Shorewall 2.0.3 Beta 1

----------------------------------------------------------------------
Problems Corrected since 2.0.2

1) The 'firewall' script is not purging temporary restore files in
   /var/lib/shorewall. These files have names of the form
   "restore-nnnnn".

2) The /var/lib/shorewall/restore script did not load the kernel
   modules specified in /etc/shorewall/modules.

3) Specifying a null common action in /etc/shorewall/actions (e.g.,
   :REJECT) results in a startup error.

4) If /var/lib/shorewall does not exist, shorewall start fails.

5) DNAT rules with a dynamic source zone don't work properly. When
   used, these rules cause the rule to be checked against ALL input,
   not just input from the designated zone.

6) The install.sh script reported installing some files in
   /etc/shorewall when the files were actually installed in
   /usr/share/shorewall.

-----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:

1) The 'dropNonSyn' standard builtin action has been replaced with the
   'dropNotSyn' standard builtin action. The old name can still be used
   but will generate a warning.

2) To lay the groundwork for eventual removal of NEWNOTSYN from
   shorewall.conf and removal of the 'newnotsyn' interface option,
   several new standard builtin actions have been defined. See New
   Feature 3 below.

-----------------------------------------------------------------------
New Features:

1) "!" is now allowed in accounting rules.

2) Interface names appearing within the configuration are now
   verified. Interface names must match the name of an entry in
   /etc/shorewall/interfaces (or if bridging is enabled, they must
   match the name of an entry in /etc/shorewall/interfaces or the name
   of a bridge port appearing in /etc/shorewall/hosts).
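   The check described in item 2, written out as an added example. This is
   not Shorewall's own verifier; the three configuration files are
   constructed samples, and the parser assumes the 2.0 column layouts
   (interfaces: ZONE INTERFACE BROADCAST OPTIONS; hosts: ZONE HOST(S)
   OPTIONS with bridge ports written bridge:port[:address]; rules: ACTION
   SOURCE DEST PROTO ... with SOURCE/DEST written zone[:interface][:address]).
   It also assumes that anything after the zone that is not a dotted-quad
   IPv4 address or subnet is an interface name:

```python
"""Report interface names a rules file references that are not defined in
interfaces (or, with bridging on, as a bridge port in hosts). Added
example, not Shorewall code; sample files below are constructed."""
import re

# Assumption: only IPv4 addresses/subnets (optionally '!'-negated) appear
# after the zone; any other token in that position is an interface name.
IPV4_RE = re.compile(r"^!?\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")


def parse_columns(text, ncols):
    """Yield the whitespace-separated columns of each non-comment line,
    padded with '-' (Shorewall's empty-column marker) up to ncols."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            cols = line.split()
            yield cols + ["-"] * (ncols - len(cols))


def known_interfaces(interfaces_text, hosts_text="", bridging=False):
    """Set of names a rule may legitimately reference."""
    names = {cols[1] for cols in parse_columns(interfaces_text, 2)}
    if bridging:
        # HOST(S) column written bridge:port[:address]; the port is valid too
        for cols in parse_columns(hosts_text, 2):
            parts = cols[1].split(":")
            if len(parts) >= 2 and parts[0] in names and not IPV4_RE.match(parts[1]):
                names.add(parts[1])
    return names


def referenced_interfaces(rules_text):
    """Interface names found in SOURCE/DEST columns (zone:interface[:address])."""
    refs = []
    for cols in parse_columns(rules_text, 3):
        for col in cols[1:3]:
            parts = col.split(":")
            if len(parts) >= 2 and parts[1] != "-" and not IPV4_RE.match(parts[1]):
                refs.append(parts[1])
    return refs


def unknown_interfaces(rules_text, interfaces_text, hosts_text="", bridging=False):
    """Sorted names the rules use but the configuration never defines."""
    valid = known_interfaces(interfaces_text, hosts_text, bridging)
    return sorted({name for name in referenced_interfaces(rules_text) if name not in valid})


# Constructed sample configuration (not taken from any real system)
INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918
loc     eth1        detect
-       br0         detect
"""
HOSTS = """\
#ZONE   HOST(S)                 OPTIONS
loc     br0:eth2
dmz     br0:eth3:10.0.0.0/24
"""
RULES = """\
#ACTION SOURCE              DEST                    PROTO   DEST PORT(S)
ACCEPT  net:eth0            fw                      tcp     22
DNAT    net                 loc:eth1:192.168.1.5    tcp     80
ACCEPT  loc:eth2            net                     tcp     443
ACCEPT  dmz:eth9            net                     tcp     25
ACCEPT  net:192.0.2.0/24    fw                      tcp     80
"""

if __name__ == "__main__":
    print("bridging off:", unknown_interfaces(RULES, INTERFACES, HOSTS, bridging=False))
    print("bridging on: ", unknown_interfaces(RULES, INTERFACES, HOSTS, bridging=True))
```

   With bridging off, eth2 is flagged along with the genuinely undefined
   eth9; turning bridging on accepts eth2 and eth3 because hosts lists them
   as ports of br0, so only eth9 remains.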

3) A new 'rejectNonSyn' built-in standard action has been added. This
   action responds to "New not SYN" packets with an RST.

   The 'dropNonSyn' action has been superseded by the new 'dropNotSyn'
   action. The old name will be accepted until the next major release
   of Shorewall but will generate a warning.

   Several new logging actions involving "New not SYN" packets have
   been added:

       logNewNotSyn  -- logs the packet with disposition = LOG
       dLogNewNotSyn -- logs the packet with disposition = DROP
       rLogNewNotSyn -- logs the packet with disposition = REJECT

   The packets are logged at the log level specified in the
   LOGNEWNOTSYN option in shorewall.conf. If that option is empty or
   not specified, then 'info' is assumed.

   Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):

   A: To simulate the behavior of NEWNOTSYN=No:

      a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
      b) Create /etc/shorewall/action.NoNewNotSyn containing:

             dLogNotSyn
             dropNotSyn

      c) Early in your rules file, place:

             NoNewNotSyn all all tcp

   B: Drop 'New not SYN' packets from the net only. Don't log them.

      a) Early in your rules file, place:

             dropNotSyn net all tcp
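   The "New not SYN" handling above, modelled as an added example so the
   two configurations can be run against sample packets. This is not
   Shorewall's own code. The model reads the notes as follows: a "New not
   SYN" packet is a TCP packet that conntrack classes as NEW but that does
   not carry the SYN flag; the builtins match nothing else; the log
   builtins record a line and fall through (Example A lists dLogNotSyn
   ahead of dropNotSyn, which only makes sense that way); dropNotSyn and
   rejectNonSyn terminate. Action names are spelled as the notes print
   them, the log-line layout is a constructed approximation, and the
   packets are invented:

```python
"""Expand a user action from /etc/shorewall/actions into the builtins in its
action.<name> file and evaluate sample packets under Examples A and B.
Added example, not Shorewall code; semantics are as read from the notes."""
from dataclasses import dataclass

LOGNEWNOTSYN = ""   # LOGNEWNOTSYN from shorewall.conf; empty means 'info'

# Builtins named in the notes: (label written into the log line, terminal disposition)
BUILTINS = {
    "dropNotSyn":    (None,     "DROP"),
    "rejectNonSyn":  (None,     "REJECT"),   # answers with an RST
    "logNewNotSyn":  ("LOG",    None),
    "dLogNewNotSyn": ("DROP",   None),
    "rLogNewNotSyn": ("REJECT", None),
    "dLogNotSyn":    ("DROP",   None),       # spelling used in Example A
}
DEPRECATED = {"dropNonSyn": "dropNotSyn"}   # old name still accepted, with a warning


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    flags: frozenset   # TCP flags that are set, e.g. frozenset({"ACK"})
    ct_state: str      # conntrack state: NEW, ESTABLISHED, ...


def is_new_not_syn(pkt):
    """TCP segment conntrack calls NEW but without SYN: a stray segment from a
    connection the firewall never saw, or a non-SYN probe."""
    return pkt.proto == "tcp" and pkt.ct_state == "NEW" and "SYN" not in pkt.flags


def parse_lines(text):
    return [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def load_actions(actions_text, action_files):
    """actions_text is the actions file; action_files maps each user action
    name to the contents of its /etc/shorewall/action.<name> file."""
    return {cols[0]: [row[0] for row in parse_lines(action_files[cols[0]])]
            for cols in parse_lines(actions_text)}


def evaluate(rules_text, actions, pkt, warnings):
    """Walk the rules in order. Returns (disposition, log lines); CONTINUE
    means no builtin terminated, so later rules and the policy would decide."""
    level = LOGNEWNOTSYN or "info"
    logs = []
    for action, src, dst, proto, *_ in parse_lines(rules_text):
        if not (src in ("all", pkt.src_zone) and dst in ("all", pkt.dst_zone)
                and proto in ("all", pkt.proto)):
            continue
        for name in actions.get(action, [action]):   # user action expands to its file
            if name in DEPRECATED:
                warnings.append(f"WARNING: {name} is deprecated, use {DEPRECATED[name]}")
                name = DEPRECATED[name]
            if name not in BUILTINS:
                raise ValueError(f"unknown action {name}")
            if not is_new_not_syn(pkt):
                continue      # these builtins match nothing else
            log_label, terminal = BUILTINS[name]
            if log_label:
                logs.append(f"[{level}] Shorewall:{action}:{log_label}: "
                            f"{pkt.src_zone}->{pkt.dst_zone} flags={sorted(pkt.flags)}")
            if terminal:
                return terminal, logs
    return "CONTINUE", logs


# Example A: simulate NEWNOTSYN=No (log, then drop, from every zone)
ACTIONS_A = "NoNewNotSyn\n"
ACTION_FILES_A = {"NoNewNotSyn": "dLogNotSyn\ndropNotSyn\n"}
RULES_A = "#ACTION      SOURCE  DEST  PROTO\nNoNewNotSyn  all     all   tcp\n"
# Example B: drop from the net only, without logging
RULES_B = "dropNotSyn   net     all   tcp\n"


def run_example_a(pkt, warnings=None):
    actions = load_actions(ACTIONS_A, ACTION_FILES_A)
    return evaluate(RULES_A, actions, pkt, [] if warnings is None else warnings)


def run_example_b(pkt, warnings=None):
    return evaluate(RULES_B, {}, pkt, [] if warnings is None else warnings)


# Constructed sample traffic
STRAY_ACK_FROM_NET = Packet("net", "fw", "tcp", frozenset({"ACK"}), "NEW")
STRAY_ACK_FROM_LOC = Packet("loc", "net", "tcp", frozenset({"ACK"}), "NEW")
NORMAL_SYN_FROM_NET = Packet("net", "fw", "tcp", frozenset({"SYN"}), "NEW")

if __name__ == "__main__":
    for pkt in (STRAY_ACK_FROM_NET, STRAY_ACK_FROM_LOC, NORMAL_SYN_FROM_NET):
        print(pkt.src_zone, run_example_a(pkt), run_example_b(pkt))
```

   Example A logs and drops the stray ACK whichever zone it comes from;
   Example B drops it silently from net and leaves the one from loc to the
   later rules and policy. An ordinary SYN is untouched by either, and a
   rule that still names dropNonSyn behaves as dropNotSyn but adds a
   warning.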