diff --git a/STABLE/changelog.txt b/STABLE/changelog.txt
index ad9088bef..29425d6ba 100644
--- a/STABLE/changelog.txt
+++ b/STABLE/changelog.txt
@@ -9,3 +9,5 @@ Changes since 1.4.2
4. Return more appropriate ICMP responses if the systems supports them.
+5. Silently drop UDP 135 in common.def.
+
diff --git a/STABLE/common.def b/STABLE/common.def
index ef0b4a554..5e1ce0657 100644
--- a/STABLE/common.def
+++ b/STABLE/common.def
@@ -16,6 +16,7 @@ run_iptables -A common -p icmp -j icmpdef
############################################################################
# NETBIOS chatter
#
+run_iptables -A common -p udp --dport 135 -j reject
run_iptables -A common -p udp --dport 137:139 -j reject
run_iptables -A common -p udp --dport 445 -j reject
run_iptables -A common -p tcp --dport 139 -j reject
diff --git a/STABLE/documentation/NAT.htm b/STABLE/documentation/NAT.htm
index b45526c6e..eb4530c3a 100644
--- a/STABLE/documentation/NAT.htm
+++ b/STABLE/documentation/NAT.htm
@@ -1,114 +1,117 @@
-
+
Shorewall NAT
-
+
-
+
-
-
+
+
-
-
- |
+ |
+
+
Static NAT
- |
-
-
-
+
+
+
+
-
- IMPORTANT: If all you want to do is forward
- ports to servers behind your firewall, you do NOT want to use static
-NAT. Port forwarding can be accomplished with simple entries in the
- rules file.
-
- Static NAT is a way to make systems behind a firewall and configured
-with private IP addresses (those reserved for private use in RFC1918)
-appear to have public IP addresses. Before you try to use this technique,
+
+
IMPORTANT: If all you want to do is forward
+ ports to servers behind your firewall, you do NOT want to use static
+NAT. Port forwarding can be accomplished with simple entries in the
+ rules file.
+
+ Static NAT is a way to make systems behind a firewall and configured
+with private IP addresses (those reserved for private use in RFC1918)
+appear to have public IP addresses. Before you try to use this technique,
I strongly recommend that you read the Shorewall Setup Guide.
-
+
The following figure represents a static NAT environment.
-
+
-
-
+
+
-
- Static NAT can be used to make the systems with the
- 10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If
-we assume that the interface to the upper subnet is eth0, then the following
- /etc/shorewall/NAT file would make the lower left-hand system appear
-to have IP address 130.252.100.18 and the right-hand one to have IP address
- 130.252.100.19.
-
+
+ Static NAT can be used to make the systems with the 10.1.1.*
+addresses appear to be on the upper (130.252.100.*) subnet. If we assume
+that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT
+file would make the lower left-hand system appear to have IP address
+130.252.100.18 and the right-hand one to have IP address 130.252.100.19.
+
-
-
- | EXTERNAL |
- INTERFACE |
- INTERNAL |
- ALL INTERFACES |
- LOCAL |
-
+
- | 130.252.100.18 |
- eth0 |
- 10.1.1.2 |
- yes |
- yes |
-
-
- | 130.252.100.19 |
- eth0 |
- 10.1.1.3 |
- yes |
- yes |
-
-
-
+ EXTERNAL |
+ INTERFACE |
+ INTERNAL |
+ ALL INTERFACES |
+ LOCAL |
+
+
+ | 130.252.100.18 |
+ eth0 |
+ 10.1.1.2 |
+ yes |
+ yes |
+
+
+ | 130.252.100.19 |
+ eth0 |
+ 10.1.1.3 |
+ yes |
+ yes |
+
+
+
-
- Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
- example) is (are) not included in any specification in /etc/shorewall/masq
+
+
Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
+ example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.
-
- Note 1: The "ALL INTERFACES" column
-is used to specify whether access to the external IP from all firewall
- interfaces should undergo NAT (Yes or yes) or if only access from the
- interface in the INTERFACE column should undergo NAT. If you leave this
- column empty, "Yes" is assumed. The ALL INTERFACES column was added
-in version 1.1.6.
-
- Note 2: Shorewall will automatically add the external address to the
+
+
Note 1: The "ALL INTERFACES" column is used
+to specify whether access to the external IP from all firewall interfaces
+should undergo NAT (Yes or yes) or if only access from the interface in
+the INTERFACE column should undergo NAT. If you leave this column empty,
+"Yes" is assumed. The ALL INTERFACES column was added in version 1.1.6.
+
+ Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify ADD_IP_ALIASES="no" (or "No") in
-/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if
-you set it to "Yes" or "yes" then you must NOT configure your own alias(es).
-
- Note 3: The contents of the "LOCAL" column
-determine whether packets originating on the firewall itself and destined
-for the EXTERNAL address are redirected to the internal ADDRESS. If this
-column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also contains
-"Yes" or "yes") then such packets are redirected; otherwise, such packets
+ href="Documentation.htm#Aliases">ADD_IP_ALIASES="no" (or "No") in
+/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if
+you set it to "Yes" or "yes" then you must NOT configure your own alias(es).
+ RESTRICTION: Shorewall can only add external addresses to an interface
+that is configured with a single subnetwork -- if your external interface
+has addresses in more than one subnetwork, Shorewall can only add addresses
+to the first one.
+
+ Note 3: The contents of the "LOCAL" column
+determine whether packets originating on the firewall itself and destined
+for the EXTERNAL address are redirected to the internal ADDRESS. If this
+column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also contains
+"Yes" or "yes") then such packets are redirected; otherwise, such packets
are not redirected. The LOCAL column was added in version 1.1.8.
-
-
+
+
-
-Last updated 1/11/2003 - Last updated 4/11/2003 - Tom Eastep
- Copyright © Copyright © 2001, 2002, 2003 Thomas M. Eastep.
+
diff --git a/STABLE/documentation/News.htm b/STABLE/documentation/News.htm
index ce8c60946..43bd19380 100644
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
@@ -4,7 +4,7 @@
-
+
Shorewall News
@@ -13,947 +13,943 @@
-
+
-
+
-
+
-
-
- |
+ |
+
+
-
+
Shorewall News Archive
- |
-
+
+
-
-
+
+
-
-5/18/2003 - Shorewall 1.4.3
-
- Problems Corrected:
-
-
- - There were several cases where Shorewall would fail to remove a temporary
-directory from /tmp. These cases have been corrected.
- - The rules for allowing all traffic via the loopback interface have
-been moved to before the rule that drops status=INVALID packets. This insures
-that all loopback traffic is allowed even if Netfilter connection tracking
-is confused.
-
- New Features:
-
-
- - IPV6-IPV4 (6to4) tunnels are now supported in the /etc/shorewall/tunnels
-file.
- - Shorewall can now be easily integrated with fireparse (http://www.fireparse.com)
- by setting LOGMARKER="fp=" in /etc/shorewall/shorewall.conf. Note: You may
- not use ULOG with fireparse unless you modify fireparse.
-
-5/10/2003 - Shorewall Mirror in Asia
-
-
-Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
-
-
-5/8/2003 - Shorewall Mirror in Chile
- Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.
+
+5/20/2003 - Shorewall-1.4.3a
+
+This version primarily corrects the documentation included in the .tgz and
+in the .rpm. In addition:
-4/21/2003 - Samples updated for Shorewall version 1.4.2
-
-Thanks to Francesca Smith, the sample configurations are now upgraded to
-Shorewall version 1.4.2.
-
-4/9/2003 - Shorewall 1.4.2
-
-
- Problems Corrected:
-
-
-
- - TCP connection requests rejected out of the common chain
- are now properly rejected with TCP RST; previously, some of these requests
- were rejected with an ICMP port-unreachable response.
- - 'traceroute -I' from behind the firewall previously timed out
- on the first hop (e.g., to the firewall). This has been worked around.
-
-
-
-
- New Features:
-
- - Where an entry in the/etc/shorewall/hosts file specifies a particular
- host or network, Shorewall now creates an intermediate chain for handling
- input from the related zone. This can substantially reduce the number of
- rules traversed by connections requests from such zones.
-
-
- - Any file may include an INCLUDE directive. An INCLUDE directive
- consists of the word INCLUDE followed by a file name and causes the contents
- of the named file to be logically included into the file containing the
-INCLUDE. File names given in an INCLUDE directive are assumed to reside
-in /etc/shorewall or in an alternate configuration directory if one has
-been specified for the command.
-
- Examples:
- shorewall/params.mgmt:
- MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
- TIME_SERVERS=4.4.4.4
- BACKUP_SERVERS=5.5.5.5
- ----- end params.mgmt -----
-
-
- shorewall/params:
- # Shorewall 1.3 /etc/shorewall/params
- [..]
- #######################################
-
- INCLUDE params.mgmt
-
- # params unique to this host here
- #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
- ----- end params -----
-
-
- shorewall/rules.mgmt:
- ACCEPT net:$MGMT_SERVERS $FW tcp 22
- ACCEPT $FW net:$TIME_SERVERS udp 123
- ACCEPT $FW net:$BACKUP_SERVERS tcp 22
- ----- end rules.mgmt -----
-
- shorewall/rules:
- # Shorewall version 1.3 - Rules File
- [..]
- #######################################
-
- INCLUDE rules.mgmt
-
- # rules unique to this host here
- #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
- ----- end rules -----
-
- INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
-directives are ignored with a warning message.
-
-
- - Routing traffic from an interface back out that interface continues
- to be a problem. While I firmly believe that this should never happen,
-people continue to want to do it. To limit the damage that such nonsense
-produces, I have added a new 'routeback' option in /etc/shorewall/interfaces
-and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the 'ZONE'
- column may not contain '-'; in other words, 'routeback' can't be used as
- an option for a multi-zone interface. The 'routeback' option CAN be specified
- however on individual group entries in /etc/shorewall/hosts.
-
- The 'routeback' option is similar to the old 'multi' option with two
- exceptions:
-
- a) The option pertains to a particular zone,interface,address tuple.
-
- b) The option only created infrastructure to pass traffic from
-(zone,interface,address) tuples back to themselves (the 'multi' option
-affected all (zone,interface,address) tuples associated with the given
-'interface').
-
- See the 'Upgrade Issues' for information
- about how this new option may affect your configuration.
-
-
+ - (This change is in 1.4.3 but is not documented) If you are running iptables
+1.2.7a and kernel 2.4.20, then Shorewall will return reject replies as follows:
+ a) tcp - RST
+ b) udp - ICMP port unreachable
+ c) icmp - ICMP host unreachable
+ d) Otherwise - ICMP host prohibited
+ If you are running earlier software, Shorewall will follow it's traditional
+convention:
+ a) tcp - RST
+ b) Otherwise - ICMP port unreachable
+ - UDP port 135 is now silently dropped in the common.def chain. Remember
+that this chain is traversed just before a DROP or REJECT policy is enforced.
+
-
-3/24/2003 - Shorewall 1.4.1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-This release follows up on 1.4.0. It corrects a problem introduced in
-1.4.0 and removes additional warts.
-
- Problems Corrected:
+
5/18/2003 - Shorewall 1.4.3
-
+ Problems Corrected:
+
- - When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
- it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn
- file is empty. That problem has been corrected so that ECN disabling rules
- are only added if there are entries in /etc/shorewall/ecn.
+ - There were several cases where Shorewall would fail to remove a temporary
+directory from /tmp. These cases have been corrected.
+ - The rules for allowing all traffic via the loopback interface have
+been moved to before the rule that drops status=INVALID packets. This insures
+that all loopback traffic is allowed even if Netfilter connection tracking
+is confused.
+
+
+ New Features:
+
+
+ - IPV6-IPV4 (6to4) tunnels are now supported in the /etc/shorewall/tunnels
+ file.
+ - Shorewall can now be easily integrated with fireparse (http://www.fireparse.com)
+ by setting LOGMARKER="fp=" in /etc/shorewall/shorewall.conf. Note: You may
+ not use ULOG with fireparse unless you modify fireparse.
+
+
+
+5/10/2003 - Shorewall Mirror in Asia
+
+
+Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
+
+
+5/8/2003 - Shorewall Mirror in Chile
+ Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago
+Chile.
+4/21/2003 - Samples updated for Shorewall version 1.4.2
+
+Thanks to Francesca Smith, the sample configurations are now upgraded
+to Shorewall version 1.4.2.
+
+4/9/2003 - Shorewall 1.4.2
+
+
+ Problems Corrected:
+
+
+
+ - TCP connection requests rejected out of the common chain
+ are now properly rejected with TCP RST; previously, some of these requests
+ were rejected with an ICMP port-unreachable response.
+ - 'traceroute -I' from behind the firewall previously timed out
+ on the first hop (e.g., to the firewall). This has been worked around.
+
+
+
+
+ New Features:
+
+
+ - Where an entry in the/etc/shorewall/hosts file specifies a particular
+ host or network, Shorewall now creates an intermediate chain for handling
+ input from the related zone. This can substantially reduce the number
+of rules traversed by connections requests from such zones.
+
+
+ - Any file may include an INCLUDE directive. An INCLUDE directive
+ consists of the word INCLUDE followed by a file name and causes the contents
+ of the named file to be logically included into the file containing the
+INCLUDE. File names given in an INCLUDE directive are assumed to reside
+in /etc/shorewall or in an alternate configuration directory if one has
+been specified for the command.
+
+ Examples:
+ shorewall/params.mgmt:
+ MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
+ TIME_SERVERS=4.4.4.4
+ BACKUP_SERVERS=5.5.5.5
+ ----- end params.mgmt -----
+
+
+ shorewall/params:
+ # Shorewall 1.3 /etc/shorewall/params
+ [..]
+ #######################################
+
+ INCLUDE params.mgmt
+
+ # params unique to this host here
+ #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+ ----- end params -----
+
+
+ shorewall/rules.mgmt:
+ ACCEPT net:$MGMT_SERVERS $FW tcp 22
+ ACCEPT $FW net:$TIME_SERVERS udp 123
+ ACCEPT $FW net:$BACKUP_SERVERS tcp 22
+ ----- end rules.mgmt -----
+
+ shorewall/rules:
+ # Shorewall version 1.3 - Rules File
+ [..]
+ #######################################
+
+ INCLUDE rules.mgmt
+
+ # rules unique to this host here
+ #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+ ----- end rules -----
+
+ INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
+directives are ignored with a warning message.
+
+
+ - Routing traffic from an interface back out that interface continues
+ to be a problem. While I firmly believe that this should never happen,
+ people continue to want to do it. To limit the damage that such nonsense
+ produces, I have added a new 'routeback' option in /etc/shorewall/interfaces
+ and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the
+'ZONE' column may not contain '-'; in other words, 'routeback' can't
+be used as an option for a multi-zone interface. The 'routeback' option
+CAN be specified however on individual group entries in /etc/shorewall/hosts.
+
+ The 'routeback' option is similar to the old 'multi' option with
+two exceptions:
+
+ a) The option pertains to a particular zone,interface,address
+tuple.
