diff --git a/Shorewall-Website/News.htm b/Shorewall-Website/News.htm
index 2d5d59430..143f6ca4f 100644
--- a/Shorewall-Website/News.htm
+++ b/Shorewall-Website/News.htm
@@ -18,10 +18,319 @@ Texts. A copy of the license is included in the section entitled “GNU Free
Documentation License”.
-2004-05-13
+
2004-06-23
- 4/5/2004 - Shorewall 2.0.1
+
6/3/2004 - Shorewall 2.0.2f
+
+Fixes one problem:
+
+
+ - Versions 2.0.2d and 2.0.2e fail to load kernel modules unless
+MODULE_SUFFIX is set in shorewall.conf
+
+
+6/2/2004 - Shorewall 2.0.2e
+
+One problem corrected:
+
+
+ - LOG rules within an action generate two Netfilter logging rules.
+
+
+5/28/2004 - Shorewall 2.0.2d
+
+One problem corrected:
+
+
+ - Shorewall was checking capabilities before loading kernel
+modules. Consequently, if kernel module autoloading was disabled, the
+capabilities were mis-detected.
+
+
+5/21/2004 - Shorewall 2.0.2c
+One problem corrected:
+
+ - DNAT rules with a dynamic source zone don't work
+properly. When used, these rules cause the rule to be checked against
+ALL input, not just input from the designated zone.
+
+
+5/18/2004 - Shorewall 2.0.2b
+Corrects two problems:
+
+ - Specifying a null common action in /etc/shorewall/actions
+(e.g., :REJECT) results in a startup error.
+
+
+ - If /var/lib/shorewall does not exist, shorewall start fails.
+
+
+5/15/2004 - Shorewall 2.0.2a
+
+Corrects two problems:
+
+
+ - Temporary restore files were not being removed from
+/var/lib/shorewall. These files have names of the form
+'restore-nnnnn'.
+You can remove files that have accumulated with the command:
+
+ rm -f /var/lib/shorewall/restore-[0-9]*
+
+
+ - The restore script did not load kernel modules. The result
+was that after a cold load, applications like FTP and IRC DCC didn't
+work.
+
+To correct:
+
+ 1) Install 2.0.2a
+ 2) "shorewall restart"
+ 3) "shorewall save"
+
+5/13/2004 - Shorewall 2.0.2
+Problems Corrected since 2.0.1
+
+
+ - The /etc/init.d/shorewall script installed on Debian by
+install.sh failed silently due to a missing file
+(/usr/share/shorewall/wait4ifup). That file is not part of the normal
+Shorewall distribution and is provided by the Debian maintainer.
+ - A meaningless warning message out of the proxyarp file
+processing has been eliminated.
+ - The "shorewall delete" command now correctly removes all
+dynamic rules pertaining to the host(s) being deleted. Thanks to Stefan
+Engel for this correction.
+
+Issues when migrating from Shorewall 2.0.1 to Shorewall 2.0.2:
+
+ - Extension Scripts -- In order for extension scripts to work
+properly with the new iptables-save/restore integration (see New
+Feature 1 below), some change may be required to your extension
+scripts. If your extension scripts are executing commands other than
+iptables then those commands must also be written to the restore file
+(a temporary file in /var/lib/shorewall that is renamed
+/var/lib/shorewall/restore-base at the end of the operation).
+
+The following functions should be of help:
+
+A. save_command() -- saves the passed command to the restore file.
+
+ Example:
+
+ save_command echo Operation
+Complete
+
+ That command would simply write "echo Operation Complete"
+to the restore file.
+
+B. run_and_save_command() -- saves the passed command to the restore
+file then executes it. The return value is the exit status of the
+command.
+
+ Example:
+
+ run_and_save_command "echo 1 >
+/proc/sys/net/ipv4/icmp_echo_ignore_all"
+
+ Note that as in this example, when the command
+involves file redirection then the entire command must be enclosed in
+quotes. This applies to all of the functions described here.
+
+C. ensure_and_save_command() -- runs the passed command. If the command
+fails, the firewall is restored to it's prior saved state and the
+operation is terminated. If the command succeeds, the command is
+written to the restore file.
+
+
+ - Dynamic Zone support -- If you don't need to use the
+"shorewall add" and "shorewall delete commands, you should set
+DYNAMIC_ZONES=No in /etc/shorewall/shorewall.conf.
+
+New Features:
+
+ - Shorewall has now been integrated with
+iptables-save/iptables-restore to provide very fast start and restart.
+The elements of this integration are as follows:
+
+a) The 'shorewall save' command now saves the current configuration in
+addition to the current dynamic blacklist. If you have dynamic zones,
+you will want to issue 'shorewall save' when the zones are empty or the
+current contents of the zones will be restored by the 'shorewall
+restore' and 'shorewall -f start' commands.
+
+b) The 'shorewall restore' command has been added. This command
+restores the configuration at the time of the last 'save'.
+
+c) The -f (fast) option has been added to 'shorewall start'. When
+specified (e.g. 'shorewall -f start'), shorewall will perform a
+'shorewall restore' if there is a saved configuration. If there is no
+saved configuration, a normal 'shorewall start' is performed.
+
+d) The /etc/init.d/shorewall script now translates the 'start' command
+into 'shorewall -f start' so that fast restart is possible.
+
+e) When a state-changing command encounters an error and there is
+current saved configuration, that configuration will be restored
+(currently, the firewall is placed in the 'stopped' state).
+
+f) If you have previously saved the running configuration and want
+Shorewall to discard it, use the 'shorewall forget' command. WARNING:
+iptables 1.2.9 is broken with respect to iptables-save; if your kernel
+has connection tracking match support, you must patch iptables 1.2.9
+with the iptables patch availale from the Shorewall errata page.
+
+
+ - The previous implementation of dynamic zones was difficult
+to maintain. I have changed the code to make dynamic zones optional
+under the control of the DYNAMIC_ZONES option in
+/etc/shorewall/shorewall.conf.
+
+
+ - In earlier Shorewall 2.0 releases, Shorewall searches in
+order the following directories for configuration files.
+
+a) The directory specified in a 'try' command or specified using the -c
+option.
+b) /etc/shorewall
+c) /usr/share/shorewall
+
+In this release, the CONFIG_PATH option is added to shorewall.conf.
+CONFIG_PATH contains a list of directory names separated by colons
+(":"). If not set or set to a null value (e.g., CONFIG_PATH="") then
+"CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed. Now
+Shorewall searches for shorewall.conf according to the old rules and
+for other configuration files as follows:
+
+a) The directory specified in a 'try' command or specified using the -c
+option.
+b) Each directory in $CONFIG_PATH is searched in sequence.
+
+In case it is not obvious, your CONFIG_PATH should include
+/usr/share/shorewall and your shorewall.conf file must be in the
+directory specified via -c or in a try command, in /etc/shorewall or in
+/usr/share/shorewall.
+
+For distribution packagers, the default CONFIG_PATH is set in
+/usr/share/shorewall/configpath. You can customize this file to have a
+default that differs from mine.
+
+
+ - Previously, in /etc/shorewall/nat a Yes (or yes) in the
+LOCAL column would only take effect if the ALL INTERFACES column also
+contained Yes or yes. Now, the LOCAL columns contents are treated
+independently of the contents of the ALL INTERFACES column.
+
+
+ - The folks at Mandrake have created yet another kernel
+module naming convention (module names end in "ko.gz"). As a
+consequence, beginning with this release, if MODULE_SUFFIX isn't
+specified in shorewall.conf, then the default value is "o gz ko o.gz
+ko.gz".
+
+
+ - An updated bogons file is included in this release.
+
+
+ - In /etc/shorewall/rules and in action files generated from
+/usr/share/shorewall/action.template, rules that perform logging can
+specify an optional "log tag". A log tag is a string of alphanumeric
+characters and is specified by following the log level with ":" and the
+log tag.
+
+Example:
+
+ ACCEPT:info:ftp
+net dmz
+tcp 21
+
+The log tag is appended to the log prefix generated by the LOGPREFIX
+variable in /etc/shorewall/conf. If "ACCEPT:info" generates the log
+prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will generate
+"Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank). The maximum
+length of a log prefix supported by iptables is 29 characters; if a
+larger prefix is generated, Shorewall will issue a warning message and
+will truncate the prefix to 29 characters.
+
+
+ - A new "-q" option has been added to /sbin/shorewall
+commands. It causes the start, restart, check and refresh commands to
+produce much less output so that warning messages are more visible
+(when testing this change, I discovered a bug where a bogus warning
+message was being generated).
+
+
+ - Shorewall now uses 'modprobe' to load kernel modules if
+that utility is available in the PATH; otherwise, 'insmod' is used.
+
+
+ - It is now possible to restrict entries in the
+/etc/shorewall/masq file to particular protocols and destination
+port(s). Two new columns (PROTO and PORT(S)) have been added to the
+file.
+
+Example:
+
+You want all outgoing SMTP traffic entering the firewall on eth1 to be
+sent from eth0 with source IP address 206.124.146.177. You want all
+other outgoing traffic from eth1 to be sent from eth0 with source IP
+address 206.124.146.176.
+
+ eth0
+eth1 206.124.146.177 tcp 25
+ eth0
+eth1 206.124.146.176
+
+THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
+
+Assuming that 10.0.0.0/8 is the only host/network connected to eth1,
+the progress message at "shorewall start" would be:
+
+ Masqueraded Networks and Hosts:
+ To 0.0.0.0/0 (tcp 25) from
+10.0.0.0/8 through eth0 using 206.124.146.177
+ To 0.0.0.0/0 (all) from 10.0.0.0/8
+through eth0 using 206.124.146.176
+
+
+ - Two new actions are available in the /etc/shorewall/rules
+file.
+
+ ACCEPT+ -- Behaves like ACCEPT
+with the exception that it exempts matching connections from subsequent
+DNAT[-] and REDIRECT[-] rules.
+ NONAT -- Exempts
+matching connections from subsequent DNAT[-] and REDIRECT[-] rules.
+
+
+ - A new extension script 'initdone' has been added. This
+script is invoked at the same point as the 'common' script was
+previously and is useful for users who mis-used that script under
+Shorewall 1.x (the script was intended for adding rules to the 'common'
+chain but many users treated it as a script for adding rules before
+Shorewall's).
+
+
+ - Installing/Upgrading Shorewall on Slackware has been
+improved. Slackware users must use the tarball and must modify settings
+in the install.sh script before running it as follows:
+
+ DEST="/etc/rc.d"
+ INIT="rc.firewall"
+
+Thanks to Alex Wilms for helping with this change.
+
+4/17/2004 - Presentation at
+LinuxFest NW
+
+Today I gave a presentation at LinuxFest NW in Bellingham. The
+presentation was entitled "Shorewall
+and the Enterprise" and described the history of Shorewall and gave
+an overview of its features.
+ 4/5/2004 - Shorewall 2.0.1
Problems Corrected since 2.0.0
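Review bot: the 2.0.2 entries archived here describe the temporary restore files Shorewall writes under /var/lib/shorewall ("a temporary file in /var/lib/shorewall that is renamed /var/lib/shorewall/restore-base", files named 'restore-nnnnn', and the cleanup 'rm -f /var/lib/shorewall/restore-[0-9]*'), yet the archive carries no pointer to the 2.0.3a entry on the index page that fixes a vulnerability in the way Shorewall handles temporary files and directories; add a one-line cross-reference to that entry or the Errata page at the top of the 2.0.2 block so a reader of the archive is pointed at the fixed releases (2.0.3a/1.4.10f and the 2.0.3b/1.4.10g follow-ups) rather than only at a manual cleanup command. The last-updated date becomes 2004-06-23 while the newest entry added is 6/3/2004 (2.0.2f), so the date does not match the content. Small fixes worth making while the text is moved: 'availale' should be 'available' in the iptables 1.2.9 warning; 'it's prior saved state' should be 'its'; the closing quote is missing in '"shorewall add" and "shorewall delete commands'; and 'the LOGPREFIX variable in /etc/shorewall/conf' should name /etc/shorewall/shorewall.conf, the file the rest of the entry refers to. The '4/5/2004 - Shorewall 2.0.1' line is removed and re-added with only a leading space changed, which is whitespace churn.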
diff --git a/Shorewall-Website/Shorewall_index_frame.htm b/Shorewall-Website/Shorewall_index_frame.htm
index 06e3e6b04..d6e56107e 100644
--- a/Shorewall-Website/Shorewall_index_frame.htm
+++ b/Shorewall-Website/Shorewall_index_frame.htm
@@ -6,50 +6,94 @@
Shorewall Index
-
+
+Home
+Download
+Installation
+
+Documentation
+FAQs
+(Wiki)
+Troubleshooting
+Support
+
+About the Author
+CVS
+Repository
+Donations
+Errata
+Features
+Mailing
+Lists
+Mirrors
+News Archive
+Quotes from Users
+Requirements
+Upgrade
+Issues
+Useful Links
+What it
+Cannot Do
+
-
-
-Copyright © 2001-2004 Thomas
-M. Eastep.
-
+Copyright ©
+2001-2004
+Thomas
+M. Eastep.
+
-
-
+
+
+
+
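Review bot: the four blank lines added at the end of the hunk and the blank line added after 'Shorewall Index' are whitespace-only changes and can be dropped so the diff is limited to the navigation rewrite. The rebuilt menu splits several link labels across lines ('FAQs' / '(Wiki)', 'CVS' / 'Repository', 'Mailing' / 'Lists', 'Upgrade' / 'Issues', 'What it' / 'Cannot Do'), and the copyright notice is now broken into 'Copyright ©', '2001-2004', 'Thomas', 'M. Eastep.'; keep each label and the copyright notice on one line so text search and assistive readers see a single phrase. Link targets are not visible in this rendering, so whether 'Errata' resolves to the page carrying the 2.0.3a security fix cannot be checked from the hunk.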
diff --git a/Shorewall-Website/download.htm b/Shorewall-Website/download.htm
index bd6b83dec..a1ee33e7d 100644
--- a/Shorewall-Website/download.htm
+++ b/Shorewall-Website/download.htm
@@ -22,7 +22,7 @@ Texts. A copy of the license is included in the section entitled “GNU Free
Documentation License”.
-2004-05-18
+
2004-06-15
I strongly urge you to read and print a copy of the
Once you've printed the appropriate QuickStart Guide, download
one of the modules:
- - If you run a RedHat, SuSE, Mandrake, Linux
+
- If you run a RedHat, Fedora, SuSE, Mandrake,
+Linux
PPC, Trustix or
TurboLinux distribution with a 2.4 kernel, you can
use the RPM version (note: the RPM should also work with other
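Review bot: the bullet still says the RPM is for distributions 'with a 2.4 kernel', while the News page in this same change adds 'ko' and 'ko.gz' (2.6-style module names) to the default MODULE_SUFFIX for Mandrake; if the RPM is expected to run on 2.6 kernels, the '2.4 kernel' qualifier should be updated or dropped in the same edit that adds Fedora to the list. The page date moves to 2004-06-15, but the only substantive edit is adding 'Fedora', and the index page in this commit announces 2.0.3 through 2.0.3c dated 6/23 to 7/02, so if the download page is also meant to reflect those releases the date will be stale on arrival. Also, 'Linux' and 'PPC' now sit on separate lines, splitting the distribution name 'Linux PPC'.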
diff --git a/Shorewall-Website/index.htm b/Shorewall-Website/index.htm
index c22c9f151..6bb1b0895 100644
--- a/Shorewall-Website/index.htm
+++ b/Shorewall-Website/index.htm
@@ -10,7 +10,7 @@ charset=UTF-8">
border="1"framespacing="0">
-
”.
Table of Contents
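Review bot: the removed line is empty and the retained '”.' fragment is truncated in this rendering, so the intent of the change cannot be confirmed from the hunk; the adjacent context line 'border="1"framespacing="0">' is missing the space between the two attributes and is worth fixing while this header is being touched.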
@@ -51,17 +51,13 @@ Shorewall
two-interface setup?
License
-News
-
News
-6/3/2004 - Shorewall 2.0.2f
-
-Fixes one problem:
-
+7/02/2004 -
+Shorewall 2.0.3c
+
+Problems Corrected:
+
- - Versions 2.0.2d and 2.0.2e fail to load kernel modules unless
-MODULE_SUFFIX is set in shorewall.conf
+ - Error messages regarding $RESTOREBASE occur during shorewall stop
+ - If CLEAR_TC=Yes in shorewall.conf, shorewall stop fails without removing the
+lock file.
+
+
+6/30/2004
+-
+Shorewall 2.0.3b and Shorewall 1.4.10g
+
+Problems Corrected:
+
+ - The security vulnerability fix released in Shorewall 2.0.3a
+failed under Slackware 9.1.
+ - The security vulnerability fix released in Shorewall 2.0.3a
+failed if mktemp was not installed.
-6/2/2004 - Shorewall 2.0.2e
-
-One problem corrected:
-
+6/28/2004 -
+Shorewall 2.0.3a and Shorewall 1.4.10f
+
+Problems Corrected:
- - LOG rules within an action generate two Netfilter logging rules.
+ - Javier Fernández-Sanguino Peña has discovered an exploitable
+vulnerability in the way that Shorewall handles temporary files and
+directories. The vulnerability can allow a non-root user to cause
+arbitrary files on the system to be overwritten. LEAF Bering and Bering
+uClibc users are generally not at risk due to the fact that LEAF boxes
+do not typically allow logins by non-root users.
+ - (2.0.3a only) A non-empty DEST entry in /etc/shorewall/tcrules
+will generate an error and Shorewall fails to start.
-6/1/2004 - shorewall.net Downtime
-
-The
-following systems will be down on Saturday 5 June for server rebuild.
-
-
- - shorewall.net
- - lists.shorewall.net
- - www1.shorewall.net
- - ftp1.shorewall.net
- - cvs.shorewall.net
- - rsync.shorewall.net
-
-This will affect:
-
- - Shorewall site and list archives search
- - Mailing Lists
- - Mailing List Archives
- - CVS
- - Primary shorewall.net DNS
-
-I plan to start the rebuild on Saturday morning PDT (-0700) and hope to
-be finished by Saturday evening.
-
-5/28/2004 - Shorewall 2.0.2d
-
-One problem corrected:
-
+Note:: Slackware users may need the
+'functions' file from CVS (STABLE/ project for 1.4.10f and STABLE2/
+project for 2.0.3a) to prevent startup errors with these versions
+installed. These updatged files are also available from the Errata (
2.0, 1.4).
+
+
+6/23/2004 -
+Shorewall 2.0.3
+
+Problems Corrected:
- - Shorewall was checking capabilities before loading kernel
-modules. Consequently, if kernel module autoloading was disabled, the
-capabilities were mis-detected.
-
+ - The 'firewall' script is not purging temporary restore files in
+/var/lib/shorewall. These files have names of the form "restore-nnnnn".
+ - The /var/lib/shorewall/restore script did not load the kernel
+modules specified in /etc/shorewall/modules.
+ - Specifying a null common action in /etc/shorewall/actions (e.g.,
+:REJECT) results in a startup error.
+ - If /var/lib/shorewall does not exist, shorewall start fails.
+ - DNAT rules with a dynamic source zone don't work properly. When
+used, these rules cause the rule to be checked against ALL input, not
+just input from the designated zone.
+ - The install.sh script reported installing some files in
+/etc/shorewall when the files were actually installed in
+/usr/share/shorewall.
+ - Shorewall checks netfilter capabilities before loading kernel
+modules. Hence if kernel module autoloading isn't enabled, the
+capabilities will be misdetected.
+ - The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
+ - The file /etc/init.d/shorewall now gets proper ownership when the
+RPM is built by a non-root user.
+ - Rules that specify bridge ports in both the SOURCE and DEST
+columns no longer cause "shorewall start" to fail.
+ - Comments in the rules file have been added to advise users that
+"all" in the SOURCE or DEST column does not affect intra-zone traffic.
+ - With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are
+now passed through the blacklisting chains. Without this change, it is
+not possible to blacklist hosts that are mounting certain types of
+ICMP-based DOS attacks.
-5/21/2004 - Shorewall 2.0.2c
-One problem corrected:
+Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
- - DNAT rules with a dynamic source zone don't work
-properly. When used, these rules cause the rule to be checked against
-ALL input, not just input from the designated zone.
-
-
-5/18/2004 - Shorewall 2.0.2b
-Corrects two problems:
-
- - Specifying a null common action in /etc/shorewall/actions
-(e.g., :REJECT) results in a startup error.
-
-
- - If /var/lib/shorewall does not exist, shorewall start fails.
-
-
-5/15/2004 - Shorewall 2.0.2a
-
-Corrects two problems:
-
-
- - Temporary restore files were not being removed from
-/var/lib/shorewall. These files have names of the form
-'restore-nnnnn'.
-You can remove files that have accumulated with the command:
-
- rm -f /var/lib/shorewall/restore-[0-9]*
-
-
- - The restore script did not load kernel modules. The result
-was that after a cold load, applications like FTP and IRC DCC didn't
-work.
-
-To correct:
-
- 1) Install 2.0.2a
- 2) "shorewall restart"
- 3) "shorewall save"
-
-5/13/2004 - Shorewall 2.0.2
-Problems Corrected since 2.0.1
-
-
- - The /etc/init.d/shorewall script installed on Debian by
-install.sh failed silently due to a missing file
-(/usr/share/shorewall/wait4ifup). That file is not part of the normal
-Shorewall distribution and is provided by the Debian maintainer.
- - A meaningless warning message out of the proxyarp file
-processing has been eliminated.
- - The "shorewall delete" command now correctly removes all
-dynamic rules pertaining to the host(s) being deleted. Thanks to Stefan
-Engel for this correction.
-
-Issues when migrating from Shorewall 2.0.1 to Shorewall 2.0.2:
-
- - Extension Scripts -- In order for extension scripts to work
-properly with the new iptables-save/restore integration (see New
-Feature 1 below), some change may be required to your extension
-scripts. If your extension scripts are executing commands other than
-iptables then those commands must also be written to the restore file
-(a temporary file in /var/lib/shorewall that is renamed
-/var/lib/shorewall/restore-base at the end of the operation).
-
-The following functions should be of help:
-
-A. save_command() -- saves the passed command to the restore file.
-
- Example:
-
- save_command echo Operation
-Complete
-
- That command would simply write "echo Operation Complete"
-to the restore file.
-
-B. run_and_save_command() -- saves the passed command to the restore
-file then executes it. The return value is the exit status of the
-command.
-
- Example:
-
- run_and_save_command "echo 1 >
-/proc/sys/net/ipv4/icmp_echo_ignore_all"
-
- Note that as in this example, when the command
-involves file redirection then the entire command must be enclosed in
-quotes. This applies to all of the functions described here.
-
-C. ensure_and_save_command() -- runs the passed command. If the command
-fails, the firewall is restored to it's prior saved state and the
-operation is terminated. If the command succeeds, the command is
-written to the restore file.
-
-
- - Dynamic Zone support -- If you don't need to use the
-"shorewall add" and "shorewall delete commands, you should set
-DYNAMIC_ZONES=No in /etc/shorewall/shorewall.conf.
+ - The 'dropNonSyn' standard builtin action has been replaced with
+the 'dropNotSyn' standard builtin action. The old name can still be
+used but will generate a warning.
New Features:
- - Shorewall has now been integrated with
-iptables-save/iptables-restore to provide very fast start and restart.
-The elements of this integration are as follows:
+ - Shorewall now supports multiple saved configurations.
+
+ - The default saved configuration (restore script) in
+/var/lib/shorewall is now specified using the RESTOREFILE option in
+shorewall.conf. If this variable isn't set then to maintain backward
+compatibility, 'restore' is assumed.
+
+The value of RESTOREFILE must be a simple file name; no slashes ("/")
+may be included.
+
+ - The "save" command has been extended to be able to specify the
+name of a saved configuration.
+
+ shorewall
+save [ <file name> ]
+
+The current state is saved to /var/lib/shorewall/<file name>. If
+no <file name> is given, the configuration is saved to the file
+determined by the RESTOREFILE setting.
+ - The "restore" command has been extended to be able to specify
+the name of a saved configuration:
+
+ shorewall
+restore [ <file name> ]
+
+The firewall state is restored from /var/lib/shorewall/<file
+name>. If no <file name> is given, the firewall state is
+restored from the file determined by the RESTOREFILE setting.
+ - The "forget" command has changed. Previously, the command
+unconditionally removed the /var/lib/shorewall/save file which records
+the current dynamic blacklist. The "forget" command now leaves that
+file alone.
+
+Also, the "forget" command has been extended to be able to specify the
+name of a saved configuration:
+
+
+shorewall forget [ <file name> ]
+
+The file /var/lib/shorewall/<file name> is removed. If no
+<file name> is given, the file determined by the RESTOREFILE
+setting is removed.
+ - The "shorewall -f start" command restores the state from the
+file determined by the RESTOREFILE setting.
+
+ - "!" is now allowed in accounting rules.
+ - Interface names appearing within the configuration are now
+verified. Interface names must match the name of an entry in
+/etc/shorewall/interfaces (or if bridging is enabled, they must match
+the name of an entry in /etc/shorewall/interfaces or the name of a
+bridge port appearing in /etc/shorewall/hosts).
+ - A new 'rejNotSyn' built-in standard action has been added. This
+action responds to "New not SYN" packets with an RST.
-a) The 'shorewall save' command now saves the current configuration in
-addition to the current dynamic blacklist. If you have dynamic zones,
-you will want to issue 'shorewall save' when the zones are empty or the
-current contents of the zones will be restored by the 'shorewall
-restore' and 'shorewall -f start' commands.
+The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
+action. The old name will be accepted until the next major release of
+Shorewall but will generate a warning.
-b) The 'shorewall restore' command has been added. This command
-restores the configuration at the time of the last 'save'.
+Several new logging actions involving "New not SYN" packets have been
+added:
-c) The -f (fast) option has been added to 'shorewall start'. When
-specified (e.g. 'shorewall -f start'), shorewall will perform a
-'shorewall restore' if there is a saved configuration. If there is no
-saved configuration, a normal 'shorewall start' is performed.
+ logNewNotSyn -- logs
+the packet with disposition = LOG
+ dLogNewNotSyn -- logs the
+packet with disposition = DROP
+ rLogNewNotSyn -- logs the
+packet with disposition = REJECT
-d) The /etc/init.d/shorewall script now translates the 'start' command
-into 'shorewall -f start' so that fast restart is possible.
+The packets are logged at the log level specified in the LOGNEWNOTSYN
+option in shorewall.conf. If than option is empty or not specified,
+then 'info' is assumed.
-e) When a state-changing command encounters an error and there is
-current saved configuration, that configuration will be restored
-(currently, the firewall is placed in the 'stopped' state).
+Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):
+
+ - To simulate the behavior of NEWNOTSYN=No:
+
+ - Add 'NoNewNotSyn' to /etc/shorewall/actions.
+ - Create /etc/shorewall/action.NoNewNotSyn containing:
+
+
+dLogNotSyn
+
+dropNotSyn
+
+
+ - Early in your rules file, place:
+
+
+NoNewNotSyn all all tcp
+
+
+
+
+ - Drop 'New not SYN' packets from the net only. Don't log them:
+
+ - Early in your rules file, place:
+
+
+dropNotSyn
+net all tcp
+
+
+
+
+ - Slackware users no longer have to modify the install.sh script
+before installation. Tuomo Soini has provided a change that allows the
+INIT and FIREWALL variables to be specified outside the script as in:
-f) If you have previously saved the running configuration and want
-Shorewall to discard it, use the 'shorewall forget' command. WARNING:
-iptables 1.2.9 is broken with respect to iptables-save; if your kernel
-has connection tracking match support, you must patch iptables 1.2.9
-with the iptables patch availale from the Shorewall errata page.
-
-
- - The previous implementation of dynamic zones was difficult
-to maintain. I have changed the code to make dynamic zones optional
-under the control of the DYNAMIC_ZONES option in
-/etc/shorewall/shorewall.conf.
-
-
- - In earlier Shorewall 2.0 releases, Shorewall searches in
-order the following directories for configuration files.
-
-a) The directory specified in a 'try' command or specified using the -c
-option.
-b) /etc/shorewall
-c) /usr/share/shorewall
-
-In this release, the CONFIG_PATH option is added to shorewall.conf.
-CONFIG_PATH contains a list of directory names separated by colons
-(":"). If not set or set to a null value (e.g., CONFIG_PATH="") then
-"CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed. Now
-Shorewall searches for shorewall.conf according to the old rules and
-for other configuration files as follows:
-
-a) The directory specified in a 'try' command or specified using the -c
-option.
-b) Each directory in $CONFIG_PATH is searched in sequence.
-
-In case it is not obvious, your CONFIG_PATH should include
-/usr/share/shorewall and your shorewall.conf file must be in the
-directory specified via -c or in a try command, in /etc/shorewall or in
-/usr/share/shorewall.
-
-For distribution packagers, the default CONFIG_PATH is set in
-/usr/share/shorewall/configpath. You can customize this file to have a
-default that differs from mine.
-
-
- - Previously, in /etc/shorewall/nat a Yes (or yes) in the
-LOCAL column would only take effect if the ALL INTERFACES column also
-contained Yes or yes. Now, the LOCAL columns contents are treated
-independently of the contents of the ALL INTERFACES column.
-
-
- - The folks at Mandrake have created yet another kernel
-module naming convention (module names end in "ko.gz"). As a
-consequence, beginning with this release, if MODULE_SUFFIX isn't
-specified in shorewall.conf, then the default value is "o gz ko o.gz
-ko.gz".
-
-
- - An updated bogons file is included in this release.
-
-
- - In /etc/shorewall/rules and in action files generated from
-/usr/share/shorewall/action.template, rules that perform logging can
-specify an optional "log tag". A log tag is a string of alphanumeric
-characters and is specified by following the log level with ":" and the
-log tag.
-
-Example:
-
- ACCEPT:info:ftp
-net dmz
-tcp 21
-
-The log tag is appended to the log prefix generated by the LOGPREFIX
-variable in /etc/shorewall/conf. If "ACCEPT:info" generates the log
-prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will generate
-"Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank). The maximum
-length of a log prefix supported by iptables is 29 characters; if a
-larger prefix is generated, Shorewall will issue a warning message and
-will truncate the prefix to 29 characters.
-
-
- - A new "-q" option has been added to /sbin/shorewall
-commands. It causes the start, restart, check and refresh commands to
-produce much less output so that warning messages are more visible
-(when testing this change, I discovered a bug where a bogus warning
-message was being generated).
-
-
- - Shorewall now uses 'modprobe' to load kernel modules if
-that utility is available in the PATH; otherwise, 'insmod' is used.
-
-
- - It is now possible to restrict entries in the
-/etc/shorewall/masq file to particular protocols and destination
-port(s). Two new columns (PROTO and PORT(S)) have been added to the
-file.
-
-Example:
-
-You want all outgoing SMTP traffic entering the firewall on eth1 to be
-sent from eth0 with source IP address 206.124.146.177. You want all
-other outgoing traffic from eth1 to be sent from eth0 with source IP
-address 206.124.146.176.
-
- eth0
-eth1 206.124.146.177 tcp 25
- eth0
-eth1 206.124.146.176
-
-THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
-
-Assuming that 10.0.0.0/8 is the only host/network connected to eth1,
-the progress message at "shorewall start" would be:
-
- Masqueraded Networks and Hosts:
- To 0.0.0.0/0 (tcp 25) from
-10.0.0.0/8 through eth0 using 206.124.146.177
- To 0.0.0.0/0 (all) from 10.0.0.0/8
-through eth0 using 206.124.146.176
-
-
- - Two new actions are available in the /etc/shorewall/rules
-file.
-
- ACCEPT+ -- Behaves like ACCEPT
-with the exception that it exempts matching connections from subsequent
-DNAT[-] and REDIRECT[-] rules.
- NONAT -- Exempts
-matching connections from subsequent DNAT[-] and REDIRECT[-] rules.
-
-
- - A new extension script 'initdone' has been added. This
-script is invoked at the same point as the 'common' script was
-previously and is useful for users who mis-used that script under
-Shorewall 1.x (the script was intended for adding rules to the 'common'
-chain but many users treated it as a script for adding rules before
-Shorewall's).
-
-
- - Installing/Upgrading Shorewall on Slackware has been
-improved. Slackware users must use the tarball and must modify settings
-in the install.sh script before running it as follows:
-
- DEST="/etc/rc.d"
- INIT="rc.firewall"
-
-Thanks to Alex Wilms for helping with this change.
+ DEST=/etc/rc.d INIT=rc.firewall
+./install.sh
-4/17/2004 - Presentation at
-LinuxFest NW
-
-Today I gave a presentation at LinuxFest NW in Bellingham. The
-presentation was entitled "Shorewall
-and the Enterprise" and described the history of Shorewall and gave
-an overview of its features.
-
More News
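Review bot: in the NEWNOTSYN 'Examples', the action file /etc/shorewall/action.NoNewNotSyn is shown containing 'dLogNotSyn', but the logging actions introduced just above are logNewNotSyn, dLogNewNotSyn and rLogNewNotSyn; either the example should read 'dLogNewNotSyn' or the list is missing an action, and as written a user copying the example would reference an action the text never defines. In the 2.0.3a entry, the vulnerability that 'can allow a non-root user to cause arbitrary files on the system to be overwritten' is announced with no affected-version range and no link to the advisory or the Errata entry, and the 2.0.3b entry says the fix 'failed if mktemp was not installed' without saying whether the replacement still creates temporary files safely on systems without mktemp; both points should be stated so an administrator can tell whether 2.0.3b/1.4.10g is sufficient on such systems. The dropNonSyn to dropNotSyn rename appears twice with different wording, once under 'Issues when migrating' ('will generate a warning') and once under the rejNotSyn feature ('will be accepted until the next major release of Shorewall but will generate a warning'); keep one statement. Typos to fix: 'Note::', 'updatged', 'superceded' (superseded), 'If than option' (that option).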
diff --git a/Shorewall-Website/useful_links.html b/Shorewall-Website/useful_links.html
index 116386279..39254a9b0 100755
--- a/Shorewall-Website/useful_links.html
+++ b/Shorewall-Website/useful_links.html
@@ -10,7 +10,7 @@
-
Useful Links
+
Useful Links
-
Copyright © 2003 Thomas M. Eastep
+
Copyright © 2003-2004 Thomas M. Eastep
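Review bot: apart from extending the copyright to '2003-2004', this hunk only adds and removes blank lines around the retained 'Useful Links' title and heading; the whitespace churn can be dropped so the diff shows the one substantive change.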
@@ -33,10 +33,9 @@ Documentation License”.
-