:info" generates
   the log prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will
   generate "Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank).
   The maximum length of a log prefix supported by iptables is 29
   characters; if a larger prefix is generated, Shorewall will issue a
   warning message and will truncate the prefix to 29 characters.
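
   One way to carry item 7's rule through in code, as an added POSIX shell example and not Shorewall's own implementation: split an ACTION such as ACCEPT:info:ftp into target, level and tag, append the tag to the base prefix with its trailing blank, and apply the 29-character limit with a warning. The function names are assumptions; the base prefix is the one from the example above.

```sh
#!/bin/sh
# Added example, not Shorewall's own code: build the --log-prefix for a
# rule whose ACTION column carries an optional log tag (item 7). The base
# prefix is what LOGPREFIX yields for the chain and target, for example
# "Shorewall:net2dmz:ACCEPT:"; the tag is appended with a trailing blank
# and anything over the 29-character iptables limit is reported and cut.

# split_action ACTION -> prints "target level tag" (e.g. ACCEPT:info:ftp)
split_action() {
    local target level tag rest
    target=${1%%:*}
    rest=${1#"$target"}; rest=${rest#:}
    level=${rest%%:*}
    rest=${rest#"$level"}; rest=${rest#:}
    tag=${rest%%:*}
    printf '%s %s %s\n' "$target" "$level" "$tag"
}

# make_log_prefix BASE_PREFIX TAG -> prints the final prefix
make_log_prefix() {
    local base tag prefix
    base=$1
    tag=$2
    if [ -n "$tag" ]; then
        # a log tag must be alphanumeric; reject anything else
        case $tag in
            *[!A-Za-z0-9]*) echo "ERROR: invalid log tag \"$tag\"" >&2; return 1 ;;
        esac
        prefix="${base}${tag} "
    else
        prefix=$base
    fi
    if [ ${#prefix} -gt 29 ]; then
        echo "WARNING: log prefix \"$prefix\" exceeds 29 characters; truncating" >&2
        prefix=$(printf '%.29s' "$prefix")
    fi
    printf '%s\n' "$prefix"
}

# Demonstration: the example from the notes, then a tag that overflows
split_action ACCEPT:info:ftp                          # ACCEPT info ftp
make_log_prefix "Shorewall:net2dmz:ACCEPT:" ftp       # 29 chars exactly, kept whole
make_log_prefix "Shorewall:net2dmz:ACCEPT:" ftpdata   # warns, prints Shorewall:net2dmz:ACCEPT:ftpd
```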

8) A new "-q" option has been added to /sbin/shorewall commands. It
   causes the start, restart, check and refresh commands to produce
   much less output so that warning messages are more visible (when
   testing this change, I discovered a bug where a bogus warning
   message was being generated).

9) Shorewall now uses 'modprobe' to load kernel modules if that utility
   is available in the PATH; otherwise, 'insmod' is used.