+
+ b) The option only created infrastructure to pass traffic from
+(zone,interface,address) tuples back to themselves (the 'multi' option
+affected all (zone,interface,address) tuples associated with the given
+'interface').
+
+ See the 'Upgrade Issues' for information
+ about how this new option may affect your configuration.
+
- New Features:
-
-Note: In the list that follows, the term group refers to
-a particular network or subnetwork (which may be 0.0.0.0/0 or it may be a
-host address) accessed through a particular interface. Examples:
-
+
+3/24/2003 - Shorewall 1.4.1
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0
+and removes additional warts.
+
+ Problems Corrected:
+
+
+
+ - When Shorewall 1.4.0 is run under the ash shell (such as on
+Bering/LEAF), it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn
+ file is empty. That problem has been corrected so that ECN disabling rules
+ are only added if there are entries in /etc/shorewall/ecn.
+
+
+ New Features:
+
+Note: In the list that follows, the term group refers
+to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
+a host address) accessed through a particular interface. Examples:
+
eth0:0.0.0.0/0
- eth2:192.168.1.0/24
- eth3:192.0.2.123
-
- You can use the "shorewall check" command to see the groups associated
- with each of your zones.
-
-
+ eth2:192.168.1.0/24
+ eth3:192.0.2.123
+
+ You can use the "shorewall check" command to see the groups associated
+ with each of your zones.
+
+
- - Beginning with Shorewall 1.4.1, if a zone Z comprises more than
- one group then if there is no explicit Z to Z policy and there are
- no rules governing traffic from Z to Z then Shorewall will permit all traffic
- between the groups in the zone.
- - Beginning with Shorewall 1.4.1, Shorewall will never create rules
- to handle traffic from a group to itself.
- - A NONE policy is introduced in 1.4.1. When a policy of NONE is
- specified from Z1 to Z2:
-
+ - Beginning with Shorewall 1.4.1, if a zone Z comprises more than
+ one group then if there is no explicit Z to Z policy and there
+are no rules governing traffic from Z to Z then Shorewall will permit all
+traffic between the groups in the zone.
+ - Beginning with Shorewall 1.4.1, Shorewall will never create
+rules to handle traffic from a group to itself.
+ - A NONE policy is introduced in 1.4.1. When a policy of NONE
+is specified from Z1 to Z2:
+
-
+
- - There may be no rules created that govern connections from Z1
-to Z2.
- - Shorewall will not create any infrastructure to handle traffic
+
- There may be no rules created that govern connections from Z1
+ to Z2.
+ - Shorewall will not create any infrastructure to handle traffic
from Z1 to Z2.
-
+
- See the upgrade issues for a discussion
- of how these changes may affect your configuration.
+ See the upgrade issues for a discussion
+ of how these changes may affect your configuration.
3/17/2003 - Shorewall 1.4.0
- Shorewall 1.4 represents
- the next step in the evolution of Shorewall. The main thrust of the
- initial release is simply to remove the cruft that has accumulated in
+ Shorewall 1.4 represents
+ the next step in the evolution of Shorewall. The main thrust of the
+ initial release is simply to remove the cruft that has accumulated in
Shorewall over time.
-
- IMPORTANT: Shorewall 1.4.0 requires the iproute package
- ('ip' utility).
-
- Function from 1.3 that has been omitted from this version
-include:
-
+
+ IMPORTANT: Shorewall 1.4.0 requires the iproute package
+ ('ip' utility).
+
+ Function from 1.3 that has been omitted from this version
+ include:
+
- - The MERGE_HOSTS variable in shorewall.conf is no
+
- The MERGE_HOSTS variable in shorewall.conf is no
longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.
-
-
- - Interface names of the form <device>:<integer>
- in /etc/shorewall/interfaces now generate an error.
-
-
- - Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
- OLD_PING_HANDLING=Yes will generate an error at startup as will specification
- of the 'noping' or 'filterping' interface options.
-
-
- - The 'routestopped' option in the /etc/shorewall/interfaces
- and /etc/shorewall/hosts files is no longer supported and will generate
- an error at startup if specified.
-
-
- - The Shorewall 1.2 syntax for DNAT and REDIRECT rules
-is no longer accepted.
-
-
- - The ALLOWRELATED variable in shorewall.conf is no longer
- supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
-
-
- - The icmp.def file has been removed.
-
-
-
- Changes for 1.4 include:
-
-
- - The /etc/shorewall/shorewall.conf file has been completely
- reorganized into logical sections.
-
-
- - LOG is now a valid action for a rule (/etc/shorewall/rules).
-
-
- - The firewall script and version file are now installed
- in /usr/share/shorewall.
-
-
- - Late arriving DNS replies are now silently dropped in
- the common chain by default.
-
-
- - In addition to behaving like OLD_PING_HANDLING=No, Shorewall
- 1.4 no longer unconditionally accepts outbound ICMP packets. So if
-you want to 'ping' from the firewall, you will need the appropriate rule
-or policy.
-
-
- - CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
-
-
- - 802.11b devices with names of the form wlan<n> now support
- the 'maclist' option.
-
-
- - Explicit Congestion Notification (ECN - RFC 3168) may now
-be turned off on a host or network basis using the new /etc/shorewall/ecn
- file. To use this facility:
-
- a) You must be running kernel 2.4.20
- b) You must have applied the patch in
- http://www.shorewall/net/pub/shorewall/ecn/patch.
- c) You must have iptables 1.2.7a installed.
-
-
- - The /etc/shorewall/params file is now processed first so that
- variables may be used in the /etc/shorewall/shorewall.conf file.
-
-
- - Shorewall now gives a more helpful diagnostic when
- the 'ipchains' compatibility kernel module is loaded and a 'shorewall
-start' command is issued.
-
-
- - The SHARED_DIR variable has been removed from shorewall.conf.
- This variable was for use by package maintainers and was not documented
- for general use.
-
-
- - Shorewall now ignores 'default' routes when detecting masq'd
- networks.
-
-
-
-3/10/2003 - Shoreall 1.3.14a
-
-A roleup of the following bug fixes and other updates:
-
-
- - There is an updated rfc1918 file that reflects the resent allocation
- of 222.0.0.0/8 and 223.0.0.0/8.
-
-
-
-
- - The documentation for the routestopped file claimed that a comma-separated
- list could appear in the second column while the code only supported
- a single host or network address.
- - Log messages produced by 'logunclean' and 'dropunclean' were
-not rate-limited.
- - 802.11b devices with names of the form wlan<n>
-don't support the 'maclist' interface option.
- - Log messages generated by RFC 1918 filtering are not rate limited.
- - The firewall fails to start in the case where you have "eth0
-eth1" in /etc/shorewall/masq and the default route is through eth1
-
-
-
-2/8/2003 - Shoreawall 1.3.14
-
-New features include
-
-
- - An OLD_PING_HANDLING option has been added to shorewall.conf.
- When set to Yes, Shorewall ping handling is as it has always been
- (see http://www.shorewall.net/ping.html).
-
- When OLD_PING_HANDLING=No, icmp echo (ping) is handled
- via rules and policies just like any other connection request.
- The FORWARDPING=Yes option in shorewall.conf and the 'noping'
-and 'filterping' options in /etc/shorewall/interfaces will all
-generate an error.
-
-
- - It is now possible to direct Shorewall to create
-a "label" such as "eth0:0" for IP addresses that it creates under
- ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
- the label instead of just the interface name:
-
- a) In the INTERFACE column of /etc/shorewall/masq
- b) In the INTERFACE column of /etc/shorewall/nat
-
- - Support for OpenVPN Tunnels.
-
-
- - Support for VLAN devices with names of the form
-$DEV.$VID (e.g., eth0.0)
- - In /etc/shorewall/tcrules, the MARK value may be optionally
- followed by ":" and either 'F' or 'P' to designate that the marking
- will occur in the FORWARD or PREROUTING chains respectively. If this
- additional specification is omitted, the chain used to mark packets
-will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
-in shorewall.conf.
-
-
- - When an interface name is entered in the SUBNET
-column of the /etc/shorewall/masq file, Shorewall previously masqueraded
- traffic from only the first subnet defined on that interface. It
- did not masquerade traffic from:
-
- a) The subnets associated with other addresses
-on the interface.
- b) Subnets accessed through local routers.
-
- Beginning with Shorewall 1.3.14, if you enter an
-interface name in the SUBNET column, shorewall will use the firewall's
-routing table to construct the masquerading/SNAT rules.
-
- Example 1 -- This is how it works in 1.3.14.
-
-
-
- [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
-
-
- [root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
-
- When upgrading to Shorewall 1.3.14, if you have multiple
- local subnets connected to an interface that is specified in
-the SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
- file will need changing. In most cases, you will simply be able to
-remove redundant entries. In some cases though, you might want to change
-from using the interface name to listing specific subnetworks if the
-change described above will cause masquerading to occur on subnetworks
- that you don't wish to masquerade.
-
- Example 2 -- Suppose that your current config is
-as follows:
-
-
-
- [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, the second entry in /etc/shorewall/masq
- is no longer required.
-
- Example 3 -- What if your current configuration is
- like this?
-
-
-
- [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, you would want to change the entry
- in /etc/shorewall/masq to:
-
-
- #INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
+ - Interface names of the form <device>:<integer>
+ in /etc/shorewall/interfaces now generate an error.
+
+
+ - Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
+ OLD_PING_HANDLING=Yes will generate an error at startup as will specification
+ of the 'noping' or 'filterping' interface options.
+
+
+ - The 'routestopped' option in the /etc/shorewall/interfaces
+ and /etc/shorewall/hosts files is no longer supported and will generate
+ an error at startup if specified.
+
+
+ - The Shorewall 1.2 syntax for DNAT and REDIRECT rules
+ is no longer accepted.
+
+
+ - The ALLOWRELATED variable in shorewall.conf is no longer
+ supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
+
+
+ - The icmp.def file has been removed.
+
+
-
-
- 2/5/2003 - Shorewall Support included in Webmin 1.060
-
-Webmin version 1.060 now has Shorewall support included as standard. See
- http://www.webmin.com.
-
- 2/4/2003 - Shorewall 1.3.14-RC1
-
-Includes the Beta 2 content plus support for OpenVPN tunnels.
-
-1/28/2003 - Shorewall 1.3.14-Beta2
-
-Includes the Beta 1 content plus restores VLAN device names of the form
- $dev.$vid (e.g., eth0.1)
-
-1/25/2003 - Shorewall 1.3.14-Beta1
-
-
-The Beta includes the following changes:
-
-
+ Changes for 1.4 include:
+
- - An OLD_PING_HANDLING option has been added
-to shorewall.conf. When set to Yes, Shorewall ping handling is
-as it has always been (see http://www.shorewall.net/ping.html).
-
- When OLD_PING_HANDLING=No, icmp echo (ping) is handled
- via rules and policies just like any other connection request.
- The FORWARDPING=Yes option in shorewall.conf and the 'noping'
-and 'filterping' options in /etc/shorewall/interfaces will all
-generate an error.
-
-
- - It is now possible to direct Shorewall to create
- a "label" such as "eth0:0" for IP addresses that it creates under
- ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
- the label instead of just the interface name:
-
- a) In the INTERFACE column of /etc/shorewall/masq
- b) In the INTERFACE column of /etc/shorewall/nat
-
- - When an interface name is entered in the SUBNET
- column of the /etc/shorewall/masq file, Shorewall previously masqueraded
- traffic from only the first subnet defined on that interface. It
- did not masquerade traffic from:
-
- a) The subnets associated with other addresses
-on the interface.
- b) Subnets accessed through local routers.
-
- Beginning with Shorewall 1.3.14, if you enter an
-interface name in the SUBNET column, shorewall will use the firewall's
+ - The /etc/shorewall/shorewall.conf file has been completely
+ reorganized into logical sections.
+
+
+ - LOG is now a valid action for a rule (/etc/shorewall/rules).
+
+
+ - The firewall script and version file are now installed
+ in /usr/share/shorewall.
+
+
+ - Late arriving DNS replies are now silently dropped
+in the common chain by default.
+
+
+ - In addition to behaving like OLD_PING_HANDLING=No,
+Shorewall 1.4 no longer unconditionally accepts outbound ICMP packets.
+So if you want to 'ping' from the firewall, you will need the appropriate
+rule or policy.
+
+
+ - CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
+
+
+ - 802.11b devices with names of the form wlan<n> now
+support the 'maclist' option.
+
+
+ - Explicit Congestion Notification (ECN - RFC 3168) may now
+be turned off on a host or network basis using the new /etc/shorewall/ecn
+ file. To use this facility:
+
+ a) You must be running kernel 2.4.20
+ b) You must have applied the patch in
+ http://www.shorewall/net/pub/shorewall/ecn/patch.
+ c) You must have iptables 1.2.7a installed.
+
+
+ - The /etc/shorewall/params file is now processed first so
+that variables may be used in the /etc/shorewall/shorewall.conf file.
+
+
+ - Shorewall now gives a more helpful diagnostic when
+ the 'ipchains' compatibility kernel module is loaded and a 'shorewall
+ start' command is issued.
+
+
+ - The SHARED_DIR variable has been removed from shorewall.conf.
+ This variable was for use by package maintainers and was not documented
+ for general use.
+
+
+ - Shorewall now ignores 'default' routes when detecting masq'd
+ networks.
+
+
+
+3/10/2003 - Shoreall 1.3.14a
+
+A roleup of the following bug fixes and other updates:
+
+
+ - There is an updated rfc1918 file that reflects the resent allocation
+ of 222.0.0.0/8 and 223.0.0.0/8.
+
+
+
+
+ - The documentation for the routestopped file claimed that a
+comma-separated list could appear in the second column while the
+code only supported a single host or network address.
+ - Log messages produced by 'logunclean' and 'dropunclean' were
+ not rate-limited.
+ - 802.11b devices with names of the form wlan<n>
+don't support the 'maclist' interface option.
+ - Log messages generated by RFC 1918 filtering are not rate limited.
+ - The firewall fails to start in the case where you have "eth0
+ eth1" in /etc/shorewall/masq and the default route is through eth1
+
+
+
+2/8/2003 - Shoreawall 1.3.14
+
+New features include
+
+
+ - An OLD_PING_HANDLING option has been added to shorewall.conf.
+ When set to Yes, Shorewall ping handling is as it has always been
+ (see http://www.shorewall.net/ping.html).
+
+ When OLD_PING_HANDLING=No, icmp echo (ping) is handled
+ via rules and policies just like any other connection request.
+ The FORWARDPING=Yes option in shorewall.conf and the 'noping' and
+ 'filterping' options in /etc/shorewall/interfaces will all generate
+ an error.
+
+
+ - It is now possible to direct Shorewall to create
+ a "label" such as "eth0:0" for IP addresses that it creates under
+ ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
+ the label instead of just the interface name:
+
+ a) In the INTERFACE column of /etc/shorewall/masq
+ b) In the INTERFACE column of /etc/shorewall/nat
+
+ - Support for OpenVPN Tunnels.
