Shorewall 4.3.3

----------------------------------------------------------------------------
               R E L E A S E   4 . 3   H I G H L I G H T S
----------------------------------------------------------------------------

1) Support is included for IPv6.

   Minimum system requirements:

   - Kernel 2.6.23 or later with 2.6.25 or later strongly recommended.
   - iptables 1.4.0 or later with 1.4.1 strongly recommended.
   - Perl 5.10 if you wish to use DNS names in your IPv6 config files.
     In that case you will also have to install Perl Socket6 support.

Problems Corrected in 4.3.3

None.

Other changes in 4.3.3

1) Inasmuch as ip6tables doesn't support the ECN target, the 'ecn'
   file has been removed and its processing disabled.

2) The 'maclist' option is now supported in /etc/shorewall6/interfaces
   and in /etc/shorewall6/hosts.

   MAC verification is not performed on the following IPv6 traffic:

   a) Multicast.
   b) Source or destination is a link-level address (ff80::/10).

3) Traffic shaping is now enabled in Shorewall6. See below.

4) Shorewall6 and Shorewall6 Lite now check the kernel version during
   'start' processing. If the kernel version is less than 2.6.25, a
   fatal error is generated.

Migration Issues.

None.

New Features in Shorewall 4.3

1) Two new packages are included:

   a) Shorewall6 - analogous to Shorewall-common but handles IPv6
      rather than IPv4.

   b) Shorewall6-lite - analogous to Shorewall-lite but handles IPv6
      rather than IPv4.

   The packages store their configurations in /etc/shorewall6/ and
   /etc/shorewall6-lite/ respectively.

   The fact that the packages are separate from their IPv4 counterparts
   means that you control IPv4 and IPv6 traffic separately (the same
   way that Netfilter does). Starting/Stopping the firewall for one
   address family has no effect on the other address family.

   Other features of Shorewall6 are:

   a) There is no NAT of any kind (most people see this as a giant step
      forward). When an ISP assigns you a public IPv6 address, you are
      actually assigned an IPv6 'prefix' which is like an IPv4
      subnet. A 64-bit prefix allows 4 billion squared individual hosts
      (the size of the current IPv4 address space squared).

   b) The default zone type is ipv6.

   c) The currently-supported interface options in Shorewall6 are:

      blacklist
      bridge
      dhcp
      nosmurfs
      optional
      routeback
      sourceroute
      tcpflags
      mss
      forward (setting it to 0 makes the router behave like a host
               on that interface rather than like a router).

   d) The currently-supported host options in Shorewall6 are:

      blacklist
      routeback
      tcpflags

   e) Traffic Shaping is disabled by default. The tcdevices and
      tcclasses files are address-family independent, so to use the
      Shorewall builtin Traffic Shaper, TC_ENABLED=Internal should be
      specified in Shorewall or in Shorewall6 but not in both. In the
      configuration where the internal traffic shaper is not enabled,
      CLEAR_TC=No should be specified.

      tcfilters are not available in Shorewall6.

   f) When both an interface and an address or address list need to
      be specified in a rule, the address or list must be enclosed in
      square brackets. Example:

         #ACTION   SOURCE                                     DEST
         ACCEPT    net:eth0:[2001:19f0:feee::dead:beef:cafe]  dmz

      Note that this includes MAC addresses as well as IPv6 addresses.

      The HOSTS column in /etc/shorewall6/hosts also uses this
      convention:

         #ZONE     HOSTS                                      OPTIONS
         chat6     eth0:[2001:19f0:feee::dead:beef:cafe]

      Even when an interface is not specified, it is permitted to
      enclose addresses in [] to improve readability. Example:

         #ACTION   SOURCE              DEST
         ACCEPT    net:[2001:1::1]     $FW
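      As an added illustration (not part of these release notes or of the Shorewall code base), a small Python parser for the zone:interface:[addresses] form described in f). It shows why the brackets are required: an IPv6 address contains the same ':' that separates zone from interface, so an unbracketed address cannot be split unambiguously. The ~xx-xx-xx-xx-xx-xx MAC notation is assumed from Shorewall's documentation rather than taken from this page, and all addresses used are constructed samples.

```python
import ipaddress
import re

# zone[:interface][:[addr,addr,...]]: the bracketed form from the release notes.
# Without the [] an IPv6 address's own ':' would be read as more zone:iface separators.
_SPEC = re.compile(
    r'^(?P<zone>[^:\[\]]+)'          # zone name, e.g. net or $FW
    r'(?::(?P<iface>[^:\[\]]+))?'    # optional interface, e.g. eth0
    r'(?::\[(?P<addrs>[^\]]*)\])?$'  # optional bracketed address list
)
# Shorewall's MAC notation ~xx-xx-xx-xx-xx-xx (assumed from the Shorewall docs,
# not shown on this page).
_MAC = re.compile(r'^~(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$')


def parse_host_spec(spec):
    """Return (zone, interface_or_None, [(kind, value), ...]) for a SOURCE/DEST/HOSTS entry."""
    m = _SPEC.match(spec.strip())
    if not m:
        raise ValueError(
            f"cannot parse {spec!r}: an address following an interface must be "
            "enclosed in [] because IPv6 addresses contain ':'")
    addrs = []
    for item in filter(None, (m.group('addrs') or '').split(',')):
        item = item.strip()
        if _MAC.match(item):
            addrs.append(('mac', item))
            continue
        # ip_network accepts both a single host and a prefix; Shorewall6 is IPv6-only.
        net = ipaddress.ip_network(item, strict=False)
        if net.version != 6:
            raise ValueError(f"{item!r} is not an IPv6 address or prefix")
        addrs.append(('ip6', item))
    return m.group('zone'), m.group('iface'), addrs


def is_valid_spec(spec):
    """True if the entry follows the bracket convention and holds only IPv6/MAC entries."""
    try:
        parse_host_spec(spec)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    # Constructed samples in the forms shown in the release notes; the last one
    # omits the brackets and is therefore rejected.
    for s in ('net:eth0:[2001:19f0:feee::dead:beef:cafe]', 'net:[2001:1::1]',
              '$FW', 'net:eth0:2001:1::1'):
        print(s, '->', parse_host_spec(s) if is_valid_spec(s) else 'REJECTED')
```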
|
2008-12-11 20:24:34 +01:00
|
|
|
|
2008-12-11 00:24:55 +01:00
|
|
|
g) There are currently no Shorewall6 or Shorewall6-lite manpages.
|
2008-12-07 19:17:26 +01:00
|
|
|
|
2008-12-11 00:24:55 +01:00
|
|
|
h) The options available in shorewall6.conf are a subset of those
|
|
|
|
available in shorewall.conf.
|
2008-12-11 20:24:34 +01:00
|
|
|
|
|
|
|
i) The Socket6.pm Perl module is required if you include DNS names
|
|
|
|
in your Shorewall6 configuration. Note that it is loaded the
|
|
|
|
first time that a DNS name is encountered so if it is missing,
|
|
|
|
you get a message similar to this one:
|
|
|
|
|
|
|
|
...
|
|
|
|
Checking /etc/shorewall6/rules...
|
|
|
|
Can't locate Socket6.pm in @INC (@INC contains: /root ...
|
|
|
|
teastep@ursa:~/Configs/standalone6$
|