+
+
+ - Support for VLAN devices with names of the form
+$DEV.$VID (e.g., eth0.0)
+
+
+ - In /etc/shorewall/tcrules, the MARK value may be
+optionally followed by ":" and either 'F' or 'P' to designate that
+the marking will occur in the FORWARD or PREROUTING chains respectively.
+If this additional specification is omitted, the chain used to mark
+packets will be determined by the setting of the MARK_IN_FORWARD_CHAIN
+option in shorewall.conf.
+
+
+ - When an interface name is entered in the SUBNET
+column of the /etc/shorewall/masq file, Shorewall previously masqueraded
+ traffic from only the first subnet defined on that interface.
+It did not masquerade traffic from:
+
+ a) The subnets associated with other addresses
+ on the interface.
+ b) Subnets accessed through local routers.
+
+ Beginning with Shorewall 1.3.14, if you enter an
+interface name in the SUBNET column, shorewall will use the firewall's
routing table to construct the masquerading/SNAT rules.
-
- Example 1 -- This is how it works in 1.3.14.
-
+
+ Example 1 -- This is how it works in 1.3.14.
+
-
+
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
-
- [root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
-
- When upgrading to Shorewall 1.3.14, if you have multiple
- local subnets connected to an interface that is specified in
-the SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
- file will need changing. In most cases, you will simply be able to
-remove redundant entries. In some cases though, you might want to change
-from using the interface name to listing specific subnetworks if the
-change described above will cause masquerading to occur on subnetworks
- that you don't wish to masquerade.
-
- Example 2 -- Suppose that your current config is
-as follows:
-
-
+
+ [root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
+
+ When upgrading to Shorewall 1.3.14, if you have
+multiple local subnets connected to an interface that is specified
+in the SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
+ file will need changing. In most cases, you will simply be able to
+remove redundant entries. In some cases though, you might want to change
+from using the interface name to listing specific subnetworks if the change
+ described above will cause masquerading to occur on subnetworks that you
+ don't wish to masquerade.
+
+ Example 2 -- Suppose that your current config is
+as follows:
+
+
+
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, the second entry in /etc/shorewall/masq
- is no longer required.
-
- Example 3 -- What if your current configuration is
- like this?
-
-
+
+ [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+
+ In this case, the second entry in /etc/shorewall/masq
+ is no longer required.
+
+ Example 3 -- What if your current configuration
+is like this?
+
+
+
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, you would want to change the entry
- in /etc/shorewall/masq to:
-
+
+ [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+
+ In this case, you would want to change the entry
+ in /etc/shorewall/masq to:
+
+
+
#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
+
+
+
+
+ 2/5/2003 - Shorewall Support included in Webmin 1.060
+
+Webmin version 1.060 now has Shorewall support included as standard. See
+ http://www.webmin.com.
+
+ 2/4/2003 - Shorewall 1.3.14-RC1
+
+Includes the Beta 2 content plus support for OpenVPN tunnels.
+
+1/28/2003 - Shorewall 1.3.14-Beta2
+Includes the Beta 1 content plus restores VLAN device names of the form
+ $dev.$vid (e.g., eth0.1)
+
+1/25/2003 - Shorewall 1.3.14-Beta1
+
+
+The Beta includes the following changes:
+
+
+
+ - An OLD_PING_HANDLING option has been added
+to shorewall.conf. When set to Yes, Shorewall ping handling is
+as it has always been (see http://www.shorewall.net/ping.html).
+
+ When OLD_PING_HANDLING=No, icmp echo (ping) is handled
+ via rules and policies just like any other connection request.
+ The FORWARDPING=Yes option in shorewall.conf and the 'noping' and
+ 'filterping' options in /etc/shorewall/interfaces will all generate
+ an error.
+
+
+ - It is now possible to direct Shorewall to
+create a "label" such as "eth0:0" for IP addresses that it creates
+under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done
+by specifying the label instead of just the interface name:
+
+ a) In the INTERFACE column of /etc/shorewall/masq
+ b) In the INTERFACE column of /etc/shorewall/nat
+
+ - When an interface name is entered in the SUBNET
+ column of the /etc/shorewall/masq file, Shorewall previously masqueraded
+ traffic from only the first subnet defined on that interface. It
+ did not masquerade traffic from:
+
+ a) The subnets associated with other addresses
+ on the interface.
+ b) Subnets accessed through local routers.
+
+ Beginning with Shorewall 1.3.14, if you enter an
+interface name in the SUBNET column, shorewall will use the firewall's
+routing table to construct the masquerading/SNAT rules.
+
+ Example 1 -- This is how it works in 1.3.14.
+
+
+
+
+ [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+
+ [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
+
+
+
+ [root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
+
+ When upgrading to Shorewall 1.3.14, if you have
+multiple local subnets connected to an interface that is specified
+in the SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
+ file will need changing. In most cases, you will simply be able to
+remove redundant entries. In some cases though, you might want to change
+from using the interface name to listing specific subnetworks if the change
+ described above will cause masquerading to occur on subnetworks that you
+ don't wish to masquerade.
+
+ Example 2 -- Suppose that your current config is
+as follows:
+
+
+
+
+ [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+
+ [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+
+ In this case, the second entry in /etc/shorewall/masq
+ is no longer required.
+
+ Example 3 -- What if your current configuration
+is like this?
+
+
+
+
+ [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+
+ [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+
+ In this case, you would want to change the entry
+ in /etc/shorewall/masq to:
+
+
+
+ #INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+
+
1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format
-
-Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation.
+
+
Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation.
the PDF may be downloaded from
- ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
+ http://slovakia.shorewall.net/pub/shorewall/pdf/
+
1/17/2003 - shorewall.net has MOVED
-
+
Thanks to the generosity of Alex Martin and Rett Consulting, www.shorewall.net and ftp.shorewall.net
-are now hosted on a system in Bellevue, Washington. A big thanks to Alex
-for making this happen.
-
-
+ href="http://www.rettc.com">Rett Consulting, www.shorewall.net and
+ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A
+big thanks to Alex for making this happen.
+
+
1/13/2003 - Shorewall 1.3.13
-
-
+
+
Just includes a few things that I had on the burner:
-
-
+
+
- - A new 'DNAT-' action has been added for
-entries in the /etc/shorewall/rules file. DNAT- is intended for
-advanced users who wish to minimize the number of rules that connection
- requests must traverse.
-
- A Shorewall DNAT rule actually generates two
-iptables rules: a header rewriting rule in the 'nat' table and
-an ACCEPT rule in the 'filter' table. A DNAT- rule only generates
-the first of these rules. This is handy when you have several DNAT
+ - A new 'DNAT-' action has been added for
+ entries in the /etc/shorewall/rules file. DNAT- is intended
+for advanced users who wish to minimize the number of rules that
+connection requests must traverse.
+
+ A Shorewall DNAT rule actually generates two
+iptables rules: a header rewriting rule in the 'nat' table and
+an ACCEPT rule in the 'filter' table. A DNAT- rule only generates
+the first of these rules. This is handy when you have several DNAT
rules that would generate the same ACCEPT rule.
-
- Here are three rules from my previous rules
+
+ Here are three rules from my previous rules
file:
-
- DNAT net dmz:206.124.146.177 tcp smtp
- - 206.124.146.178
- DNAT net dmz:206.124.146.177 tcp smtp
- - 206.124.146.179
- ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
-
- These three rules ended up generating _three_
+
+ DNAT net dmz:206.124.146.177 tcp
+smtp - 206.124.146.178
+ DNAT net dmz:206.124.146.177 tcp
+smtp - 206.124.146.179
+ ACCEPT net dmz:206.124.146.177 tcp
+www,smtp,ftp,...
+
+ These three rules ended up generating _three_
copies of
-
- ACCEPT net dmz:206.124.146.177 tcp
+
+ ACCEPT net dmz:206.124.146.177 tcp
smtp
-
- By writing the rules this way, I end up with
- only one copy of the ACCEPT rule.
-
- DNAT- net dmz:206.124.146.177 tcp smtp
- - 206.124.146.178
- DNAT- net dmz:206.124.146.177 tcp smtp
- - 206.124.146.179
- ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,....
-
-
- - The 'shorewall check' command now prints
+
+ By writing the rules this way, I end up with
+ only one copy of the ACCEPT rule.
+
+ DNAT- net dmz:206.124.146.177 tcp
+smtp - 206.124.146.178
+ DNAT- net dmz:206.124.146.177 tcp
+smtp - 206.124.146.179
+ ACCEPT net dmz:206.124.146.177 tcp
+www,smtp,ftp,....
+
+
+ - The 'shorewall check' command now prints
out the applicable policy between each pair of zones.
-
-
- - A new CLEAR_TC option has been added to
-shorewall.conf. If this option is set to 'No' then Shorewall won't
-clear the current traffic control rules during [re]start. This
-setting is intended for use by people that prefer to configure traffic
-shaping when the network interfaces come up rather than when the firewall
-is started. If that is what you want to do, set TC_ENABLED=Yes and
-CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way,
- your traffic shaping rules can still use the 'fwmark' classifier based
-on packet marking defined in /etc/shorewall/tcrules.
-
-
- - A new SHARED_DIR variable has been added
- that allows distribution packagers to easily move the shared
-directory (default /usr/lib/shorewall). Users should never have
-a need to change the value of this shorewall.conf setting.
-
-
+
+
+ - A new CLEAR_TC option has been added to
+ shorewall.conf. If this option is set to 'No' then Shorewall
+won't clear the current traffic control rules during [re]start.
+This setting is intended for use by people that prefer to configure
+traffic shaping when the network interfaces come up rather than when
+the firewall is started. If that is what you want to do, set TC_ENABLED=Yes
+ and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file.
+That way, your traffic shaping rules can still use the 'fwmark' classifier
+ based on packet marking defined in /etc/shorewall/tcrules.
+
+
+ - A new SHARED_DIR variable has been added
+ that allows distribution packagers to easily move the shared directory
+ (default /usr/lib/shorewall). Users should never have a need
+to change the value of this shorewall.conf setting.
+
+
-
-1/6/2003 - BURNOUT
-
-
-Until further notice, I will not be involved in either Shorewall Development
- or Shorewall Support
-
+
+1/6/2003 - BURNOUT
+
+
+Until further notice, I will not be involved in either Shorewall Development
+ or Shorewall Support
+
-Tom Eastep
-
-
+
+
12/30/2002 - Shorewall Documentation in PDF Format
-
-Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation.
+
+
Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation.
the PDF may be downloaded from
-
+
ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
+
-
+
12/27/2002 - Shorewall 1.3.12 Released
-
+
Features include:
-
-
+
+
- - "shorewall refresh" now reloads the
+
- "shorewall refresh" now reloads the
traffic shaping rules (tcrules and tcstart).
- - "shorewall debug [re]start" now turns
- off debugging after an error occurs. This places the point
- of the failure near the end of the trace rather than up in the
+
- "shorewall debug [re]start" now turns
+ off debugging after an error occurs. This places the point
+ of the failure near the end of the trace rather than up in the
middle of it.
- - "shorewall [re]start" has been speeded
- up by more than 40% with my configuration. Your milage may vary.
- - A "shorewall show classifiers" command
- has been added which shows the current packet classification
- filters. The output from this command is also added as a separate
- page in "shorewall monitor"
- - ULOG (must be all caps) is now accepted
- as a valid syslog level and causes the subject packets to
-be logged using the ULOG target rather than the LOG target.
-This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd)
+
- "shorewall [re]start" has been speeded
+ up by more than 40% with my configuration. Your milage may
+vary.
+ - A "shorewall show classifiers" command
+ has been added which shows the current packet classification
+ filters. The output from this command is also added as a
+separate page in "shorewall monitor"
+ - ULOG (must be all caps) is now accepted
+ as a valid syslog level and causes the subject packets to
+be logged using the ULOG target rather than the LOG target. This
+ allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd)
and log all Shorewall messages to a separate log file.
- - If you are running a kernel that has
-a FORWARD chain in the mangle table ("shorewall show mangle"
- will show you the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
- in shorewall.conf. This allows
- for marking input packets based on their destination even
-when you are using Masquerading or SNAT.
- - I have cluttered up the /etc/shorewall
- directory with empty 'init', 'start', 'stop' and 'stopped'
- files. If you already have a file with one of these names, don't
- worry -- the upgrade process won't overwrite your file.
- - I have added a new RFC1918_LOG_LEVEL
-variable to shorewall.conf.
-This variable specifies the syslog level at which packets are
-logged as a result of entries in the /etc/shorewall/rfc1918 file.
-Previously, these packets were always logged at the 'info' level.
-
-
+ - If you are running a kernel that has
+ a FORWARD chain in the mangle table ("shorewall show mangle"
+ will show you the chains in the mangle table), you can set
+MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
+This allows for marking input packets based on their destination
+even when you are using Masquerading or SNAT.
+ - I have cluttered up the /etc/shorewall
+ directory with empty 'init', 'start', 'stop' and 'stopped'
+ files. If you already have a file with one of these names, don't
+ worry -- the upgrade process won't overwrite your file.
+ - I have added a new RFC1918_LOG_LEVEL
+ variable to shorewall.conf.
+ This variable specifies the syslog level at which packets
+are logged as a result of entries in the /etc/shorewall/rfc1918
+file. Previously, these packets were always logged at the 'info'
+level.
+
+
-
+
12/20/2002 - Shorewall 1.3.12 Beta 3
-
- This version corrects a problem with Blacklist
- logging. In Beta 2, if BLACKLIST_LOG_LEVEL was set to anything
- but ULOG, the firewall would fail to start and "shorewall refresh"
+
+ This version corrects a problem with Blacklist
+ logging. In Beta 2, if BLACKLIST_LOG_LEVEL was set to anything
+ but ULOG, the firewall would fail to start and "shorewall refresh"
would also fail.
-
+
12/20/2002 - Shorewall 1.3.12 Beta 2
-
-The first public Beta version of Shorewall 1.3.12 is now available (Beta
- 1 was made available only to a limited audience).
-
- Features include:
-
+
+The first public Beta version of Shorewall 1.3.12 is now available (Beta
+ 1 was made available only to a limited audience).
+
+ Features include:
+
- - "shorewall refresh" now reloads
-the traffic shaping rules (tcrules and tcstart).
- - "shorewall debug [re]start" now
-turns off debugging after an error occurs. This places the
-point of the failure near the end of the trace rather than up
-in the middle of it.
- - "shorewall [re]start" has been
-speeded up by more than 40% with my configuration. Your milage
+
- "shorewall refresh" now reloads
+ the traffic shaping rules (tcrules and tcstart).
+ - "shorewall debug [re]start" now
+ turns off debugging after an error occurs. This places
+the point of the failure near the end of the trace rather than
+up in the middle of it.
+ - "shorewall [re]start" has been
+speeded up by more than 40% with my configuration. Your milage
may vary.
- - A "shorewall show classifiers"
-command has been added which shows the current packet classification
- filters. The output from this command is also added as a separate
+
- A "shorewall show classifiers"
+command has been added which shows the current packet classification
+ filters. The output from this command is also added as a separate
page in "shorewall monitor"
- - ULOG (must be all caps) is now
-accepted as a valid syslog level and causes the subject packets
-to be logged using the ULOG target rather than the LOG target.
-This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd)
+
- ULOG (must be all caps) is now
+accepted as a valid syslog level and causes the subject packets
+to be logged using the ULOG target rather than the LOG target.
+ This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd)
and log all Shorewall messages to a separate log file.
- - If you are running a kernel that
- has a FORWARD chain in the mangle table ("shorewall show
-mangle" will show you the chains in the mangle table), you
-can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows
-for marking input packets based on their destination even when
- you are using Masquerading or SNAT.
- - I have cluttered up the /etc/shorewall
- directory with empty 'init', 'start', 'stop' and 'stopped'
- files. If you already have a file with one of these names, don't
+
- If you are running a kernel that
+ has a FORWARD chain in the mangle table ("shorewall show
+mangle" will show you the chains in the mangle table), you can
+set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows for
+ marking input packets based on their destination even when you
+are using Masquerading or SNAT.
+ - I have cluttered up the /etc/shorewall
+ directory with empty 'init', 'start', 'stop' and 'stopped'
+ files. If you already have a file with one of these names, don't
worry -- the upgrade process won't overwrite your file.
-
+
- You may download the Beta from:
-
+ You may download the Beta from:
+
http://www.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
-
+
+
12/12/2002 - Mandrake Multi Network Firewall 
-
- Shorewall is at the center of MandrakeSoft's
- recently-announced Multi
- Network Firewall (MNF) product. Here is the press
+
+ Shorewall is at the center of MandrakeSoft's
+ recently-announced Multi
+ Network Firewall (MNF) product. Here is the press
release.
-
+
12/7/2002 - Shorewall Support for Mandrake 9.0
-
-Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered.
- I have installed 9.0 on one of my systems and I am now
- in a position to support Shorewall users who run Mandrake
-9.0.
+
+Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered.
+ I have installed 9.0 on one of my systems and I am now
+ in a position to support Shorewall users who run Mandrake 9.0.
-
+
12/6/2002 - Debian 1.3.11a Packages Available
-
+
-
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
12/3/2002 - Shorewall 1.3.11a
-
-This is a bug-fix roll up which includes Roger Aich's fix for DNAT with
- excluded subnets (e.g., "DNAT foo!bar ..."). Current
-1.3.11 users who don't need rules of this type need not
-upgrade to 1.3.11.
+
+This is a bug-fix roll up which includes Roger Aich's fix for DNAT with
+ excluded subnets (e.g., "DNAT foo!bar ..."). Current
+1.3.11 users who don't need rules of this type need not upgrade
+to 1.3.11.
-
+
11/24/2002 - Shorewall 1.3.11
-
+
In this version:
-
+
- - A 'tcpflags' option has
+
- A 'tcpflags' option has
been added to entries in /etc/shorewall/interfaces.
- This option causes Shorewall to make a set of sanity check on TCP
- packet header flags.
- - It is now allowed to use
-'all' in the SOURCE or DEST column in a rule. When used, 'all' must
-appear by itself (in may not be qualified) and it does not enable
- intra-zone traffic. For example, the rule
-
- ACCEPT loc all tcp 80
-
- does not enable http traffic from
- 'loc' to 'loc'.
- - Shorewall's use of the 'echo'
- command is now compatible with bash clones such as ash
-and dash.
- - fw->fw policies now generate
- a startup error. fw->fw rules generate a warning
-and are ignored
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces.
+ This option causes Shorewall to make a set of sanity check on TCP
+ packet header flags.
+ - It is now allowed to use
+ 'all' in the SOURCE or DEST column in a rule. When used, 'all' must appear
+ by itself (in may not be qualified) and it does not enable intra-zone
+ traffic. For example, the rule
+
+ ACCEPT loc all tcp 80
+
+ does not enable http traffic
+from 'loc' to 'loc'.
+ - Shorewall's use of the
+'echo' command is now compatible with bash clones such
+as ash and dash.
+ - fw->fw policies now
+generate a startup error. fw->fw rules generate a
+warning and are ignored
-
+
-
+
11/14/2002 - Shorewall Documentation in PDF Format
-
-Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation.
+
+
Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation.
the PDF may be downloaded from
-
+
ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
+
-
-11/09/2002 - Shorewall is Back at SourceForge
-
+
+11/09/2002 - Shorewall is Back at SourceForge
+
-
+
The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.
-
+
-
+
11/09/2002 - Shorewall 1.3.10
-
+
In this version:
-
-
- - You may now define the contents of a zone dynamically
- with the "shorewall
- add" and "shorewall delete" commands. These commands
- are expected to be used primarily within FreeS/Wan updown scripts.
- - Shorewall can now do MAC verification on ethernet
-segments. You can specify the set of allowed MAC addresses on the
-segment and you can optionally tie each MAC address to one or more
-IP addresses.
- - PPTP Servers and Clients
- running on the firewall system may now be defined in
- the /etc/shorewall/tunnels file.
- - A new 'ipsecnat' tunnel
- type is supported for use when the remote IPSEC endpoint is behind a NAT gateway.
- - The PATH used by Shorewall
- may now be specified in /etc/shorewall/shorewall.conf.
- - The main firewall script
- is now /usr/lib/shorewall/firewall. The script in
-/etc/init.d/shorewall is very small and uses /sbin/shorewall
- to do the real work. This change makes custom distributions
-such as for Debian and for Gentoo easier to manage since
-it is /etc/init.d/shorewall that tends to have distribution-dependent
- code
-
-
-
-
-
-10/24/2002 - Shorewall is now in Gentoo Linux
-
- Alexandru Hartmann reports
- that his Shorewall package is now a part of the Gentoo Linux distribution.
- Thanks Alex!
-
-
-10/23/2002 - Shorewall 1.3.10 Beta 1
- In this version:
-
-
+
- You may now define the contents of a zone dynamically
+ href="IPSEC.htm#Dynamic">define the contents of a zone dynamically
with the "shorewall
- add" and "shorewall delete" commands. These commands
- are expected to be used primarily within . These commands
+ are expected to be used primarily within FreeS/Wan updown
- scripts.
+scripts.
- Shorewall can now do MAC verification on ethernet segments.
- You can specify the set of allowed MAC addresses on
-the segment and you can optionally tie each MAC address to one
-or more IP addresses.
+ href="MAC_Validation.html"> MAC verification on ethernet segments.
+You can specify the set of allowed MAC addresses on the segment
+and you can optionally tie each MAC address to one or more IP addresses.
- PPTP Servers and Clients
running on the firewall system may now be defined in
the /etc/shorewall/tunnels file.
@@ -964,106 +960,177 @@ or more IP addresses.
may now be specified in /etc/shorewall/shorewall.conf.
- The main firewall script
- is now /usr/lib/shorewall/firewall. The script in /etc/init.d/shorewall
- is very small and uses /sbin/shorewall to do the real
- work. This change makes custom distributions such as for
-Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
- that tends to have distribution-dependent code.
+ is now /usr/lib/shorewall/firewall. The script in /etc/init.d/shorewall
+ is very small and uses /sbin/shorewall to do the real
+work. This change makes custom distributions such as for Debian
+ and for Gentoo easier to manage since it is /etc/init.d/shorewall
+ that tends to have distribution-dependent code
- You may download the Beta
+
+
+10/24/2002 - Shorewall is now in Gentoo Linux
+
+ Alexandru Hartmann reports
+ that his Shorewall package is now a part of the Gentoo Linux distribution.
+ Thanks Alex!
+
+
+10/23/2002 - Shorewall 1.3.10 Beta 1
+ In this version:
+
+
+
+ - You may now define the contents of a zone dynamically
+ with the "shorewall
+ add" and "shorewall delete" commands. These commands
+ are expected to be used primarily within FreeS/Wan updown
+scripts.
+ - Shorewall can now do MAC verification on ethernet segments.
+ You can specify the set of allowed MAC addresses on
+ the segment and you can optionally tie each MAC address to
+one or more IP addresses.
+ - PPTP Servers and Clients
+ running on the firewall system may now be defined
+in the /etc/shorewall/tunnels file.
+ - A new 'ipsecnat' tunnel
+ type is supported for use when the remote IPSEC endpoint is behind a NAT gateway.
+ - The PATH used by Shorewall
+ may now be specified in /etc/shorewall/shorewall.conf.
+ - The main firewall script
+ is now /usr/lib/shorewall/firewall. The script in
+/etc/init.d/shorewall is very small and uses /sbin/shorewall
+ to do the real work. This change makes custom distributions
+such as for Debian and for Gentoo easier to manage since
+it is /etc/init.d/shorewall that tends to have distribution-dependent
+ code.
+
+
+
+ You may download the Beta
from:
-
+
-
+
10/10/2002 - Debian 1.3.9b Packages Available
-
+
-
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
10/9/2002 - Shorewall 1.3.9b
- This release rolls up fixes
+ This release rolls up fixes
to the installer and to the firewall script.
-
+
10/6/2002 - Shorewall.net now running on RH8.0
-
- The firewall and server
- here at shorewall.net are now running RedHat release
+
+ The firewall and server
+ here at shorewall.net are now running RedHat release
8.0.
-
- 9/30/2002 - Shorewall 1.3.9a
- Roles up the fix for broken
- tunnels.
-
-
-9/30/2002 - TUNNELS Broken in 1.3.9!!!
- There is an updated firewall
- script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall
- -- copy that file to /usr/lib/shorewall/firewall.
+
+ 9/30/2002 - Shorewall
+1.3.9a
+ Roles up the fix for
+broken tunnels.
+9/30/2002 - TUNNELS Broken in 1.3.9!!!
+ There is an updated firewall
+ script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall
+ -- copy that file to /usr/lib/shorewall/firewall.
+
+
9/28/2002 - Shorewall 1.3.9
-
+
In this version:
-
+
-
+
- - DNS Names are
-now allowed in Shorewall config files (although I recommend against
- using them).
- - The connection
- SOURCE may now be qualified by both interface and
- IP address in a Shorewall
-rule.
- - Shorewall startup
- is now disabled after initial installation until
- the file /etc/shorewall/startup_disabled is removed. This avoids
- nasty surprises during reboot for users who install Shorewall
- but don't configure it.
- - The 'functions'
- and 'version' files and the 'firewall' symbolic link
- have been moved from /var/lib/shorewall to /usr/lib/shorewall
+
- DNS Names are
+ now allowed in Shorewall config files (although I recommend against
+ using them).
+ - The connection
+ SOURCE may now be qualified by both interface and
+ IP address in a Shorewall rule.
+ - Shorewall
+startup is now disabled after initial installation
+ until the file /etc/shorewall/startup_disabled is removed.
+ This avoids nasty surprises during reboot for users who
+ install Shorewall but don't configure it.
+ - The 'functions'
+ and 'version' files and the 'firewall' symbolic link
+ have been moved from /var/lib/shorewall to /usr/lib/shorewall
to appease the LFS police at Debian.
-
+
-
+
-
-9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
- Restored
-
- ![]()
9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
+ Restored
+
+ 
- A couple of recent
- configuration changes at www.shorewall.net broke
- the Search facility:
+ A couple of recent
+ configuration changes at www.shorewall.net broke
+ the Search facility:
-
-
+
+
-
+
+ - Mailing
+List Archive Search was not available.
+ - The Site
+Search index was incomplete
+ - Only one
+page of matches was presented.
+
+
+
+
+
+
+ Hopefully these
+ problems are now corrected.
+
+9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
+ Restored
+
+ A couple of recent
+ configuration changes at www.shorewall.net had the
+ negative effect of breaking the Search facility:
+
+
+
- Mailing List
Archive Search was not available.
- The Site
@@ -1071,2027 +1138,2003 @@ Search index was incomplete
- Only one
page of matches was presented.
-
-
-
-
-
- Hopefully these
- problems are now corrected.
-
-9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
- Restored
-
- A couple of recent
- configuration changes at www.shorewall.net had the
- negative effect of breaking the Search facility:
-
-
-
- - Mailing List
- Archive Search was not available.
- - The Site Search
- index was incomplete
- - Only one page
- of matches was presented.
-
-
+
- Hopefully these
+ Hopefully these
problems are now corrected.
-
-9/18/2002 - Debian 1.3.8 Packages Available
-
-
+9/18/2002 - Debian 1.3.8 Packages Available
+
+
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
9/16/2002 - Shorewall 1.3.8
-
+
In this version:
-
+
-
+
- - A NEWNOTSYN option has been
- added to shorewall.conf. This option determines whether Shorewall
- accepts TCP packets which are not part of an established
- connection and that are not 'SYN' packets (SYN flag on
- and ACK flag off).
- - The need
- for the 'multi' option to communicate between zones
- za and zb on the same interface is removed in the case
- where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will
+
- A NEWNOTSYN option has been
+ added to shorewall.conf. This option determines whether Shorewall
+ accepts TCP packets which are not part of an established
+ connection and that are not 'SYN' packets (SYN flag
+ on and ACK flag off).
+ - The need
+ for the 'multi' option to communicate between zones
+ za and zb on the same interface is removed in the case
+ where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will
exist if:
-
+
- -
- There is a policy for za to zb; or
- - There
+
-
+ There is a policy for za to zb; or
+ - There
is at least one rule for za to zb.
-
+
-
+
-
+
- - The /etc/shorewall/blacklist
- file now contains three columns. In addition
-to the SUBNET/ADDRESS column, there are optional PROTOCOL
- and PORT columns to block only certain applications from
+
- The /etc/shorewall/blacklist
+ file now contains three columns. In addition to
+ the SUBNET/ADDRESS column, there are optional PROTOCOL
+ and PORT columns to block only certain applications from
the blacklisted addresses.
-
+
-
+
-
+
9/11/2002 - Debian 1.3.7c Packages Available
-
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
9/2/2002 - Shorewall 1.3.7c
-
-This is a role up of a fix for "DNAT" rules where the source zone is $FW
+
+
This is a role up of a fix for "DNAT" rules where the source zone is $FW
(fw).
-
+
8/31/2002 - I'm not available
-
-I'm currently on vacation -- please respect my need for a couple of
-weeks free of Shorewall problem reports.
+
+I'm currently on vacation -- please respect my need for a couple of
+ weeks free of Shorewall problem reports.
-
+
-Tom
-
+
8/26/2002 - Shorewall 1.3.7b
-
-This is a role up of the "shorewall refresh" bug fix and the change which
- reverses the order of "dhcp" and "norfc1918"
+
+
This is a role up of the "shorewall refresh" bug fix and the change which
+ reverses the order of "dhcp" and "norfc1918"
checking.
-
+
8/26/2002 - French FTP Mirror is Operational
-
+
ftp://france.shorewall.net/pub/mirrors/shorewall
+ href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall
is now available.
-
+
8/25/2002 - Shorewall Mirror in France
-
-Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored
+
+
Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored
at http://france.shorewall.net.
-
+
8/25/2002 - Shorewall 1.3.7a Debian Packages Available
-
-Lorenzo Martignoni reports that the packages for version 1.3.7a are available
+
+
Lorenzo Martignoni reports that the packages for version 1.3.7a are available
at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
-8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author
+
+
8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author
-- Shorewall 1.3.7a released
-
+
-
-1.3.7a corrects problems occurring in rules file processing when starting
+
+
1.3.7a corrects problems occurring in rules file processing when starting
Shorewall 1.3.7.
-
+
8/22/2002 - Shorewall 1.3.7 Released 8/13/2002
-
+
Features in this release include:
-
+
- - The 'icmp.def'
- file is now empty! The rules in that file were required
- in ipchains firewalls but are not required in Shorewall.
- Users who have ALLOWRELATED=No in shorewall.conf should see
-the Upgrade Issues.
- - A 'FORWARDPING'
- option has been added to shorewall.conf. The effect
- of setting this variable to Yes is the same as
- the effect of adding an ACCEPT rule for ICMP echo-request
- in /etc/shorewall/icmpdef.
- Users who have such a rule in icmpdef are encouraged
- to switch to FORWARDPING=Yes.
- - The loopback
- CLASS A Network (127.0.0.0/8) has been added to
- the rfc1918 file.
- - Shorewall
- now works with iptables 1.2.7
- - The documentation
- and web site no longer uses FrontPage themes.
+ - The
+'icmp.def' file is now empty! The rules in that file
+ were required in ipchains firewalls but are not required
+ in Shorewall. Users who have ALLOWRELATED=No in
+ shorewall.conf should see
+ the Upgrade Issues.
+ - A 'FORWARDPING'
+ option has been added to shorewall.conf. The effect
+ of setting this variable to Yes is the same as
+ the effect of adding an ACCEPT rule for ICMP echo-request
+ in /etc/shorewall/icmpdef.
+ Users who have such a rule in icmpdef are
+encouraged to switch to FORWARDPING=Yes.
+ - The
+loopback CLASS A Network (127.0.0.0/8) has been added
+ to the rfc1918 file.
+ - Shorewall
+ now works with iptables 1.2.7
+ - The
+documentation and web site no longer uses FrontPage
+ themes.
-
+
-
-I would like to thank John Distler for his valuable input regarding TCP
- SYN and ICMP treatment in Shorewall. That
-input has led to marked improvement in Shorewall
+
+
I would like to thank John Distler for his valuable input regarding TCP
+ SYN and ICMP treatment in Shorewall. That
+input has led to marked improvement in Shorewall
in the last two releases.
-
+
8/13/2002 - Documentation in the CVS Repository
-
-The Shorewall-docs project now contains just the HTML and image files
-- the Frontpage files have been removed.
+
+The Shorewall-docs project now contains just the HTML and image files -
+the Frontpage files have been removed.
-
+
8/7/2002 - STABLE branch added to CVS Repository
-
-This branch will only be updated after I release a new version of Shorewall
- so you can always update from this branch
+
+
This branch will only be updated after I release a new version of Shorewall
+ so you can always update from this branch
to get the latest stable tree.
-
-8/7/2002 - Upgrade Issues section
-added to the Errata Page
+
+8/7/2002 - Upgrade Issues section added
+ to the Errata Page
-
-Now there is one place to go to look for issues involved with upgrading
+
+
Now there is one place to go to look for issues involved with upgrading
to recent versions of Shorewall.
-
+
8/7/2002 - Shorewall 1.3.6
-
+
This is primarily a bug-fix rollup with a couple of new features:
-
+
+ The
+processing of "New not SYN" packets may be extended
+ by commands in the new newnotsyn extension script.
+
+
+
7/30/2002 - Shorewall 1.3.5b Released
-
+
This interim release:
-
+
-
+
7/29/2002 - New Shorewall Setup Guide Available
-
+
The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm.
- The guide is intended for use by people who
- are setting up Shorewall to manage multiple public
- IP addresses and by people who want to learn more about
- Shorewall than is described in the single-address guides.
+ href="http://www.shorewall.net/shorewall_setup_guide.htm"> http://www.shorewall.net/shorewall_setup_guide.htm.
+ The guide is intended for use by people who
+ are setting up Shorewall to manage multiple public
+ IP addresses and by people who want to learn more about
+ Shorewall than is described in the single-address guides.
Feedback on the new guide is welcome.
-
+
7/28/2002 - Shorewall 1.3.5 Debian Package Available
-
-Lorenzo Martignoni reports that the packages are version 1.3.5a and are
+
+
Lorenzo Martignoni reports that the packages are version 1.3.5a and are
available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
7/27/2002 - Shorewall 1.3.5a Released
-
+
This interim release restores correct handling of REDIRECT rules.
-
+
7/26/2002 - Shorewall 1.3.5 Released
-
-This will be the last Shorewall release for a while. I'm going to be
-focusing on rewriting a lot of the documentation.
+
+This will be the last Shorewall release for a while. I'm going to be
+ focusing on rewriting a lot of the documentation.
-
+
In this version:
-
+
- - Empty
-and invalid source and destination qualifiers are
-now detected in the rules file. It is a good idea to use
- the 'shorewall check' command before you issue a 'shorewall
- restart' command be be sure that you don't have any configuration
- problems that will prevent a successful restart.
- - Added
- MERGE_HOSTS variable in shorewall.conf to provide
- saner behavior of the /etc/shorewall/hosts
-file.
- - The time
- that the counters were last reset is now displayed
- in the heading of the 'status' and 'show' commands.
- - A proxyarp
- option has been added for entries in
- /etc/shorewall/interfaces.
- This option facilitates Proxy ARP sub-netting as described
- in the Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/).
- Specifying the proxyarp option for an interface
+
- Empty
+ and invalid source and destination qualifiers are
+ now detected in the rules file. It is a good idea to
+use the 'shorewall check' command before you issue
+ a 'shorewall restart' command be be sure that you don't have
+any configuration problems that will prevent a successful
+ restart.
+ - Added
+ MERGE_HOSTS variable in shorewall.conf to provide
+ saner behavior of the /etc/shorewall/hosts
+ file.
+ - The
+time that the counters were last reset is now displayed
+ in the heading of the 'status' and 'show' commands.
+ - A proxyarp
+ option has been added for entries in
+ /etc/shorewall/interfaces.
+ This option facilitates Proxy ARP sub-netting as described
+ in the Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/).
+ Specifying the proxyarp option for an interface
causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
- - The Samples
- have been updated to reflect the new capabilities
- in this release.
-
-
-
+ The
+Samples have been updated to reflect the new capabilities
+ in this release.
+
+
+
7/16/2002 - New Mirror in Argentina
-
-Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in
+
+
Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in
Argentina. Thanks Buanzo!!!
-
+
7/16/2002 - Shorewall 1.3.4 Released
-
+
In this version:
-
+
- - A new
- /etc/shorewall/routestopped
- file has been added. This file is intended to
- eventually replace the routestopped option
- in the /etc/shorewall/interface and /etc/shorewall/hosts
- files. This new file makes remote firewall administration
- easier by allowing any IP or subnet to be enabled while
- Shorewall is stopped.
- - An /etc/shorewall/stopped
- extension script
- has been added. This script is invoked after Shorewall
- has stopped.
- - A DETECT_DNAT_ADDRS
+
- A new
+ /etc/shorewall/routestopped
+ file has been added. This file is intended to
+ eventually replace the routestopped option
+ in the /etc/shorewall/interface and /etc/shorewall/hosts
+ files. This new file makes remote firewall administration
+ easier by allowing any IP or subnet to be enabled while
+ Shorewall is stopped.
+ - An /etc/shorewall/stopped
+ extension script
+ has been added. This script is invoked after Shorewall
+ has stopped.
+ - A DETECT_DNAT_ADDRS
option has been added to /etc/shoreall/shorewall.conf.
- When this option is selected, DNAT rules only apply when
- the destination address is the external interface's
+ href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf.
+ When this option is selected, DNAT rules only apply when
+ the destination address is the external interface's
primary IP address.
- - The QuickStart Guide has
- been broken into three guides and has been almost
- entirely rewritten.
- - The Samples
- have been updated to reflect the new capabilities
- in this release.
-
-
-
+ The
+ QuickStart Guide
+ has been broken into three guides and has been
+almost entirely rewritten.
+ The
+Samples have been updated to reflect the new capabilities
+ in this release.
+
+
+
7/8/2002 - Shorewall 1.3.3 Debian Package Available
-
+
Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
7/6/2002 - Shorewall 1.3.3 Released
-
+
In this version:
-
+
- - Entries
- in /etc/shorewall/interface that use the wildcard
-character ("+") now have the "multi" option assumed.
- - The 'rfc1918'
- chain in the mangle table has been renamed 'man1918'
- to make log messages generated from that chain distinguishable
- from those generated by the 'rfc1918' chain in
- the filter table.
- - Interface
- names appearing in the hosts file are now validated
- against the interfaces file.
- - The TARGET
- column in the rfc1918 file is now checked for correctness.
- - The chain
- structure in the nat table has been changed to reduce
- the number of rules that a packet must traverse and to
- correct problems with NAT_BEFORE_RULES=No
- - The "hits"
- command has been enhanced.
-
-
-
+ Entries
+ in /etc/shorewall/interface that use the wildcard
+ character ("+") now have the "multi" option assumed.
+ The
+'rfc1918' chain in the mangle table has been renamed
+ 'man1918' to make log messages generated from that
+chain distinguishable from those generated by the
+ 'rfc1918' chain in the filter table.
+ Interface
+ names appearing in the hosts file are now validated
+ against the interfaces file.
+ The
+TARGET column in the rfc1918 file is now checked for
+ correctness.
+ The
+chain structure in the nat table has been changed
+ to reduce the number of rules that a packet must traverse
+ and to correct problems with NAT_BEFORE_RULES=No
+ The
+"hits" command has been enhanced.
+
+
+
6/25/2002 - Samples Updated for 1.3.2
-
-The comments in the sample configuration files have been updated to reflect
+
+
The comments in the sample configuration files have been updated to reflect
new features introduced in Shorewall 1.3.2.
-
+
6/25/2002 - Shorewall 1.3.1 Debian Package Available
-
+
Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
6/19/2002 - Documentation Available in PDF Format
-
-Thanks to Mike Martinez, the Shorewall Documentation is now available
-for download in Adobe PDF format.
+
+Thanks to Mike Martinez, the Shorewall Documentation is now available for
+ download in Adobe
+ PDF format.
-
+
6/16/2002 - Shorewall 1.3.2 Released
-
+
In this version:
-
+
+ A logwatch command has
+been added to /sbin/shorewall.
+ A dynamic blacklist facility
+ has been added.
+ Support
+ for the Netfilter multiport
+ match function has been added.
+ The
+files firewall, functions and version
+ have been moved from /etc/shorewall to /var/lib/shorewall.
+
+
+
6/6/2002 - Why CVS Web access is Password Protected
-
-Last weekend, I installed the CVS Web package to provide brower-based
-access to the Shorewall CVS repository. Since then, I have had several
-instances where my server was almost unusable due to the high load generated
-by website copying tools like HTTrack and WebStripper. These mindless tools:
+
+Last weekend, I installed the CVS Web package to provide brower-based access
+ to the Shorewall CVS repository. Since then, I have had several instances
+where my server was almost unusable due to the high load generated by website
+copying tools like HTTrack and WebStripper. These mindless tools:
-
+
- - Ignore
+
- Ignore
robot.txt files.
- - Recursively
- copy everything that they find.
- - Should
+
- Recursively
+ copy everything that they find.
+ - Should
be classified as weapons rather than tools.
-
+
-
-These tools/weapons are particularly damaging when combined with CVS Web
- because they doggedly follow every link in
- the cgi-generated HTML resulting in 1000s of
-executions of the cvsweb.cgi script. Yesterday, I spend
- several hours implementing measures to block these tools
- but unfortunately, these measures resulted in my server
- OOM-ing under even moderate load.
+
+These tools/weapons are particularly damaging when combined with CVS Web
+ because they doggedly follow every link in
+ the cgi-generated HTML resulting in 1000s of executions
+ of the cvsweb.cgi script. Yesterday, I spend several
+ hours implementing measures to block these tools but unfortunately,
+ these measures resulted in my server OOM-ing under
+ even moderate load.
-
-Until I have the time to understand the cause of the OOM (or until I buy
- more RAM if that is what is required), CVS
+
+
Until I have the time to understand the cause of the OOM (or until I buy
+ more RAM if that is what is required), CVS
Web access will remain Password Protected.
-
+
6/5/2002 - Shorewall 1.3.1 Debian Package Available
-
+
Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
6/2/2002 - Samples Corrected
-
-The 1.3.0 samples configurations had several serious problems that prevented
- DNS and SSH from working properly. These
-problems have been corrected in the The 1.3.0 samples configurations had several serious problems that prevented
+ DNS and SSH from working properly. These problems
+ have been corrected in the 1.3.1 samples.
-
+
6/1/2002 - Shorewall 1.3.1 Released
-
+
Hot on the heels of 1.3.0, this release:
-
+
-
+
5/29/2002 - Shorewall 1.3.0 Released
-
-In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0
- includes:
+
+In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0
+ includes:
-
+
- - A 'filterping'
- interface option that allows ICMP echo-request
-(ping) requests addressed to the firewall to be handled
- by entries in /etc/shorewall/rules and /etc/shorewall/policy.
-
-
-
+ A 'filterping'
+ interface option that allows ICMP echo-request (ping)
+ requests addressed to the firewall to be handled by
+ entries in /etc/shorewall/rules and /etc/shorewall/policy.
+
+
+
5/23/2002 - Shorewall 1.3 RC1 Available
-
-In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92)
- incorporates the following:
+
+In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92)
+ incorporates the following:
-
+
-
+
5/19/2002 - Shorewall 1.3 Beta 2 Available
-
-In addition to the changes in Beta 1, this release which carries the
-designation 1.2.91 adds:
+
+In addition to the changes in Beta 1, this release which carries the
+ designation 1.2.91 adds:
-
+
-
+
5/17/2002 - Shorewall 1.3 Beta 1 Available
-
-Beta 1 carries the version designation 1.2.90 and implements the following
+
+
Beta 1 carries the version designation 1.2.90 and implements the following
features:
-
+
- - Simplified
- rule syntax which makes the intent of each rule clearer
+
- Simplified
+ rule syntax which makes the intent of each rule clearer
and hopefully makes Shorewall easier to learn.
- - Upward
- compatibility with 1.2 configuration files has been
- maintained so that current users can migrate to the
+
- Upward
+ compatibility with 1.2 configuration files has been
+ maintained so that current users can migrate to the
new syntax at their convenience.
- - WARNING: Compatibility with the old
- parameterized sample configurations has NOT been maintained.
- Users still running those configurations should migrate
- to the new sample configurations before upgrading
- to 1.3 Beta 1.
-
-
-
+ WARNING: Compatibility with the old
+ parameterized sample configurations has NOT been maintained.
+ Users still running those configurations should migrate
+ to the new sample configurations before upgrading
+ to 1.3 Beta 1.
+
+
+
5/4/2002 - Shorewall 1.2.13 is Available
-
+
In this version:
-
+
+ SYN-flood protection is
+ added.
+ IP addresses
+ added under ADD_IP_ALIASES
+ and ADD_SNAT_ALIASES now inherit the VLSM
+ and Broadcast Address of the interface's primary
+ IP address.
+ The
+order in which port forwarding DNAT and Static DNAT
+ can now be reversed
+ so that port forwarding rules can override the contents
+of /etc/shorewall/nat.
+
+
+
4/30/2002 - Shorewall Debian News
-
-Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the
-Debian
- Testing Branch and the Debian
- Unstable Branch.
+
+Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the Debian
+Testing Branch and the Debian
+Unstable Branch.
-
+
4/20/2002 - Shorewall 1.2.12 is Available
-
+
- - The 'try'
- command works again
- - There
-is now a single RPM that also works with SuSE.
-
-
-
+ The
+'try' command works again
+ There
+ is now a single RPM that also works with SuSE.
+
+
+
4/17/2002 - Shorewall Debian News
-
+
Lorenzo Marignoni reports that:
-
+
+ Shorewall
+ 1.2.10 is in the Debian
+ Testing Branch
+ Shorewall
+ 1.2.11 is in the Debian
+ Unstable Branch
+
+
+
Thanks, Lorenzo!
-
+
4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE
-
-Thanks to Stefan Mohr, there
+
+
Thanks to Stefan Mohr, there
is now a Shorewall 1.2.11
- SuSE RPM available.
+ href="http://www.shorewall.net/pub/shorewall/shorewall-1.2-11.i686.suse73.rpm">
+ SuSE RPM available.
-
+
4/13/2002 - Shorewall 1.2.11 Available
-
+
In this version:
-
+
-
+
4/13/2002 - Hamburg Mirror now has FTP
-
+
Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall.
+ href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall.
Thanks Stefan!
-
+
4/12/2002 - New Mirror in Hamburg
-
-Thanks to Stefan Mohr, there
- is now a mirror of the Shorewall website
-at http://germany.shorewall.net.
+
+
Thanks to Stefan Mohr, there
+ is now a mirror of the Shorewall website at
+ http://germany.shorewall.net.
-
+
4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available
-
-Version 1.1 of the QuickStart
- Guide is now available. Thanks to those
- who have read version 1.0 and offered their suggestions.
+
+
Version 1.1 of the QuickStart
+ Guide is now available. Thanks to those
+ who have read version 1.0 and offered their suggestions.
Corrections have also been made to the sample scripts.
-
+
4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available
-
-Version 1.0 of the QuickStart
- Guide is now available. This Guide and
- its accompanying sample configurations are expected
- to provide a replacement for the recently withdrawn
-parameterized samples.
+
+Version 1.0 of the QuickStart
+ Guide is now available. This Guide and
+ its accompanying sample configurations are expected
+ to provide a replacement for the recently withdrawn parameterized
+ samples.
-
+
4/8/2002 - Parameterized Samples Withdrawn
-
+
Although the parameterized
- samples have allowed people to get a
-firewall up and running quickly, they have unfortunately
- set the wrong level of expectation among those who
-have used them. I am therefore withdrawing support for
-the samples and I am recommending that they not be used in
-new Shorewall installations.
+ href="http://www.shorewall.net/pub/shorewall/samples-1.2.1/">parameterized
+ samples have allowed people to get a firewall
+ up and running quickly, they have unfortunately
+ set the wrong level of expectation among those who
+have used them. I am therefore withdrawing support for the
+samples and I am recommending that they not be used in new
+ Shorewall installations.
-
+
4/2/2002 - Updated Log Parser
-
-John Lodge has provided an updated
+
+
John Lodge has provided an updated
version of his CGI-based log parser
- with corrected date handling.
+ href="pub/shorewall/parsefw/">CGI-based log parser
+ with corrected date handling.
-
+
3/30/2002 - Shorewall Website Search Improvements
-
-The quick search on the home page now excludes the mailing list archives.
- The Extended
-Search allows excluding the archives or
-restricting the search to just the archives. An archive
- search form is also available on the mailing list information
+
+The quick search on the home page now excludes the mailing list archives.
+ The Extended Search
+ allows excluding the archives or restricting
+the search to just the archives. An archive search
+form is also available on the mailing list information
page.
-
+
3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)
-
+
+ Shorewall
+ 1.2.9 is now in the Debian
+ Unstable Distribution.
+
+
+
3/25/2002 - Log Parser Available
-
+
John Lodge has provided a CGI-based log parser for Shorewall. Thanks
+ href="pub/shorewall/parsefw/">CGI-based log parser
for Shorewall. Thanks
John.
-
+
3/20/2002 - Shorewall 1.2.10 Released
-
+
In this version:
-
+
- - A "shorewall
- try" command has been added (syntax: shorewall
-try <configuration directory>).
- This command attempts "shorewall -c <configuration
-directory> start" and if that results in the firewall
- being stopped due to an error, a "shorewall start" command
- is executed. The 'try' command allows you to create a new
- configuration and
-attempt to start it; if there is an error that leaves your
- firewall in the stopped state, it will automatically be restarted
- using the default configuration (in /etc/shorewall).
- - A new
-variable ADD_SNAT_ALIASES has been added to /etc/shorewall/shorewall.conf.
- If this variable is set to "Yes", Shorewall will automatically
- add IP addresses listed in the third column of
-the /etc/shorewall/masq
-file.
- - Copyright
- notices have been added to the documenation.
-
-
-
+ A "shorewall
+ try" command has been added (syntax: shorewall try
+ <configuration directory>). This
+ command attempts "shorewall -c <configuration
+directory> start" and if that results in the firewall
+ being stopped due to an error, a "shorewall start" command
+ is executed. The 'try' command allows you to create a new
+ configuration and attempt
+ to start it; if there is an error that leaves your firewall
+ in the stopped state, it will automatically be restarted using
+ the default configuration (in /etc/shorewall).
+ A new
+ variable ADD_SNAT_ALIASES has been added to /etc/shorewall/shorewall.conf.
+ If this variable is set to "Yes", Shorewall will
+automatically add IP addresses listed in the third
+ column of the /etc/shorewall/masq
+ file.
+ Copyright
+ notices have been added to the documenation.
+
+
+
3/11/2002 - Shorewall 1.2.9 Released
-
+
In this version:
-
+
+
+
+
+3/1/2002 - 1.2.8 Debian Package is Available
+
+
+
+See http://security.dsi.unimi.it/~lorenzo/debian.html
+
+
+
+2/25/2002 - New Two-interface Sample
+
+
+I've enhanced the two interface sample to allow access from the firewall
+ to servers in the local zone -
+ http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz
+
+
+2/23/2002 - Shorewall 1.2.8 Released
+
+
+
+Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
+ problems associated with the lock file used to prevent multiple state-changing
+ operations from occuring simultaneously. My
+ apologies for any inconvenience my carelessness
+ may have caused.
+
+
+
+2/22/2002 - Shorewall 1.2.7 Released
+
+
+
+In this version:
+
+
+
+
+ - UPnP
+probes (UDP destination port 1900) are now silently
+ dropped in the common chain
+ - RFC
+1918 checking in the mangle table has been streamlined
+ to no longer require packet marking. RFC 1918 checking
+ in the filter table has been changed to require half as
+ many rules as previously.
+ - A 'shorewall
+ check' command has been added that does a cursory
+ validation of the zones, interfaces, hosts, rules and
+ policy files.
+
+
+
+
+
+
+2/18/2002 - 1.2.6 Debian Package is Available
+
+
+
+See http://security.dsi.unimi.it/~lorenzo/debian.html
+
+
+
+2/8/2002 - Shorewall 1.2.6 Released
+
+
+
+In this version:
+
+
+
+
+ - $-variables
+ may now be used anywhere in the configuration files
+ except /etc/shorewall/zones.
+ - The
+interfaces and hosts files now have their contents
+ validated before any changes are made to the existing
+ Netfilter configuration. The appearance of a zone
+name that isn't defined in /etc/shorewall/zones causes "shorewall
+ start" and "shorewall restart" to abort without changing
+ the Shorewall state. Unknown options in either file cause
+a warning to be issued.
+ - A problem
+ occurring when BLACKLIST_LOGLEVEL was not set has
+ been corrected.
+
+
+
+
+
+2/4/2002 - Shorewall 1.2.5 Debian Package Available
+
+
+
+see http://security.dsi.unimi.it/~lorenzo/debian.html
+
+
+
+2/1/2002 - Shorewall 1.2.5 Released
+
+
+
+Due to installation problems with Shorewall 1.2.4, I have released Shorewall
+ 1.2.5. Sorry for the rapid-fire development.
+
+
+
+In version 1.2.5:
+
+
+
+
+ - The installation
+ problems have been corrected.
+ - SNAT is now supported.
+ - A "shorewall
+ version" command has been added
+ - The default
+ value of the STATEDIR variable in /etc/shorewall/shorewall.conf
+ has been changed to /var/lib/shorewall in order
+ to conform to the GNU/Linux File Hierarchy Standard,
+ Version 2.2.
+
+
+
+
+
+1/28/2002 - Shorewall 1.2.4 Released
+
+
+
+
+ - The "fw"
+ zone may now be given a
+ different name.
+ - You may
+ now place end-of-line comments (preceded by '#') in
+ any of the configuration files
+ - There
+is now protection against against two state changing
+ operations occuring concurrently. This is implemented
+ using the 'lockfile' utility if it is available
+ (lockfile is part of procmail); otherwise, a less robust
+ technique is used. The lockfile is created in the STATEDIR
+ defined in /etc/shorewall/shorewall.conf and has the
+name "lock".
+ - "shorewall
+ start" no longer fails if "detect" is specified
+ in /etc/shorewall/interfaces
+ for an interface with subnet mask 255.255.255.255.
+
+
+
+
+
+1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html
+
+
+
+1/20/2002 - Corrected firewall script available
+
+
+
+Corrects a problem with BLACKLIST_LOGLEVEL. See the
+ errata for details.
+
+
+
+1/19/2002 - Shorewall 1.2.3 Released
+
+
+
+This is a minor feature and bugfix release. The single new feature is:
+
+
+
+
+ - Support
+ for TCP MSS Clamp to PMTU -- This support is usually
+ required when the internet connection is via PPPoE
+ or PPTP and may be enabled using the CLAMPMSS option in /etc/shorewall/shorewall.conf.
+
+
+
+
+
+The following problems were corrected:
+
+
+
+ - The "shorewall
+ status" command no longer hangs.
+ - The "shorewall
+ monitor" command now displays the icmpdef chain
+ - The CLIENT
+ PORT(S) column in tcrules is no longer ignored
+
+
+
+
+
+1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release
+
+
+
+Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution
+ that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo
+ for details.
+
+
+
+1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2
+ Shorewall Debian package is now available. There
+ is a link to Lorenzo's site from the Shorewall download page.
+
+
+
+1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores
+ the "shorewall status" command to health.
+
+
+
+1/8/2002 - Shorewall 1.2.2 Released
+
+
+
+In version 1.2.2
+
+
+
+
+ - Support
+ for IP blacklisting has been added
+
+
+
+
+
+ - You
+specify whether you want packets from blacklisted
+hosts dropped or rejected using the BLACKLIST_DISPOSITION
+ setting in /etc/shorewall/shorewall.conf
+ - You
+specify whether you want packets from blacklisted
+hosts logged and at what syslog level using the
+ BLACKLIST_LOGLEVEL
+ setting in /etc/shorewall/shorewall.conf
+ - You
+list the IP addresses/subnets that you wish to blacklist
+ in /etc/shorewall/blacklist
+ - You
+specify the interfaces you want checked against the
+ blacklist using the new "blacklist" option
+ in /etc/shorewall/interfaces.
+ - The
+black list is refreshed from /etc/shorewall/blacklist
+ by the "shorewall refresh" command.
+
-
- - Several
- bugs have been fixed
- - The 1.2.9
- Debian Package is also available at http://security.dsi.unimi.it/~lorenzo/debian.html.
+ - Use of
+ TCP RST replies has been expanded
-
-
-
-3/1/2002 - 1.2.8 Debian Package is Available
-
-
-
-See http://security.dsi.unimi.it/~lorenzo/debian.html
-
-
-
-2/25/2002 - New Two-interface Sample
-
-
-I've enhanced the two interface sample to allow access from the firewall
- to servers in the local zone -
- http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz
-
-
-2/23/2002 - Shorewall 1.2.8 Released
-
-
-
-Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
- problems associated with the lock file used to prevent multiple state-changing
- operations from occuring simultaneously.
-My apologies for any inconvenience my carelessness
- may have caused.
-
-
-
-2/22/2002 - Shorewall 1.2.7 Released
-
-
-
-In this version:
-
-
-
-
- - UPnP
-probes (UDP destination port 1900) are now silently
- dropped in the common chain
- - RFC 1918
- checking in the mangle table has been streamlined
- to no longer require packet marking. RFC 1918 checking
- in the filter table has been changed to require half
-as many rules as previously.
- - A 'shorewall
- check' command has been added that does a cursory
- validation of the zones, interfaces, hosts, rules
-and policy files.
-
-
-
-
-
-
-2/18/2002 - 1.2.6 Debian Package is Available
-
-
-
-See http://security.dsi.unimi.it/~lorenzo/debian.html
-
-
-
-2/8/2002 - Shorewall 1.2.6 Released
-
-
-
-In this version:
-
-
-
-
- - $-variables
- may now be used anywhere in the configuration files
- except /etc/shorewall/zones.
- - The interfaces
- and hosts files now have their contents validated
- before any changes are made to the existing Netfilter
- configuration. The appearance of a zone name that isn't
- defined in /etc/shorewall/zones causes "shorewall
-start" and "shorewall restart" to abort without changing
- the Shorewall state. Unknown options in either file cause
-a warning to be issued.
- - A problem
- occurring when BLACKLIST_LOGLEVEL was not set has
- been corrected.
-
-
-
-
-
-2/4/2002 - Shorewall 1.2.5 Debian Package Available
-
-
-
-see http://security.dsi.unimi.it/~lorenzo/debian.html
-
-
-
-2/1/2002 - Shorewall 1.2.5 Released
-
-
-
-Due to installation problems with Shorewall 1.2.4, I have released Shorewall
- 1.2.5. Sorry for the rapid-fire development.
-
-
-
-In version 1.2.5:
-
-
-
-
- - The installation
- problems have been corrected.
- - SNAT is now supported.
- - A "shorewall
- version" command has been added
- - The default
- value of the STATEDIR variable in /etc/shorewall/shorewall.conf
- has been changed to /var/lib/shorewall in
-order to conform to the GNU/Linux File Hierarchy Standard,
- Version 2.2.
-
-
-
-
-
-1/28/2002 - Shorewall 1.2.4 Released
-
-
-
-
- - The "fw"
- zone may now be given a
- different name.
- - You may
- now place end-of-line comments (preceded by '#')
-in any of the configuration files
- - There
-is now protection against against two state changing
- operations occuring concurrently. This is implemented
- using the 'lockfile' utility if it is available
-(lockfile is part of procmail); otherwise, a less robust
- technique is used. The lockfile is created in the STATEDIR
- defined in /etc/shorewall/shorewall.conf and has the name
- "lock".
- - "shorewall
- start" no longer fails if "detect" is specified
- in /etc/shorewall/interfaces
- for an interface with subnet mask 255.255.255.255.
-
-
-
-
-
-1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html
-
-
-
-1/20/2002 - Corrected firewall script available
-
-
-
-Corrects a problem with BLACKLIST_LOGLEVEL. See the
- errata for details.
-
-
-
-1/19/2002 - Shorewall 1.2.3 Released
-
-
-
-This is a minor feature and bugfix release. The single new feature is:
-
-
-
-
- - Support
- for TCP MSS Clamp to PMTU -- This support is usually
- required when the internet connection is via PPPoE
- or PPTP and may be enabled using the CLAMPMSS option in /etc/shorewall/shorewall.conf.
-
-
-
-
-
-The following problems were corrected:
-
-
-
- - The "shorewall
- status" command no longer hangs.
- - The "shorewall
- monitor" command now displays the icmpdef chain
- - The CLIENT
- PORT(S) column in tcrules is no longer ignored
-
-
-
-
-
-1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release
-
-
-
-Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution
- that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo
- for details.
-
-
-
-1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2
- Shorewall Debian package is now available.
-There is a link to Lorenzo's site from the Shorewall download page.
-
-
-
-1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores
- the "shorewall status" command to health.
-
-
-
-1/8/2002 - Shorewall 1.2.2 Released
-
-
-
-In version 1.2.2
-
-
-
-
- - Support
- for IP blacklisting has been added
-
-
-
-
+
- - You
-specify whether you want packets from blacklisted
- hosts dropped or rejected using the BLACKLIST_DISPOSITION
- setting in /etc/shorewall/shorewall.conf
- - You
-specify whether you want packets from blacklisted
- hosts logged and at what syslog level using the
- BLACKLIST_LOGLEVEL
- setting in /etc/shorewall/shorewall.conf
- - You
-list the IP addresses/subnets that you wish to blacklist
- in /etc/shorewall/blacklist
- - You
-specify the interfaces you want checked against the
- blacklist using the new "blacklist" option
- in /etc/shorewall/interfaces.
- - The
-black list is refreshed from /etc/shorewall/blacklist
- by the "shorewall refresh" command.
-
-
-
-
-
-
-
- - Use of
-TCP RST replies has been expanded
-
-
-
-
-
- - TCP
-connection requests rejected because of a REJECT policy
+
- TCP
+connection requests rejected because of a REJECT policy
are now replied with a TCP RST packet.
- - TCP
-connection requests rejected because of a protocol=all
- rule in /etc/shorewall/rules are now replied
+
- TCP
+connection requests rejected because of a protocol=all
+ rule in /etc/shorewall/rules are now replied
with a TCP RST packet.
-
-
-
- - A LOGFILE specification
- has been added to /etc/shorewall/shorewall.conf. LOGFILE is used
- to tell the /sbin/shorewall program where to look for Shorewall
- messages.
-
+
+
+
+ A LOGFILE specification
+ has been added to /etc/shorewall/shorewall.conf. LOGFILE is
+used to tell the /sbin/shorewall program where to look for
+Shorewall messages.
+
+
-
+
1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates
- to the previously-released samples. There are
+ target="_blank">version 1.2.0) released. These are minor updates
+ to the previously-released samples. There are
two new rules added:
-
+
- - Unless
-you have explicitly enabled Auth connections (tcp port
- 113) to your firewall, these connections will be REJECTED
- rather than DROPPED. This speeds up connection establishment
- to some servers.
- - Orphan
-DNS replies are now silently dropped.
-
-
-
-
-
-See the README file for upgrade instructions.
+ Unless
+ you have explicitly enabled Auth connections (tcp
+ port 113) to your firewall, these connections will be
+REJECTED rather than DROPPED. This speeds up connection
+ establishment to some servers.
+ Orphan
+ DNS replies are now silently dropped.
+
+
+
+See the README file for upgrade instructions.
+
+
1/1/2002 - Shorewall Mailing List Moving
-
-The Shorewall mailing list hosted at
- Sourceforge is moving to Shorewall.net.
- If you are a current subscriber to the list at Sourceforge,
- please see these
-instructions. If you would like to subscribe
-to the new list, visit The Shorewall mailing list hosted at
+ Sourceforge is moving to Shorewall.net.
+ If you are a current subscriber to the list at Sourceforge,
+ please see these instructions.
+ If you would like to subscribe to the new list,
+ visit http://www.shorewall.net/mailman/listinfo/shorewall-users.
-
+
12/31/2001 - Shorewall 1.2.1 Released
-
+
In version 1.2.1:
-
+
+ 'shorewall
+ show tc' now correctly handles tunnels.
-12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist
-releasing 1.2 on 12/21/2001
-
-
-
-Version 1.2 contains the following new features:
-
-
-
-
-
-For the next month or so, I will continue to provide corrections to version
- 1.1.18 as necessary so that current version
- 1.1.x users will not be forced into a quick upgrade
- to 1.2.0 just to have access to bug fixes.
-
-
-For those of you who have installed one of the Beta RPMS, you will need
- to use the "--oldpackage" option when upgrading
- to 1.2.0:
-
-
-
-
-
- rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm
-
-
-
-
-12/19/2001 - Thanks to Steve
- Cowles, there is now a Shorewall mirror
-in Texas. This web site is mirrored at http://www.infohiiway.com/shorewall
- and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall.
-
-
-
-11/30/2001 - A new set of the parameterized Sample
- Configurations has been released. In this version:
-
-
-
-
- - Ping is
- now allowed between the zones.
- - In the
-three-interface configuration, it is now possible to
- configure the internet services that are to be available
- to servers in the DMZ.
-
-
-
-
-
-11/20/2001 - The current version of Shorewall is 1.1.18.
-
-
-
-In this version:
-
-
-
-
- - The spelling
- of ADD_IP_ALIASES has been corrected in the shorewall.conf
- file
- - The logic
- for deleting user-defined chains has been simplified
- so that it avoids a bug in the LRP version of the 'cut'
- utility.
- - The /var/lib/lrpkg/shorwall.conf
- file has been corrected to properly display
- the NAT entry in that file.
-
-
-
-
-
-
-11/19/2001 - Thanks to Juraj
- Ontkanin, there is now a Shorewall
- mirror in the Slovak Republic. The website is
-now mirrored at http://www.nrg.sk/mirror/shorewall
- and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.
-
-
-
-11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations.
- There are three sample configurations:
-
-
-
-
- - One Interface
- -- for a standalone system.
- - Two Interfaces
- -- A masquerading firewall.
- - Three
-Interfaces -- A masquerading firewall with DMZ.
-
-
-
+
+12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist releasing
+1.2 on 12/21/2001
+Version 1.2 contains the following new features:
+
+
+
+
+
+
+For the next month or so, I will continue to provide corrections to version
+ 1.1.18 as necessary so that current version
+ 1.1.x users will not be forced into a quick upgrade
+ to 1.2.0 just to have access to bug fixes.
+
+
+For those of you who have installed one of the Beta RPMS, you will need
+ to use the "--oldpackage" option when upgrading
+ to 1.2.0:
+
+
+
+
+
+ rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm
+
+
+
+
+12/19/2001 - Thanks to Steve
+ Cowles, there is now a Shorewall mirror
+ in Texas. This web site is mirrored at http://www.infohiiway.com/shorewall
+ and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall.
+
+
+
+11/30/2001 - A new set of the parameterized Sample
+Configurations has been released. In this version:
+
+
+
+
+ - Ping
+is now allowed between the zones.
+ - In the
+ three-interface configuration, it is now possible
+ to configure the internet services that are to be available
+ to servers in the DMZ.
+
+
+
+
+
+11/20/2001 - The current version of Shorewall is 1.1.18.
+
+
+
+In this version:
+
+
+
+
+ - The spelling
+ of ADD_IP_ALIASES has been corrected in the shorewall.conf
+ file
+ - The logic
+ for deleting user-defined chains has been simplified
+ so that it avoids a bug in the LRP version of the 'cut'
+ utility.
+ - The /var/lib/lrpkg/shorwall.conf
+ file has been corrected to properly display
+ the NAT entry in that file.
+
+
+
+
+
+
+11/19/2001 - Thanks to Juraj
+ Ontkanin, there is now a Shorewall
+ mirror in the Slovak Republic. The website is
+ now mirrored at http://www.nrg.sk/mirror/shorewall
+ and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.
+
+
+
+11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations.
+ There are three sample configurations:
+
+
+
+
+ - One Interface
+ -- for a standalone system.
+ - Two Interfaces
+ -- A masquerading firewall.
+ - Three
+Interfaces -- A masquerading firewall with DMZ.
+
+
+
+
+
+
Samples may be downloaded from ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17
- . See the README file for instructions.
+ href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17"> ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17
+ . See the README file for instructions.
-
-11/1/2001 - The current version of Shorewall is 1.1.17. I intend
- this to be the last of the 1.1 Shorewall
- releases.
+
+11/1/2001 - The current version of Shorewall is 1.1.17. I intend
+ this to be the last of the 1.1 Shorewall
+ releases.
-
+
In this version:
-
+
-
-10/22/2001 - The current version of Shorewall is 1.1.16. In this
- version:
+
+10/22/2001 - The current version of Shorewall is 1.1.16. In this
+ version:
-
+
- - A new
+
- A new
"shorewall show connections" command has been added.
- - In the
-"shorewall monitor" output, the currently tracked
- connections are now shown on a separate page.
- - Prior
-to this release, Shorewall unconditionally added the
- external IP adddress(es) specified in /etc/shorewall/nat.
- Beginning with version 1.1.16, a new parameter (ADD_IP_ALIASES) may be
- set to "no" (or "No") to inhibit this behavior.
- This allows IP aliases created using your distribution's
- network configuration tools to be used in static
- NAT.
+ - In the
+ "shorewall monitor" output, the currently tracked
+ connections are now shown on a separate page.
+ - Prior
+to this release, Shorewall unconditionally added the
+ external IP adddress(es) specified in /etc/shorewall/nat.
+ Beginning with version 1.1.16, a new parameter
+(ADD_IP_ALIASES) may
+be set to "no" (or "No") to inhibit this behavior.
+ This allows IP aliases created using your distribution's
+ network configuration tools to be used in static
+ NAT.
-
+
-
-10/15/2001 - The current version of Shorewall is 1.1.15. In this
- version:
+
+10/15/2001 - The current version of Shorewall is 1.1.15. In this
+ version:
+
+
+
+ - Support
+ for nested zones has been improved. See the documentation for
+details
+ - Shorewall
+ now correctly checks the alternate configuration
+ directory for the 'zones' file.
+
+
+
+
+
+10/4/2001 - The current version of Shorewall is 1.1.14. In this
+ version
- - Support
- for nested zones has been improved. See the documentation for details
- - Shorewall
- now correctly checks the alternate configuration
- directory for the 'zones' file.
-
-
-
-
-
-10/4/2001 - The current version of Shorewall is 1.1.14. In this
- version
-
-
-
- - Shorewall
- now supports alternate configuration directories.
- When an alternate directory is specified when starting
- or restarting Shorewall (e.g., "shorewall -c /etc/testconf
- restart"), Shorewall will first look for configuration files
- in the alternate directory then in /etc/shorewall. To
+
- Shorewall
+ now supports alternate configuration directories.
+ When an alternate directory is specified when starting
+ or restarting Shorewall (e.g., "shorewall -c /etc/testconf
+ restart"), Shorewall will first look for configuration files
+ in the alternate directory then in /etc/shorewall. To
create an alternate configuration simply:
- 1. Create
+ 1. Create
a New Directory
- 2. Copy
-to that directory any of your configuration files
-that you want to change.
- 3. Modify
+ 2. Copy
+to that directory any of your configuration files that
+ you want to change.
+ 3. Modify
the copied files as needed.
- 4. Restart
- Shorewall specifying the new directory.
- - The rules
- for allowing/disallowing icmp echo-requests (pings)
- are now moved after rules created when processing
-the rules file. This allows you to add rules that selectively
+ 4. Restart
+ Shorewall specifying the new directory.
+ - The rules
+ for allowing/disallowing icmp echo-requests (pings)
+ are now moved after rules created when processing the
+ rules file. This allows you to add rules that selectively
allow/deny ping based on source or destination address.
- - Rules
-that specify multiple client ip addresses or subnets
- no longer cause startup failures.
- - Zone names
- in the policy file are now validated against the
-zones file.
- - If you
-have packet mangling
- support enabled, the "norfc1918"
-interface option now logs and drops any incoming packets on
-the interface that have an RFC 1918 destination address.
+ - Rules
+that specify multiple client ip addresses or subnets
+ no longer cause startup failures.
+ - Zone
+names in the policy file are now validated against
+ the zones file.
+ - If you
+ have packet mangling
+ support enabled, the "norfc1918" interface
+option now logs and drops any incoming packets on the interface
+ that have an RFC 1918 destination address.
-
+
-
-9/12/2001 - The current version of Shorewall is 1.1.13. In this
+
+
9/12/2001 - The current version of Shorewall is 1.1.13. In this
version
-
+
- - Shell
-variables can now be used to parameterize Shorewall
- rules.
- - The second
- column in the hosts file may now contain a comma-separated
- list.
-
- Example:
- sea
- eth0:130.252.100.0/24,206.191.149.0/24
- - Handling
- of multi-zone interfaces has been improved. See the
- documentation for the
- /etc/shorewall/interfaces file.
+ - Shell
+variables can now be used to parameterize Shorewall
+ rules.
+ - The second
+ column in the hosts file may now contain a comma-separated
+ list.
+
+ Example:
+ sea
+ eth0:130.252.100.0/24,206.191.149.0/24
+ - Handling
+ of multi-zone interfaces has been improved. See the
+ documentation for the
+ /etc/shorewall/interfaces file.
-
+
-
-8/28/2001 - The current version of Shorewall is 1.1.12. In this
+
+
8/28/2001 - The current version of Shorewall is 1.1.12. In this
version
-
+
- - Several
- columns in the rules file may now contain comma-separated
+
- Several
+ columns in the rules file may now contain comma-separated
lists.
- - Shorewall
- is now more rigorous in parsing the options in
- /etc/shorewall/interfaces.
- - Complementation
+
- Shorewall
+ is now more rigorous in parsing the options in
+/etc/shorewall/interfaces.
+ - Complementation
using "!" is now supported in rules.
-
+
-
-7/28/2001 - The current version of Shorewall is 1.1.11. In this
+
+
7/28/2001 - The current version of Shorewall is 1.1.11. In this
version
-
+
- - A "shorewall
- refresh" command has been added to allow for refreshing
- the rules associated with the broadcast address on a
-dynamic interface. This command should be used in place
-of "shorewall restart" when the internet interface's IP
- address changes.
- - The /etc/shorewall/start
- file (if any) is now processed after all temporary
- rules have been deleted. This change prevents the accidental
- removal of rules added during the processing of
-that file.
- - The "dhcp"
- interface option is now applicable to firewall
-interfaces used by a DHCP server running on the firewall.
- - The RPM
+
- A "shorewall
+ refresh" command has been added to allow for
+ refreshing the rules associated with the broadcast address
+ on a dynamic interface. This command should be used
+ in place of "shorewall restart" when the internet interface's
+ IP address changes.
+ - The /etc/shorewall/start
+ file (if any) is now processed after all
+temporary rules have been deleted. This change prevents
+ the accidental removal of rules added during
+ the processing of that file.
+ - The "dhcp"
+ interface option is now applicable to firewall
+ interfaces used by a DHCP server running on the firewall.
+ - The RPM
can now be built from the .tgz file using "rpm -tb"
-
+
-
-7/6/2001 - The current version of Shorewall is 1.1.10. In this
-version
+
+7/6/2001 - The current version of Shorewall is 1.1.10. In this version
-
+
- - Shorewall
- now enables Ipv4 Packet Forwarding by default. Packet
- forwarding may be disabled by specifying IP_FORWARD=Off
- in /etc/shorewall/shorewall.conf. If you don't
- want Shorewall to enable or disable packet forwarding,
- add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf
- file.
- - The "shorewall
- hits" command no longer lists extraneous service
- names in its last report.
- - Erroneous
- instructions in the comments at the head of the firewall
+
- Shorewall
+ now enables Ipv4 Packet Forwarding by default. Packet
+ forwarding may be disabled by specifying IP_FORWARD=Off
+ in /etc/shorewall/shorewall.conf. If you don't
+ want Shorewall to enable or disable packet forwarding,
+ add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf
+ file.
+ - The "shorewall
+ hits" command no longer lists extraneous service
+ names in its last report.
+ - Erroneous
+ instructions in the comments at the head of the firewall
script have been corrected.
-
+
-
-6/23/2001 - The current version of Shorewall is 1.1.9. In this
-version
+
+6/23/2001 - The current version of Shorewall is 1.1.9. In this version
-
+
- - The "tunnels"
+
- The "tunnels"
file really is in the RPM now.
- - SNAT can
- now be applied to port-forwarded connections.
- - A bug
-which would cause firewall start failures in some
-dhcp configurations has been fixed.
- - The firewall
- script now issues a message if you have the name
-of an interface in the second column in an entry in /etc/shorewall/masq
- and that interface is not up.
- - You can
+
- SNAT
+can now be applied to port-forwarded connections.
+ - A bug
+which would cause firewall start failures in some dhcp
+ configurations has been fixed.
+ - The firewall
+ script now issues a message if you have the name
+ of an interface in the second column in an entry in
+/etc/shorewall/masq and that interface is not up.
+ - You can
now configure Shorewall so that it doesn't require the NAT and/or
+ href="Documentation.htm#NatEnabled"> doesn't require the NAT and/or
mangle netfilter modules.
- - Thanks
-to Alex Polishchuk, the "hits" command from seawall
+
- Thanks
+ to Alex Polishchuk, the "hits" command from seawall
is now in shorewall.
- - Support
+
- Support
for IPIP tunnels has been added.
-
+
-
-6/18/2001 - The current version of Shorewall is 1.1.8. In this
-version
+
+6/18/2001 - The current version of Shorewall is 1.1.8. In this version
-
+
-
+
6/2/2001 - The current version of Shorewall is 1.1.7. In this version
-
+
- - The TOS
+
- The TOS
rules are now deleted when the firewall is stopped.
- - The .rpm
- will now install regardless of which version of iptables
+
- The .rpm
+ will now install regardless of which version of iptables
is installed.
- - The .rpm
- will now install without iproute2 being installed.
- - The documentation
+
- The .rpm
+ will now install without iproute2 being installed.
+ - The documentation
has been cleaned up.
- - The sample
- configuration files included in Shorewall have been
- formatted to 80 columns for ease of editing on a VGA
- console.
+ - The sample
+ configuration files included in Shorewall have been
+ formatted to 80 columns for ease of editing on a VGA
+ console.
-
+
-
-5/25/2001 - The current version of Shorewall is 1.1.6. In this
-version
+
+5/25/2001 - The current version of Shorewall is 1.1.6. In this version
-
+
- - You may now rate-limit the
-packet log.
- - Previous
- versions of Shorewall have an implementation of Static
- NAT which violates the principle of least surprise.
- NAT only occurs for packets arriving at (DNAT) or
-send from (SNAT) the interface named in the INTERFACE column
- of /etc/shorewall/nat. Beginning with version 1.1.6, NAT effective
- regardless of which interface packets come from or are
-destined to. To get compatibility with prior versions, I
-have added a new "ALL "ALL INTERFACES"
- column to /etc/shorewall/nat. By placing "no" or
-"No" in the new column, the NAT behavior of prior versions
-may be retained.
- - The treatment
- of IPSEC Tunnels where the
- remote gateway is a standalone system has been improved.
- Previously, it was necessary to include an additional rule
-allowing UDP port 500 traffic to pass through the tunnel. Shorewall
- will now create this rule automatically when you place the
-name of the remote peer's zone in a new GATEWAY ZONE column in
-/etc/shorewall/tunnels.
+ - You may now rate-limit the
+ packet log.
+ - Previous
+ versions of Shorewall have an implementation of Static
+ NAT which violates the principle of least surprise.
+ NAT only occurs for packets arriving at (DNAT) or send
+ from (SNAT) the interface named in the INTERFACE column of
+ /etc/shorewall/nat. Beginning with version 1.1.6, NAT effective
+ regardless of which interface packets come from or are destined
+ to. To get compatibility with prior versions, I have added
+ a new "ALL "ALL INTERFACES"
+ column to /etc/shorewall/nat. By placing "no" or "No"
+ in the new column, the NAT behavior of prior versions may
+ be retained.
+ - The treatment
+ of IPSEC Tunnels where the
+ remote gateway is a standalone system has been improved.
+ Previously, it was necessary to include an additional rule allowing
+ UDP port 500 traffic to pass through the tunnel. Shorewall
+will now create this rule automatically when you place the name
+of the remote peer's zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels.
-
+
-
-5/20/2001 - The current version of Shorewall is 1.1.5. In this
-version
+
+5/20/2001 - The current version of Shorewall is 1.1.5. In this version
-
+
-
-5/10/2001 - The current version of Shorewall is 1.1.4. In this
-version
+
+5/10/2001 - The current version of Shorewall is 1.1.4. In this version
-
+
- - Accepting RELATED connections
- is now optional.
- - Corrected
- problem where if "shorewall start" aborted early
- (due to kernel configuration errors for example), superfluous
+
- Accepting RELATED connections
+ is now optional.
+ - Corrected
+ problem where if "shorewall start" aborted early
+ (due to kernel configuration errors for example), superfluous
'sed' error messages were reported.
- - Corrected
+
- Corrected
rules generated for port redirection.
- - The order
- in which iptables kernel modules are loaded has been
+
- The order
+ in which iptables kernel modules are loaded has been
corrected (Thanks to Mark Pavlidis).
-
+
-
-4/28/2001 - The current version of Shorewall is 1.1.3. In this
-version
+
+4/28/2001 - The current version of Shorewall is 1.1.3. In this version
-
+
- - Correct
- message issued when Proxy ARP address added (Thanks
+
- Correct
+ message issued when Proxy ARP address added (Thanks
to Jason Kirtland).
- - /tmp/shorewallpolicy-$$
- is now removed if there is an error while starting
+
- /tmp/shorewallpolicy-$$
+ is now removed if there is an error while starting
the firewall.
- - /etc/shorewall/icmp.def
- and /etc/shorewall/common.def are now used
- to define the icmpdef and common chains unless overridden
- by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
- - In the
-.lrp, the file /var/lib/lrpkg/shorwall.conf has been
- corrected. An extra space after "/etc/shorwall/policy"
- has been removed and "/etc/shorwall/rules" has been added.
- - When a
-sub-shell encounters a fatal error and has stopped
- the firewall, it now kills the main shell so that the
-main shell will not continue.
- - A problem
- has been corrected where a sub-shell stopped the
- firewall and main shell continued resulting in a perplexing
+
- /etc/shorewall/icmp.def
+ and /etc/shorewall/common.def are now used
+ to define the icmpdef and common chains unless overridden
+ by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
+ - In the
+ .lrp, the file /var/lib/lrpkg/shorwall.conf has been
+ corrected. An extra space after "/etc/shorwall/policy"
+ has been removed and "/etc/shorwall/rules" has been added.
+ - When
+a sub-shell encounters a fatal error and has stopped
+ the firewall, it now kills the main shell so that
+ the main shell will not continue.
+ - A problem
+ has been corrected where a sub-shell stopped the
+ firewall and main shell continued resulting in a perplexing
error message referring to "common.so" resulted.
- - Previously,
- placing "-" in the PORT(S) column in /etc/shorewall/rules
- resulted in an error message during start. This
-has been corrected.
- - The first
- line of "install.sh" has been corrected -- I had
- inadvertently deleted the initial "#".
-
-
-
+ Previously,
+ placing "-" in the PORT(S) column in /etc/shorewall/rules
+ resulted in an error message during start. This has
+ been corrected.
+ The first
+ line of "install.sh" has been corrected -- I had
+ inadvertently deleted the initial "#".
-4/12/2001 - The current version of Shorewall is 1.1.2. In this
-version
+
-
+
+4/12/2001 - The current version of Shorewall is 1.1.2. In this version
+
+
- - Port redirection
- now works again.
- - The icmpdef
- and common chains may
- now be user-defined.
- - The firewall
- no longer fails to start if "routefilter" is
-specified for an interface that isn't started. A warning message
- is now issued in this case.
- - The LRP
- Version is renamed "shorwall" for 8,3 MSDOS file
- system compatibility.
- - A couple
- of LRP-specific problems were corrected.
-
-
-
+ Port
+redirection now works again.
+ The icmpdef
+ and common chains may
+ now be user-defined.
+ The firewall
+ no longer fails to start if "routefilter" is
+ specified for an interface that isn't started. A warning
+ message is now issued in this case.
+ The LRP
+ Version is renamed "shorwall" for 8,3 MSDOS file
+ system compatibility.
+ A couple
+ of LRP-specific problems were corrected.
+
+
+
4/8/2001 - Shorewall is now affiliated with the Leaf Project 
-
+
-
+
4/5/2001 - The current version of Shorewall is 1.1.1. In this version:
-
+
- - The common
- chain is traversed from INPUT, OUTPUT and FORWARD
- before logging occurs
- - The source
- has been cleaned up dramatically
- - DHCP DISCOVER
- packets with RFC1918 source addresses no longer
- generate log messages. Linux DHCP clients generate such
- packets and it's annoying to see them logged.
-
-
-
+ The common
+ chain is traversed from INPUT, OUTPUT and FORWARD
+ before logging occurs
+ The source
+ has been cleaned up dramatically
+ DHCP
+DISCOVER packets with RFC1918 source addresses no
+longer generate log messages. Linux DHCP clients generate
+ such packets and it's annoying to see them logged.
+
+
+
3/25/2001 - The current version of Shorewall is 1.1.0. In this version:
-
+
- - Log messages
- now indicate the packet disposition.
- - Error
+
- Log messages
+ now indicate the packet disposition.
+ - Error
messages have been improved.
- - The ability
- to define zones consisting of an enumerated set of
+
- The ability
+ to define zones consisting of an enumerated set of
hosts and/or subnetworks has been added.
- - The zone-to-zone
- chain matrix is now sparse so that only those chains
- that contain meaningful rules are defined.
- - 240.0.0.0/4
- and 169.254.0.0/16 have been added to the source
- subnetworks whose packets are dropped under the norfc1918
+
- The zone-to-zone
+ chain matrix is now sparse so that only those chains
+ that contain meaningful rules are defined.
+ - 240.0.0.0/4
+ and 169.254.0.0/16 have been added to the source
+ subnetworks whose packets are dropped under the norfc1918
interface option.
- - Exits
-are now provided for executing an user-defined script
- when a chain is defined, when the firewall is initialized,
- when the firewall is started, when the firewall
+
- Exits
+are now provided for executing an user-defined script
+ when a chain is defined, when the firewall is initialized,
+ when the firewall is started, when the firewall
is stopped and when the firewall is cleared.
- - The Linux
- kernel's route filtering facility can now be specified
+
- The Linux
+ kernel's route filtering facility can now be specified
selectively on network interfaces.
-
+
-
+
3/19/2001 - The current version of Shorewall is 1.0.4. This version:
-
+
- - Allows
-user-defined zones. Shorewall now has only one pre-defined
- zone (fw) with the remaining zones being defined in
- the new configuration file /etc/shorewall/zones.
- The /etc/shorewall/zones file released in this version
- provides behavior that is compatible with Shorewall 1.0.3.
- - Adds the
- ability to specify logging in entries in the /etc/shorewall/rules
- file.
- - Correct
- handling of the icmp-def chain so that only ICMP packets
+
- Allows
+ user-defined zones. Shorewall now has only one pre-defined
+ zone (fw) with the remaining zones being defined
+ in the new configuration file /etc/shorewall/zones.
+ The /etc/shorewall/zones file released in this version
+ provides behavior that is compatible with Shorewall 1.0.3.
+ - Adds
+the ability to specify logging in entries in the
+ /etc/shorewall/rules file.
+ - Correct
+ handling of the icmp-def chain so that only ICMP packets
are sent through the chain.
- - Compresses
- the output of "shorewall monitor" if awk is installed.
- Allows the command to work if awk isn't installed (although
- it's not pretty).
-
-
-
+ Compresses
+ the output of "shorewall monitor" if awk is installed.
+ Allows the command to work if awk isn't installed (although
+ it's not pretty).
-3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix
- release with no new features.
+
-
+
+3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix
+ release with no new features.
+
+
- - The PATH
- variable in the firewall script now includes /usr/local/bin
- and /usr/local/sbin.
- - DMZ-related
+
- The PATH
+ variable in the firewall script now includes /usr/local/bin
+ and /usr/local/sbin.
+ - DMZ-related
chains are now correctly deleted if the DMZ is deleted.
- - The interface
+
- The interface
OPTIONS for "gw" interfaces are no longer ignored.
-
+
-
-3/8/2001 - The current version of Shorewall is 1.0.2. It supports an
- additional "gw" (gateway) zone for tunnels
- and it supports IPSEC tunnels with end-points on the
- firewall. There is also a .lrp available now.
+
+3/8/2001 - The current version of Shorewall is 1.0.2. It supports an
+ additional "gw" (gateway) zone for tunnels
+ and it supports IPSEC tunnels with end-points on
+the firewall. There is also a .lrp available now.
-
-Updated 5/18/2003 - Tom Eastep
+
+Updated 5/19/2003 - Tom Eastep
-
+
Copyright © 2001, 2002 Thomas M. Eastep.
-
-
+
+