Merge branch 'master' of ssh://judas_iscariote@shorewall.git.sourceforge.net/gitroot/shorewall
commit
1967f9cbb4
@ -97,6 +97,9 @@ sub generate_script_1() {
|
|||||||
# Functions to execute the various user exits (extension scripts)
|
# Functions to execute the various user exits (extension scripts)
|
||||||
################################################################################
|
################################################################################
|
||||||
EOF
|
EOF
|
||||||
|
my $lib = find_file 'lib.private';
|
||||||
|
|
||||||
|
copy1 $lib, emit "\n" if -f $lib;
|
||||||
|
|
||||||
for my $exit qw/init isusable start tcclear started stop stopped clear refresh refreshed restored findgw/ {
|
for my $exit qw/init isusable start tcclear started stop stopped clear refresh refreshed restored findgw/ {
|
||||||
emit "\nrun_${exit}_exit() {";
|
emit "\nrun_${exit}_exit() {";
|
||||||
|
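Review bot: `copy1 $lib, emit "\n" if -f $lib;` reads like a two-argument call but, given copy1's `($)` prototype, is the comma operator (copy1 runs, then emit); writing it as `if ( -f $lib ) { copy1 $lib; emit "\n"; }` makes the intent plain. More importantly the file's contents are spliced verbatim into the generated firewall script, which runs as root, so a lib.private that is writable by other users wherever find_file locates it becomes a root code-injection path; consider warning on a file whose mode allows group/other write, e.g. `warning_message "$lib is writable by others" if ( stat $lib )[2] & 022;` (adapted to the compiler's warning helper). The install script in this commit creates /etc/shorewall/lib.private with mode 0600, which covers the default location but not user-supplied copies elsewhere. generate_script_1 continues outside the hunk.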
@ -79,6 +79,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
|
|||||||
push_indent
|
push_indent
|
||||||
pop_indent
|
pop_indent
|
||||||
copy
|
copy
|
||||||
|
copy1
|
||||||
create_temp_aux_config
|
create_temp_aux_config
|
||||||
finalize_aux_config
|
finalize_aux_config
|
||||||
set_shorewall_dir
|
set_shorewall_dir
|
||||||
@ -1088,6 +1089,8 @@ sub copy1( $ ) {
|
|||||||
|
|
||||||
close IF;
|
close IF;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$lastlineblank = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -115,7 +115,7 @@ sub do_ipsec_options($)
|
|||||||
#
|
#
|
||||||
sub process_one_masq( )
|
sub process_one_masq( )
|
||||||
{
|
{
|
||||||
my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file';
|
my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
|
||||||
|
|
||||||
if ( $interfacelist eq 'COMMENT' ) {
|
if ( $interfacelist eq 'COMMENT' ) {
|
||||||
process_comment;
|
process_comment;
|
||||||
@ -183,6 +183,7 @@ sub process_one_masq( )
|
|||||||
# Handle Mark
|
# Handle Mark
|
||||||
#
|
#
|
||||||
$baserule .= do_test( $mark, 0xFF) if $mark ne '-';
|
$baserule .= do_test( $mark, 0xFF) if $mark ne '-';
|
||||||
|
$baserule .= do_user( $user ) if $user ne '-';
|
||||||
|
|
||||||
for my $fullinterface (split_list $interfacelist, 'interface' ) {
|
for my $fullinterface (split_list $interfacelist, 'interface' ) {
|
||||||
my $rule = '';
|
my $rule = '';
|
||||||
|
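Review bot: `$baserule .= do_user( $user ) if $user ne '-';` adds an owner match to a nat POSTROUTING rule, which (as this commit's release note states) only matches locally-generated traffic, so an entry that combines USER/GROUP with a LAN SOURCE compiles cleanly and then never matches anything. A compile-time warning in this branch, or at least a comment such as `# Owner match only applies to locally-generated packets; forwarded traffic never matches`, would stop users discovering the silent no-op in production. do_user is defined outside this hunk, so whether it already validates the column is not visible here; process_one_masq also continues past the hunk.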
@ -116,7 +116,15 @@ sub setup_route_marking() {
|
|||||||
my $mark = $providerref->{mark};
|
my $mark = $providerref->{mark};
|
||||||
my $base = uc chain_base $interface;
|
my $base = uc chain_base $interface;
|
||||||
|
|
||||||
add_command( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
|
if ( $providerref->{optional} ) {
|
||||||
|
if ( $providerref->{shared} ) {
|
||||||
|
add_command( $chainref, qq(if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then) );
|
||||||
|
} else {
|
||||||
|
add_command( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
|
||||||
|
}
|
||||||
|
|
||||||
|
incr_cmd_level( $chainref );
|
||||||
|
}
|
||||||
|
|
||||||
unless ( $marked_interfaces{$interface} ) {
|
unless ( $marked_interfaces{$interface} ) {
|
||||||
add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
|
add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
|
||||||
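Review bot: The shared-provider branch builds `[ interface_is_usable $interface -a -n "$providerref->{mac}" ]`, but inside `[ ... ]` interface_is_usable is just a word handed to test, not a function call, so the generated test is malformed (test sees `interface_is_usable <iface>` as a stray operand pair) and the shell reports an error instead of checking the interface; the route-marking rules for an optional shared provider would then never be emitted at run time. The non-shared branch directly below and add_a_provider in this same commit use the working form, so this line should become `add_command( $chainref, qq(if interface_is_usable $interface && [ -n "$providerref->{mac}" ]; then) );`. setup_route_marking continues outside the hunk.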
@ -391,22 +399,25 @@ sub add_a_provider( ) {
|
|||||||
|
|
||||||
my $realm = '';
|
my $realm = '';
|
||||||
|
|
||||||
if ( $optional && ! $shared ) {
|
fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
|
||||||
start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
|
|
||||||
$provider_interfaces{$interface} = $table;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( $shared ) {
|
if ( $shared ) {
|
||||||
fatal_error "Interface $interface is associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
|
|
||||||
my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
|
my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
|
||||||
$realm = "realm $number";
|
$realm = "realm $number";
|
||||||
start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) );
|
start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) );
|
||||||
} elsif ( $gatewaycase eq 'detect' ) {
|
|
||||||
start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) ) unless $optional;
|
|
||||||
} else {
|
} else {
|
||||||
start_provider( $table, $number, "if interface_is_usable $interface; then" ) unless $optional;
|
if ( $optional ) {
|
||||||
|
start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
|
||||||
|
} elsif ( $gatewaycase eq 'detect' ) {
|
||||||
|
start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
|
||||||
|
} else {
|
||||||
|
start_provider( $table, $number, "if interface_is_usable $interface; then" );
|
||||||
|
}
|
||||||
|
|
||||||
|
$provider_interfaces{$interface} = $table;
|
||||||
|
|
||||||
emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
|
emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $mark ne '-' ) {
|
if ( $mark ne '-' ) {
|
||||||
emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
|
emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
|
||||||
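Review bot: The guard moved into the shared branch, `fatal_error "Interface $interface is associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};`, tests the hash under the table name while every other use in this hunk (the message text and the assignment `$provider_interfaces{$interface} = $table;` at the end of the non-shared branch) keys it by interface, so the condition is effectively dead and a shared provider can be attached to an interface already owned by a non-shared one without a compile error. Change the condition to `if $provider_interfaces{$interface};`. The same mismatch was present in the removed line, so it is carried over rather than introduced, but the new code is the one to fix. add_a_provider continues before and after the hunk.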
@ -800,7 +811,7 @@ sub handle_optional_interfaces() {
|
|||||||
|
|
||||||
if ( $provider ) {
|
if ( $provider ) {
|
||||||
#
|
#
|
||||||
# This is a provider -- get the provider table entry
|
# This interface is associated with a non-shared provider -- get the provider table entry
|
||||||
#
|
#
|
||||||
my $providerref = $providers{$provider};
|
my $providerref = $providers{$provider};
|
||||||
|
|
||||||
@ -811,7 +822,7 @@ sub handle_optional_interfaces() {
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
#
|
#
|
||||||
# Not a provider
|
# Not a provider interface
|
||||||
#
|
#
|
||||||
emit qq(if interface_is_usable $interface; then);
|
emit qq(if interface_is_usable $interface; then);
|
||||||
}
|
}
|
||||||
|
@ -14,6 +14,14 @@ Changes in Shorewall 4.4.0-Beta2
|
|||||||
|
|
||||||
5) Add 'upnpclient' interface option.
|
5) Add 'upnpclient' interface option.
|
||||||
|
|
||||||
|
6) Fix handling of optional interfaces.
|
||||||
|
|
||||||
|
7) Add 'iptrace' and 'noiptrace' command.
|
||||||
|
|
||||||
|
8) Add 'USER/GROUP' column to masq file.
|
||||||
|
|
||||||
|
9) Added lib.private.
|
||||||
|
|
||||||
Changes in Shorewall 4.4.0-Beta1
|
Changes in Shorewall 4.4.0-Beta1
|
||||||
|
|
||||||
1) Correct typo in Shorewall6 two-interface sample shorewall.conf.
|
1) Correct typo in Shorewall6 two-interface sample shorewall.conf.
|
||||||
|
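--- a/Shorewall/configfiles/lib.private
+++ b/Shorewall/configfiles/lib.private
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - lib.private File
+#
+# /etc/shorewall/lib.private
+#
+# Use this file to declare shell functions to be called in the other
+# run-time extension scripts. The file will be copied into the generated
+# firewall script.
+#
+# See http://shorewall.net/shorewall_extension_scripts.htm for additional
+# information.
+#
+###############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE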
|
@ -7,5 +7,6 @@
|
|||||||
# http://www.shorewall.net/manpages/shorewall-masq.html
|
# http://www.shorewall.net/manpages/shorewall-masq.html
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
|
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/
|
||||||
|
# GROUP
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||||
|
@ -576,6 +576,15 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/accounting ]; then
|
|||||||
echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
|
echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
|
# Install the private library file
|
||||||
|
#
|
||||||
|
run_install $OWNERSHIP -m 0644 configfiles/lib.private ${PREFIX}/usr/share/shorewall/configfiles/lib.private
|
||||||
|
|
||||||
|
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/lib.private ]; then
|
||||||
|
run_install $OWNERSHIP -m 0600 configfiles/lib.private ${PREFIX}/etc/shorewall/lib.private
|
||||||
|
echo "Private library file installed as ${PREFIX}/etc/shorewall/lib.private"
|
||||||
|
fi
|
||||||
|
#
|
||||||
# Install the Started file
|
# Install the Started file
|
||||||
#
|
#
|
||||||
run_install $OWNERSHIP -m 0644 configfiles/started ${PREFIX}/usr/share/shorewall/configfiles/started
|
run_install $OWNERSHIP -m 0644 configfiles/started ${PREFIX}/usr/share/shorewall/configfiles/started
|
||||||
|
@ -149,6 +149,41 @@ None.
|
|||||||
that, like all aspects of UPnP, this is a security hole so use this
|
that, like all aspects of UPnP, this is a security hole so use this
|
||||||
option at your own risk.
|
option at your own risk.
|
||||||
|
|
||||||
|
2) 'iptrace' and 'noiptrace' commands have been added to both
|
||||||
|
/sbin/shorewall and /sbin/shorewall6.
|
||||||
|
|
||||||
|
These are low-level debugging commands that cause
|
||||||
|
iptables/ip6tables TRACE log messages to be generated. See 'man
|
||||||
|
iptables' and 'man ip6tables' for details.
|
||||||
|
|
||||||
|
The syntax for the commands is:
|
||||||
|
|
||||||
|
iptrace <iptables/ip6tables match expression>
|
||||||
|
noiptrace <iptables/ip6tables match expression>
|
||||||
|
|
||||||
|
iptrace starts the trace; noiptrace turns it off.
|
||||||
|
|
||||||
|
The match expression must be an expression that is legal in both
|
||||||
|
the raw table OUTPUT and PREROUTING chains.
|
||||||
|
|
||||||
|
Examaple:
|
||||||
|
|
||||||
|
To trace all packets desinted for IP address 206.124.146.176:
|
||||||
|
|
||||||
|
shorewall iptrace -d 206.124.146.176
|
||||||
|
|
||||||
|
To turn that trace off:
|
||||||
|
|
||||||
|
shorewall noiptrace -d 206.124.146.176
|
||||||
|
|
||||||
|
3) A USER/GROUP column has been added to /etc/shorewall/masq. The
|
||||||
|
column works similarly to USER/GROUP columns in other Shorewall
|
||||||
|
configuration files. Only locally-generated traffic is matched.
|
||||||
|
|
||||||
|
4) A new extension script, 'lib.private' has been added. This file is
|
||||||
|
intended to include declarations of shell functions that will be
|
||||||
|
called by the other run-time extension scripts.
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
N E W F E A T U R E S IN 4 . 4
|
N E W F E A T U R E S IN 4 . 4
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|
@ -1454,10 +1454,12 @@ usage() # $1 = exit status
|
|||||||
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
|
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
|
||||||
echo " ipdecimal { <address> | <integer> }"
|
echo " ipdecimal { <address> | <integer> }"
|
||||||
echo " iprange <address>-<address>"
|
echo " iprange <address>-<address>"
|
||||||
|
echo " iptrace <iptables match expression>"
|
||||||
echo " load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
|
echo " load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
|
||||||
echo " logdrop <address> ..."
|
echo " logdrop <address> ..."
|
||||||
echo " logreject <address> ..."
|
echo " logreject <address> ..."
|
||||||
echo " logwatch [<refresh interval>]"
|
echo " logwatch [<refresh interval>]"
|
||||||
|
echo " noiptrace <iptables match expression>"
|
||||||
echo " refresh [ <chain>... ]"
|
echo " refresh [ <chain>... ]"
|
||||||
echo " reject <address> ..."
|
echo " reject <address> ..."
|
||||||
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
|
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
|
||||||
@ -2012,6 +2014,26 @@ case "$COMMAND" in
|
|||||||
shift
|
shift
|
||||||
safe_commands $@
|
safe_commands $@
|
||||||
;;
|
;;
|
||||||
|
iptrace)
|
||||||
|
get_config
|
||||||
|
shift
|
||||||
|
if shorewall_is_started ; then
|
||||||
|
$IPTABLES -t raw -A PREROUTING $@ -j TRACE
|
||||||
|
$IPTABLES -t raw -A OUTPUT $@ -j TRACE
|
||||||
|
else
|
||||||
|
fatal_error "Shorewall is not started"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
noiptrace)
|
||||||
|
get_config
|
||||||
|
shift
|
||||||
|
if shorewall_is_started ; then
|
||||||
|
$IPTABLES -t raw -D PREROUTING $@ -j TRACE
|
||||||
|
$IPTABLES -t raw -D OUTPUT $@ -j TRACE
|
||||||
|
else
|
||||||
|
fatal_error "Shorewall is not started"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
usage 1
|
usage 1
|
||||||
;;
|
;;
|
||||||
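Review bot: Both new commands append the user's match expression as a bare `$@`, which re-splits any argument containing whitespace (e.g. `-m comment --comment "my trace"`) before it reaches iptables; use `"$@"` in all four calls. An empty expression is also accepted, and `-A PREROUTING -j TRACE` with no match then traces every packet through the raw table, which can flood the kernel log, so guard with `[ $# -gt 0 ] || fatal_error "iptrace requires an iptables match expression"`. Finally the OUTPUT rule is added even when the PREROUTING call failed, leaving a half-installed trace that noiptrace later reports as an error; chain them as `$IPTABLES -t raw -A PREROUTING "$@" -j TRACE && $IPTABLES -t raw -A OUTPUT "$@" -j TRACE` (and the `-D` pair likewise), since the exit status of the `$IPTABLES` calls is otherwise never examined.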
|
@ -1371,10 +1371,12 @@ usage() # $1 = exit status
|
|||||||
echo " export [ <directory1> ] [<user>@]<system>[:<directory2>]"
|
echo " export [ <directory1> ] [<user>@]<system>[:<directory2>]"
|
||||||
echo " forget [ <file name> ]"
|
echo " forget [ <file name> ]"
|
||||||
echo " help"
|
echo " help"
|
||||||
|
echo " iptrace <ip6tables match expression>"
|
||||||
echo " load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
|
echo " load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
|
||||||
echo " logdrop <address> ..."
|
echo " logdrop <address> ..."
|
||||||
echo " logreject <address> ..."
|
echo " logreject <address> ..."
|
||||||
echo " logwatch [<refresh interval>]"
|
echo " logwatch [<refresh interval>]"
|
||||||
|
echo " noiptrace <ip6tables match expression>"
|
||||||
echo " refresh [ <chain>... ]"
|
echo " refresh [ <chain>... ]"
|
||||||
echo " reject <address> ..."
|
echo " reject <address> ..."
|
||||||
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
|
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
|
||||||
@ -1857,7 +1859,26 @@ case "$COMMAND" in
|
|||||||
shift
|
shift
|
||||||
safe_commands $@
|
safe_commands $@
|
||||||
;;
|
;;
|
||||||
*)
|
iptrace)
|
||||||
|
get_config
|
||||||
|
shift
|
||||||
|
if shorewall_is_started ; then
|
||||||
|
$IP6TABLES -t raw -A PREROUTING $@ -j TRACE
|
||||||
|
$IP6TABLES -t raw -A OUTPUT $@ -j TRACE
|
||||||
|
else
|
||||||
|
fatal_error "Shorewall6 is not started"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
noiptrace)
|
||||||
|
get_config
|
||||||
|
shift
|
||||||
|
if shorewall_is_started ; then
|
||||||
|
$IP6TABLES -t raw -D PREROUTING $@ -j TRACE
|
||||||
|
$IP6TABLES -t raw -D OUTPUT $@ -j TRACE
|
||||||
|
else
|
||||||
|
fatal_error "Shorewall6 is not started"
|
||||||
|
fi
|
||||||
|
;; *)
|
||||||
usage 1
|
usage 1
|
||||||
;;
|
;;
|
||||||
|
|
||||||
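Review bot: As in the IPv4 script, the match expression is passed as a bare `$@` in all four `$IP6TABLES` calls and should be `"$@"` so quoted arguments survive; an empty expression installs `-j TRACE` for every packet, so a `[ $# -gt 0 ] || fatal_error "iptrace requires an ip6tables match expression"` guard is worth adding, and the OUTPUT rule should only be added when the PREROUTING one succeeded (`... PREROUTING "$@" -j TRACE && ... OUTPUT "$@" -j TRACE`). Separately, the default case was folded onto one line as `;; *)`, which is legal but easy to misread; put `*)` on its own line as the other cases do.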
|
@ -1321,9 +1321,10 @@ fi</programlisting></para>
|
|||||||
in the preceding section.</para>
|
in the preceding section.</para>
|
||||||
|
|
||||||
<para>Like many Open Source products, LSM is poorly documented. It's
|
<para>Like many Open Source products, LSM is poorly documented. It's
|
||||||
main configuration file is normally kept in /etc/lsm/lsm.conf, but the
|
main configuration file is normally kept in
|
||||||
file's name is passed as an argument to the lsm program so you can
|
<filename>/etc/lsm/lsm.conf</filename>, but the file's name is passed
|
||||||
name it anything you want.</para>
|
as an argument to the lsm program so you can name it anything you
|
||||||
|
want.</para>
|
||||||
|
|
||||||
<para>The sample <filename>lsm.conf</filename> included with the
|
<para>The sample <filename>lsm.conf</filename> included with the
|
||||||
product shows some of the possibilities for configuration. One feature
|
product shows some of the possibilities for configuration. One feature
|
||||||
@ -1332,50 +1333,86 @@ fi</programlisting></para>
|
|||||||
configuration file.</para>
|
configuration file.</para>
|
||||||
|
|
||||||
<para>I personally use LSM here at shorewall.net (configuration is
|
<para>I personally use LSM here at shorewall.net (configuration is
|
||||||
described <link linkend="Complete">below</link>). Here are my relevant
|
described <link linkend="Complete">below</link>). I have set things up
|
||||||
configuration files:</para>
|
so that Shorewall [re]starts lsm during processing of the
|
||||||
|
<command>start</command> and <command>restore</command> commands. I
|
||||||
|
don't have Shorewall restart lsm during Shorewall
|
||||||
|
<command>restart</command> because I restart Shorewall much more often
|
||||||
|
than the average user is likely to do. I have Shorewall start lsm
|
||||||
|
because I have a dynamic IP address from one of my providers
|
||||||
|
(Comcast); Shorewall detects the default gateway to that provider and
|
||||||
|
creates a secondary configuration file
|
||||||
|
(<filename>/etc/lsm/shorewall.conf</filename>) that contains the link
|
||||||
|
configurations. That file is included by
|
||||||
|
<filename>/etc/lsm/lsm.conf</filename>.B</para>
|
||||||
|
|
||||||
|
<para>Below are my relevant configuration files.</para>
|
||||||
|
|
||||||
|
<warning>
|
||||||
|
<para>These files only work with Shorewall-perl 4.4 Beta 2 and
|
||||||
|
later.</para>
|
||||||
|
</warning>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/isusable</filename>:</para>
|
<para><filename>/etc/shorewall/isusable</filename>:</para>
|
||||||
|
|
||||||
|
<para>Note that <filename>/etc/lsm/script </filename>writes
|
||||||
|
a<filename> ${VARDIR}/xxx.status</filename> file when the status of an
|
||||||
|
interface changes.</para>
|
||||||
|
|
||||||
<programlisting>local status=0
|
<programlisting>local status=0
|
||||||
|
|
||||||
[ -f ${VARDIR}/${1}.status ] && status=$(cat ${VARDIR}/${1}.status)
|
[ -f ${VARDIR}/${1}.status ] && status=$(cat ${VARDIR}/${1}.status)
|
||||||
|
|
||||||
return $status</programlisting>
|
return $status</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/started</filename>:</para>
|
<para><filename>/etc/shorewall/lib.private</filename>:</para>
|
||||||
|
|
||||||
<programlisting>###############################################################################
|
<programlisting>###############################################################################
|
||||||
# My 'restored' script calls this one if there is no lsm process running
|
# Create /etc/lsm/shorewall.conf
|
||||||
|
# Remove the current interface status files
|
||||||
|
# Start lsm
|
||||||
###############################################################################
|
###############################################################################
|
||||||
if [ "$COMMAND" = start -o "$COMMAND" = restore ]; then
|
start_lsm() {
|
||||||
killall lsm 2> /dev/null
|
killall lsm 2> /dev/null
|
||||||
cat <<EOF > /etc/lsm/shorewall.conf
|
cat <<EOF > /etc/lsm/shorewall.conf
|
||||||
connection {
|
connection {
|
||||||
name=Avvanta
|
name=Avvanta
|
||||||
checkip=206.124.146.254
|
checkip=206.124.146.254
|
||||||
device=eth0
|
device=$EXT_IF
|
||||||
ttl=2
|
ttl=2
|
||||||
}
|
}
|
||||||
|
|
||||||
connection {
|
connection {
|
||||||
name=Comcast
|
name=Comcast
|
||||||
checkip=$ETH3_GATEWAY
|
checkip=${ETH0_GATEWAY:-71.231.152.1}
|
||||||
device=eth3
|
device=$COM_IF
|
||||||
ttl=1
|
ttl=1
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
rm -f ${VARDIR}/*.status
|
rm -f /etc/shorewall/*.status
|
||||||
/usr/sbin/lsm /etc/lsm/lsm.conf >> /var/log/lsm
|
/usr/sbin/lsm /etc/lsm/lsm.conf >> /var/log/lsm
|
||||||
fi</programlisting>
|
}</programlisting>
|
||||||
|
|
||||||
<para>eth3 has a dynamic IP address so I need to use the
|
<para>eth3 has a dynamic IP address so I need to use the
|
||||||
Shorewall-detected gateway address ($ETH3_GATEWAY).</para>
|
Shorewall-detected gateway address ($ETH3_GATEWAY). I supply a default
|
||||||
|
value in the event that detection fails.</para>
|
||||||
|
|
||||||
|
<para><filename>/etc/shorewall/started</filename>:</para>
|
||||||
|
|
||||||
|
<programlisting>##################################################################################
|
||||||
|
# [re]start lsm if this is a 'start' command or if lsm isn't running
|
||||||
|
##################################################################################
|
||||||
|
if [ "$COMMAND" = start -o -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
|
||||||
|
start_lsm
|
||||||
|
fi</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/restored</filename>:</para>
|
<para><filename>/etc/shorewall/restored</filename>:</para>
|
||||||
|
|
||||||
<programlisting>if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
|
<programlisting>##################################################################################
|
||||||
run_started_exit
|
# Start lsm if it isn't running
|
||||||
|
##################################################################################
|
||||||
|
if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
|
||||||
|
start_lsm
|
||||||
fi</programlisting>
|
fi</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/lsm/lsm.conf</filename>:</para>
|
<para><filename>/etc/lsm/lsm.conf</filename>:</para>
|
||||||
|
@ -51,7 +51,18 @@
|
|||||||
stored in the <emphasis>skb</emphasis> (socket buffer) structure used by
|
stored in the <emphasis>skb</emphasis> (socket buffer) structure used by
|
||||||
the Linux kernel to track packets; the mark value is not part of the
|
the Linux kernel to track packets; the mark value is not part of the
|
||||||
packet itself and cannot be seen with <command>tcpdump</command>,
|
packet itself and cannot be seen with <command>tcpdump</command>,
|
||||||
<command>ethereal</command> or any other packet sniffing program.</para>
|
<command>ethereal</command> or any other packet sniffing program. They can
|
||||||
|
be seen in an iptables/ip6tables trace -- see the
|
||||||
|
<command>iptrace</command> command in <ulink
|
||||||
|
url="manpages/shorewall.html">shorewal</ulink>(8) and <ulink
|
||||||
|
url="manpages6/shorewall6.html">shorewall6</ulink>(8).</para>
|
||||||
|
|
||||||
|
<para>Example (output has been folded for display ):</para>
|
||||||
|
|
||||||
|
<programlisting>[11692.096077] TRACE: mangle:tcout:return:3 IN= OUT=eth0 SRC=172.20.1.130
|
||||||
|
DST=206.124.146.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64
|
||||||
|
ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7212 SEQ=3 UID=0
|
||||||
|
GID=1000 <emphasis role="bold">MARK=0x10082</emphasis></programlisting>
|
||||||
|
|
||||||
<para>Each active connection (even those that are not yet in ESTABLISHED
|
<para>Each active connection (even those that are not yet in ESTABLISHED
|
||||||
state) has a mark value that is distinct from the packet marks. Connection
|
state) has a mark value that is distinct from the packet marks. Connection
|
||||||
|
189
docs/Shorewall-4.xml
Normal file
189
docs/Shorewall-4.xml
Normal file
@ -0,0 +1,189 @@
|
|||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
||||||
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
||||||
|
<article>
|
||||||
|
<!--$Id$-->
|
||||||
|
|
||||||
|
<articleinfo>
|
||||||
|
<title>Shorewall Version 4</title>
|
||||||
|
|
||||||
|
<authorgroup>
|
||||||
|
<author>
|
||||||
|
<firstname>Tom</firstname>
|
||||||
|
|
||||||
|
<surname>Eastep</surname>
|
||||||
|
</author>
|
||||||
|
</authorgroup>
|
||||||
|
|
||||||
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
||||||
|
|
||||||
|
<copyright>
|
||||||
|
<year>2007</year>
|
||||||
|
|
||||||
|
<year>2009</year>
|
||||||
|
|
||||||
|
<holder>Thomas M. Eastep</holder>
|
||||||
|
</copyright>
|
||||||
|
|
||||||
|
<legalnotice>
|
||||||
|
<para>Permission is granted to copy, distribute and/or modify this
|
||||||
|
document under the terms of the GNU Free Documentation License, Version
|
||||||
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
|
Texts. A copy of the license is included in the section entitled
|
||||||
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||||
|
License</ulink></quote>.</para>
|
||||||
|
</legalnotice>
|
||||||
|
</articleinfo>
|
||||||
|
|
||||||
|
<section id="Intro">
|
||||||
|
<title>Introduction</title>
|
||||||
|
|
||||||
|
<para>Shorewall version 4.0 represented a substantial shift in direction
|
||||||
|
for Shorewall. Up until then</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>Shorewall had been written entirely in Bourne Shell.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Shorewall had run the <command>iptables</command> utility to add
|
||||||
|
each Netfilter rule.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>Shorewall version 4.0 offered you a choice. You could continue to
|
||||||
|
use the existing shell-based implementation or you could use a new
|
||||||
|
implementation of the Shorewall compiler written in the Perl programming
|
||||||
|
language. The new compiler:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>had a small disk footprint</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>was very fast.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>generateed a firewall script that uses
|
||||||
|
<command>iptables-restore</command>; so the script was very
|
||||||
|
fast.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>generated better and more consistent error messages.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>did a much more thorough job of checking the configuration to
|
||||||
|
avoid run-time errors.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>supported creating either Ipv4 or Ipv6 firewalls (Shorewall
|
||||||
|
4.2.4 and later).</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para><ulink url="Shorewall-perl.html#Install">Both compilers could be
|
||||||
|
installed on your system</ulink> and you could <ulink
|
||||||
|
url="Shorewall-perl.html#CompilerSelection">use whichever one suited you
|
||||||
|
in a particular case</ulink>.</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section id="Install">
|
||||||
|
<title>Shorewall 4.4</title>
|
||||||
|
|
||||||
|
<para>Shorewall 4.4 (currently in Beta testing) discontinues the
|
||||||
|
availability of the legacy shell-based compiler. All users must migrate to
|
||||||
|
the perl-based compiler before or during an upgrade to Shorewall version
|
||||||
|
4.4. We highly recommend that current users of the shell-based compiler
|
||||||
|
migrate before upgrading to 4.4 so that both compilers are available
|
||||||
|
during the migration.</para>
|
||||||
|
|
||||||
|
<para>Shorewall 4.4 contains four packages:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis role="bold">Shorewall</emphasis> - Everything needed
|
||||||
|
to create an IPv4 firewall.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis role="bold">Shorewall-lite</emphasis>- Can run scripts
|
||||||
|
generated by Shorewall on another system.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis role="bold">Shorewall6</emphasis> - The utilities for
|
||||||
|
creating and operating an Ipv6 firewall. Requires Shorewall.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis role="bold">Shorewall6-lite</emphasis> - Ipv6
|
||||||
|
equivalent of Shorewall Lite. Can run scripts generated by Shoreall on
|
||||||
|
another system.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section id="Prereqs">
|
||||||
|
<title>Prerequisites for using the Shorewall Version 4.2/4.4 Perl-based
|
||||||
|
Compiler</title>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>Perl (I use Perl 5.8.10 but other 5.8 versions should work
|
||||||
|
fine). <note>
|
||||||
|
<para>If you want to be able to use DNS names in your Shorewall6
|
||||||
|
configuration files, then Perl 5.10 is required together with the
|
||||||
|
Perl <emphasis role="bold">Socket6</emphasis> module.</para>
|
||||||
|
</note></para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Perl <emphasis role="bold">Cwd</emphasis> Module</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Perl <emphasis role="bold">File::Basename</emphasis>
|
||||||
|
Module</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Perl <emphasis role="bold">File::Temp</emphasis> Module</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Perl <emphasis role="bold">Getopt::Long</emphasis> Module</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Perl <emphasis role="bold">Carp</emphasis> Module</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Perl <emphasis role="bold">FindBin</emphasis> Module</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Perl <emphasis role="bold">Scalar::Util </emphasis>Module</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>Please note that there are <ulink url="IPv6Support.html">additional
|
||||||
|
requirements</ulink> if you plan to install and use Shorewall6.</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section id="Incompatibilities">
|
||||||
|
<title>Incompatibilities Introduced in the Shorewall Version 4 Perl-based
|
||||||
|
Compiler</title>
|
||||||
|
|
||||||
|
<para>The Shorewall Perl-based compiler is not 100% compatible with the
|
||||||
|
Shorewall shell-based version. See <ulink url="Shorewall-perl.html">this
|
||||||
|
document</ulink> for details.</para>
|
||||||
|
</section>
|
||||||
|
</article>
|
@ -108,9 +108,10 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>DYNAMIC_ZONES=Yes is not supported. <ulink
|
<para>DYNAMIC_ZONES=Yes is not supported in Shorewall-perl 4.2.
|
||||||
url="ipsets.html#Dynamic">Use an ipset </ulink>to define your
|
<ulink url="ipsets.html#Dynamic">Use an ipset </ulink>to define your
|
||||||
dytnamic zones.</para>
|
dytnamic zones. In Shorewall 4.4, dynamic zone support based on
|
||||||
|
ipsets was added to Shorewall.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -534,6 +535,20 @@ DNAT- net loc:192.168.1.3 tcp 21</programl
|
|||||||
<para>you instead want:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<para>you instead want:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
DNAT- net 192.168.1.3 tcp 21</programlisting></para>
|
DNAT- net 192.168.1.3 tcp 21</programlisting></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Supplying an interface name in the SOURCE column of
|
||||||
|
/etc/shorewall/masq is deprecated as of Shorewall 4.4. Entering the
|
||||||
|
name of an interface there will result in a compile-time
|
||||||
|
warning:</para>
|
||||||
|
|
||||||
|
<para>WARNING: Using an interface as the masq SOURCE requires the
|
||||||
|
interface to be up and configured when Shorewall
|
||||||
|
starts/restarts</para>
|
||||||
|
|
||||||
|
<para>To avoid this warning, replace interface names by the
|
||||||
|
corresponding network addresses (e.g., 192.168.144.0/24).</para>
|
||||||
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@ -545,10 +560,100 @@ DNAT- net 192.168.1.3 tcp 21</programl
|
|||||||
environment. The best way to work around this limitation is to install
|
environment. The best way to work around this limitation is to install
|
||||||
Shorewall-perl on an administrative system and employ Shorewall-lite on
|
Shorewall-perl on an administrative system and employ Shorewall-lite on
|
||||||
your embedded systems. Shorewall-perl will run on Windows under <ulink
|
your embedded systems. Shorewall-perl will run on Windows under <ulink
|
||||||
url="http://www.cygwin.com/">Cygwin</ulink>.</para>
|
url="http://www.cygwin.com/">Cygwin</ulink>. Install using the
|
||||||
|
install.sh script.</para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section id="Install">
|
||||||
|
<title>Installing Shorewall Version 4.0 or 4.2</title>
|
||||||
|
|
||||||
|
<para>Shorewall 4.2 contains six packages, four of which are also included
|
||||||
|
in Shorewall 4.0:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis role="bold">Shorewall-shell</emphasis> - the old
|
||||||
|
shell-based compiler and related components.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis role="bold">Shorewall-perl</emphasis> - the new
|
||||||
|
Perl-based compiler.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis role="bold">Shorewall-common</emphasis> - the part of
|
||||||
|
Shorewall common to both compilers.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis role="bold">Shorewall-lite</emphasis>- same as the 3.4
|
||||||
|
version of Shorewall Lite. Can run scripts generated by either
|
||||||
|
Shorewall-perl or Shorewall-shell.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis role="bold">Shorewall6</emphasis> - The utilities for
|
||||||
|
creating and operating an Ipv6 firewall. Requires Shorewall-perl and
|
||||||
|
Shorewall-common. Introduced in Shorewall 4.2.4.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis role="bold">Shorewall6-lite</emphasis> - Ipv6
|
||||||
|
equivalent of Shorewall Lite. Can run scripts generated by
|
||||||
|
Shoreall-perl 4.2.4 and later.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>If you upgrade to Shorewall Version 4.0 or 4.2, you must install
|
||||||
|
Shorewall-shell and/or Shorewall-perl; in fact, if you are using the
|
||||||
|
tarball for your installation, you must install Shorewall-shell and/or
|
||||||
|
Shorewall-perl <emphasis role="bold">before</emphasis> you upgrade
|
||||||
|
Shorewall. See the <ulink url="upgrade_issues.htm">upgrade issues</ulink>
|
||||||
|
for details.</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section id="CompilerSelection">
|
||||||
|
<title>Compiler Selection (Shorewall 4.0-4.2)</title>
|
||||||
|
|
||||||
|
<para>If you only install one compiler, then that compiler will be
|
||||||
|
used.</para>
|
||||||
|
|
||||||
|
<para>If you install both compilers, then the compiler actually used for
|
||||||
|
IPv4 depends on the SHOREWALL_COMPILER setting in
|
||||||
|
<filename>shorewall.conf</filename>.</para>
|
||||||
|
|
||||||
|
<para>The value of this new option can be either 'perl' or 'shell'.</para>
|
||||||
|
|
||||||
|
<para>If you add 'SHOREWALL_COMPILER=perl' to
|
||||||
|
<filename>/etc/shorewall/shorewall.conf</filename> then by default, the
|
||||||
|
new compiler will be used on the system. If you add it to
|
||||||
|
<filename>shorewall.conf</filename> in a separate directory (such as a
|
||||||
|
Shorewall-lite export directory) then the new compiler will only be used
|
||||||
|
when you compile from that directory.</para>
|
||||||
|
|
||||||
|
<para>If you only install one compiler, it is suggested that you do not
|
||||||
|
set SHOREWALL_COMPILER.</para>
|
||||||
|
|
||||||
|
<para>If both compilers are installed, you can select the compiler to use
|
||||||
|
on the command line using the 'C option:<simplelist>
|
||||||
|
<member>'-C shell' means use the shell compiler</member>
|
||||||
|
|
||||||
|
<member>'-C perl' means use the perl compiler</member>
|
||||||
|
</simplelist>The -C option overrides the setting in
|
||||||
|
shorewall.conf.</para>
|
||||||
|
|
||||||
|
<para>Example:<programlisting><command>shorewall restart -C perl</command></programlisting></para>
|
||||||
|
|
||||||
|
<para>When the Shorewall-perl compiler has been selected, the
|
||||||
|
<filename>params</filename> file is processed using the shell
|
||||||
|
<option>-a</option> option which causes all variables set within the file
|
||||||
|
to be exported automatically by the shell. The Shorewall-perl compiler
|
||||||
|
uses the current environmental variables to perform variable expansion
|
||||||
|
within the other Shorewall configuration files.</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
<section id="Modules">
|
<section id="Modules">
|
||||||
<title>The Shorewall Perl Modules</title>
|
<title>The Shorewall Perl Modules</title>
|
||||||
|
|
||||||
|
@ -69,6 +69,13 @@
|
|||||||
<para>The following scripts can be supplied:</para>
|
<para>The following scripts can be supplied:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para><filename>lib.private</filename> -- Intended to contain
|
||||||
|
declarations of shell functions to be called by other run-time
|
||||||
|
extension scripts. See<ulink url="MultiISP.html#lsm"> this
|
||||||
|
article</ulink> for an example of its use.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><filename>compile</filename> -- Invoked by the rules compiler
|
<para><filename>compile</filename> -- Invoked by the rules compiler
|
||||||
early in the compilation process. Must be written in Perl.</para>
|
early in the compilation process. Must be written in Perl.</para>
|
||||||
@ -184,6 +191,15 @@ esac</programlisting><caution>
|
|||||||
completion of a successful <command>shorewall restore</command> and
|
completion of a successful <command>shorewall restore</command> and
|
||||||
<command>shorewall-lite restore</command>.</para>
|
<command>shorewall-lite restore</command>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>findgw -- This script is invoked when Shorewall is attempting to
|
||||||
|
discover the gateway through a dynamic interface. The script is most
|
||||||
|
often used when the interface is managed by dhclient which has no
|
||||||
|
standardized location/name for its lease database. Scripts for use
|
||||||
|
with dhclient on several distributions are available at <ulink
|
||||||
|
url="http://www.shorewall.net/pub/shorewall/contrib/findgw/">http://www.shorewall.net/pub/shorewall/contrib/findgw/</ulink></para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para><emphasis role="bold">If your version of Shorewall doesn't have the
|
<para><emphasis role="bold">If your version of Shorewall doesn't have the
|
||||||
|
@ -119,9 +119,11 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Set of hosts that you wish to masquerade. You can specify this
|
<para>Set of hosts that you wish to masquerade. You can specify this
|
||||||
as an <emphasis>address</emphasis> (net or host) or as an
|
as an <emphasis>address</emphasis> (net or host) or as an
|
||||||
<emphasis>interface</emphasis>. If you give the name of an
|
<emphasis>interface</emphasis> (use of an
|
||||||
interface, the interface must be up before you start the firewall
|
<emphasis>interface</emphasis> is deprecated). If you give the name
|
||||||
(Shorewall will use your main routing table to determine the
|
of an interface, the interface must be up before you start the
|
||||||
|
firewall and the Shorewall rules compiler will warn you of that
|
||||||
|
fact. (Shorewall will use your main routing table to determine the
|
||||||
appropriate addresses to masquerade).</para>
|
appropriate addresses to masquerade).</para>
|
||||||
|
|
||||||
<para>In order to exclude a address of the specified SOURCE, you may
|
<para>In order to exclude a address of the specified SOURCE, you may
|
||||||
@ -384,6 +386,67 @@
|
|||||||
</variablelist>
|
</variablelist>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
|
||||||
|
[<emphasis
|
||||||
|
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||||
|
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||||
|
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Only locally-generated connections will match if this column
|
||||||
|
is non-empty.</para>
|
||||||
|
|
||||||
|
<para>When this column is non-empty, the rule applies only if the
|
||||||
|
program generating the output is running under the effective
|
||||||
|
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
|
||||||
|
specified (or is NOT running under that id if "!" is given).</para>
|
||||||
|
|
||||||
|
<para>Examples:</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term>joe</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>program must be run by joe</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>:kids</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>program must be run by a member of the 'kids'
|
||||||
|
group</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>!:kids</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>program must not be run by a member of the 'kids'
|
||||||
|
group</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>+upnpd</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>#program named upnpd</para>
|
||||||
|
|
||||||
|
<important>
|
||||||
|
<para>The ability to specify a program name was removed from
|
||||||
|
Netfilter in kernel version 2.6.14.</para>
|
||||||
|
</important>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
|
@ -266,10 +266,7 @@
|
|||||||
<para>This lets you define a classifier for the given
|
<para>This lets you define a classifier for the given
|
||||||
<emphasis>value</emphasis>/<emphasis>mask</emphasis>
|
<emphasis>value</emphasis>/<emphasis>mask</emphasis>
|
||||||
combination of the IP packet's TOS/Precedence/DiffSrv octet
|
combination of the IP packet's TOS/Precedence/DiffSrv octet
|
||||||
(aka the TOS byte). Please note that classifiers override all
|
(aka the TOS byte). </para>
|
||||||
mark settings, so if you define a classifer for a class, all
|
|
||||||
traffic having that mark will go in it regardless of any mark
|
|
||||||
set on the packet by a firewall/mangle filter.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -1,4 +1,6 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
||||||
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
||||||
<refentry>
|
<refentry>
|
||||||
<refmeta>
|
<refmeta>
|
||||||
<refentrytitle>shorewall-tos</refentrytitle>
|
<refentrytitle>shorewall-tos</refentrytitle>
|
||||||
@ -26,38 +28,11 @@
|
|||||||
<para>The columns in the file are as follows.</para>
|
<para>The columns in the file are as follows.</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">SOURCE</emphasis> -
|
|
||||||
{<emphasis>zone</emphasis>[<emphasis
|
|
||||||
role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis
|
|
||||||
role="bold">all</emphasis>|<emphasis role="bold">$FW</emphasis>}
|
|
||||||
(Shorewall-shell)</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Name of a <replaceable>zone</replaceable> declared in <ulink
|
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5), <emphasis
|
|
||||||
role="bold">all</emphasis> or <emphasis
|
|
||||||
role="bold">$FW</emphasis>.</para>
|
|
||||||
|
|
||||||
<para>If not <emphasis role="bold">all</emphasis> or <emphasis
|
|
||||||
role="bold">$FW</emphasis>, may optionally be followed by ":" and an
|
|
||||||
IP address, a MAC address, a subnet specification or the name of an
|
|
||||||
interface.</para>
|
|
||||||
|
|
||||||
<para>Example: loc:192.168.2.3</para>
|
|
||||||
|
|
||||||
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
|
||||||
separator.</para>
|
|
||||||
|
|
||||||
<para>Example: ~00-A0-C9-15-39-78</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
|
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
|
||||||
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
|
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
|
||||||
role="bold">all</emphasis>:<emphasis>address</emphasis>|<emphasis
|
role="bold">all</emphasis>:<emphasis>address</emphasis>|<emphasis
|
||||||
role="bold">$FW</emphasis>} (Shorewall-perl)</term>
|
role="bold">$FW</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If <emphasis role="bold">all</emphasis>, may optionally be
|
<para>If <emphasis role="bold">all</emphasis>, may optionally be
|
||||||
@ -73,29 +48,10 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">DEST</emphasis> -
|
|
||||||
{<emphasis>zone</emphasis>[<emphasis
|
|
||||||
role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis
|
|
||||||
role="bold">all</emphasis>} (Shorewall-shell)</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Name of a zone declared in <ulink
|
|
||||||
url="shorewall-zones.html">shorewall-zones</ulink>(5) or <emphasis
|
|
||||||
role="bold">all</emphasis>.</para>
|
|
||||||
|
|
||||||
<para>If not <emphasis role="bold">all</emphasis>, may optionally be
|
|
||||||
followed by ":" and an IP address or a subnet specification</para>
|
|
||||||
|
|
||||||
<para>Example: loc:192.168.2.3</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
|
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
|
||||||
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
|
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
|
||||||
role="bold">all</emphasis>:<emphasis>address</emphasis>}
|
role="bold">all</emphasis>:<emphasis>address</emphasis>}</term>
|
||||||
(Shorewall-perl)</term>
|
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Example: 192.168.2.3</para>
|
<para>Example: 192.168.2.3</para>
|
||||||
@ -213,4 +169,4 @@
|
|||||||
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
||||||
shorewall-tcrules(5), shorewall-tunnels(5), shorewall-zones(5)</para>
|
shorewall-tcrules(5), shorewall-tunnels(5), shorewall-zones(5)</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
</refentry>
|
</refentry>
|
||||||
|
@ -219,6 +219,19 @@
|
|||||||
choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
|
choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
|
||||||
</cmdsynopsis>
|
</cmdsynopsis>
|
||||||
|
|
||||||
|
<cmdsynopsis>
|
||||||
|
<command>shorewall</command>
|
||||||
|
|
||||||
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
||||||
|
|
||||||
|
<arg>-<replaceable>options</replaceable></arg>
|
||||||
|
|
||||||
|
<arg choice="plain"><option>iptrace</option></arg>
|
||||||
|
|
||||||
|
<arg choice="plain"><replaceable>iptables match
|
||||||
|
expression</replaceable></arg>
|
||||||
|
</cmdsynopsis>
|
||||||
|
|
||||||
<cmdsynopsis>
|
<cmdsynopsis>
|
||||||
<command>shorewall</command>
|
<command>shorewall</command>
|
||||||
|
|
||||||
@ -279,6 +292,19 @@
|
|||||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
<arg choice="plain"><replaceable>address</replaceable></arg>
|
||||||
</cmdsynopsis>
|
</cmdsynopsis>
|
||||||
|
|
||||||
|
<cmdsynopsis>
|
||||||
|
<command>shorewall</command>
|
||||||
|
|
||||||
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
||||||
|
|
||||||
|
<arg>-<replaceable>options</replaceable></arg>
|
||||||
|
|
||||||
|
<arg choice="plain"><option>noiptrace</option></arg>
|
||||||
|
|
||||||
|
<arg choice="plain"><replaceable>iptables match
|
||||||
|
expression</replaceable></arg>
|
||||||
|
</cmdsynopsis>
|
||||||
|
|
||||||
<cmdsynopsis>
|
<cmdsynopsis>
|
||||||
<command>shorewall</command>
|
<command>shorewall</command>
|
||||||
|
|
||||||
@ -835,6 +861,25 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">iptrace</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This is a low-level debugging command that causes iptables
|
||||||
|
TRACE log records to be created. See iptables(8) for details.</para>
|
||||||
|
|
||||||
|
<para>The <replaceable>iptables match expression</replaceable> must
|
||||||
|
be one or more matches that may appear in both the raw table OUTPUT
|
||||||
|
and raw table PREROUTING chains.</para>
|
||||||
|
|
||||||
|
<para>The trace records are written to the kernel's log buffer with
|
||||||
|
faciility = kernel and priority = warning, and they are routed from
|
||||||
|
there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
|
||||||
|
Shorewall has no control over where the messages go; consult your
|
||||||
|
logging daemon's documentation.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">load</emphasis></term>
|
<term><emphasis role="bold">load</emphasis></term>
|
||||||
|
|
||||||
@ -919,6 +964,19 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">noiptrace</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This is a low-level debugging command that cancels a trace
|
||||||
|
started by a preceding <command>iptrace</command> command.</para>
|
||||||
|
|
||||||
|
<para>The <replaceable>iptables match expression</replaceable> must
|
||||||
|
be one given in the <command>iptrace</command> command being
|
||||||
|
cancelled.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">refresh</emphasis></term>
|
<term><emphasis role="bold">refresh</emphasis></term>
|
||||||
|
|
||||||
@ -1350,9 +1408,9 @@
|
|||||||
<term><emphasis role="bold">version</emphasis></term>
|
<term><emphasis role="bold">version</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Displays Shorewall's version. If the <option>-a</option>
|
<para>Displays Shorewall's version. The <option>-a</option> option
|
||||||
option is included, the versions of Shorewall-shell and/or
|
is included for compatibility with earlier Shorewall releases and is
|
||||||
Shorewall-perl will also be displayed.</para>
|
ignored.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
@ -260,10 +260,7 @@
|
|||||||
<para>This lets you define a classifier for the given
|
<para>This lets you define a classifier for the given
|
||||||
<emphasis>value</emphasis>/<emphasis>mask</emphasis>
|
<emphasis>value</emphasis>/<emphasis>mask</emphasis>
|
||||||
combination of the IP packet's TOS/Precedence/DiffSrv octet
|
combination of the IP packet's TOS/Precedence/DiffSrv octet
|
||||||
(aka the TOS byte). Please note that classifiers override all
|
(aka the TOS byte).</para>
|
||||||
mark settings, so if you define a classifer for a class, all
|
|
||||||
traffic having that mark will go in it regardless of any mark
|
|
||||||
set on the packet by a firewall/mangle filter.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -144,6 +144,19 @@
|
|||||||
<arg choice="plain"><option>help</option></arg>
|
<arg choice="plain"><option>help</option></arg>
|
||||||
</cmdsynopsis>
|
</cmdsynopsis>
|
||||||
|
|
||||||
|
<cmdsynopsis>
|
||||||
|
<command>shorewall6</command>
|
||||||
|
|
||||||
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
||||||
|
|
||||||
|
<arg>-<replaceable>options</replaceable></arg>
|
||||||
|
|
||||||
|
<arg choice="plain"><option>iptrace</option></arg>
|
||||||
|
|
||||||
|
<arg choice="plain"><replaceable>iptables match
|
||||||
|
expression</replaceable></arg>
|
||||||
|
</cmdsynopsis>
|
||||||
|
|
||||||
<cmdsynopsis>
|
<cmdsynopsis>
|
||||||
<command>shorewall6</command>
|
<command>shorewall6</command>
|
||||||
|
|
||||||
@ -204,6 +217,19 @@
|
|||||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
<arg choice="plain"><replaceable>address</replaceable></arg>
|
||||||
</cmdsynopsis>
|
</cmdsynopsis>
|
||||||
|
|
||||||
|
<cmdsynopsis>
|
||||||
|
<command>shorewall6</command>
|
||||||
|
|
||||||
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
||||||
|
|
||||||
|
<arg>-<replaceable>options</replaceable></arg>
|
||||||
|
|
||||||
|
<arg choice="plain"><option>noiptrace</option></arg>
|
||||||
|
|
||||||
|
<arg choice="plain"><replaceable>iptables match
|
||||||
|
expression</replaceable></arg>
|
||||||
|
</cmdsynopsis>
|
||||||
|
|
||||||
<cmdsynopsis>
|
<cmdsynopsis>
|
||||||
<command>shorewall6</command>
|
<command>shorewall6</command>
|
||||||
|
|
||||||
@ -670,12 +696,22 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">hits</emphasis></term>
|
<term><emphasis role="bold">iptrace</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Generates several reports from Shorewall6 log messages in the
|
<para>This is a low-level debugging command that causes iptables
|
||||||
current log file. If the <option>-t</option> option is included, the
|
TRACE log records to be created. See ip6tables(8) for
|
||||||
reports are restricted to log messages generated today.</para>
|
details.</para>
|
||||||
|
|
||||||
|
<para>The <replaceable>ip6tables match expression</replaceable> must
|
||||||
|
be one or more matches that may appear in both the raw table OUTPUT
|
||||||
|
and raw table PREROUTING chains.</para>
|
||||||
|
|
||||||
|
<para>The trace records are written to the kernel's log buffer with
|
||||||
|
faciility = kernel and priority = warning, and they are routed from
|
||||||
|
there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
|
||||||
|
Shorewall has no control over where the messages go; consult your
|
||||||
|
logging daemon's documentation.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -763,6 +799,19 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">noiptrace</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This is a low-level debugging command that cancels a trace
|
||||||
|
started by a preceding <command>iptrace</command> command.</para>
|
||||||
|
|
||||||
|
<para>The <replaceable>iptables match expression</replaceable> must
|
||||||
|
be one given in the <command>iptrace</command> command being
|
||||||
|
cancelled.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">refresh</emphasis></term>
|
<term><emphasis role="bold">refresh</emphasis></term>
|
||||||
|
|
||||||
@ -1163,7 +1212,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Displays Shorewall6's version. If the <option>-a</option>
|
<para>Displays Shorewall6's version. If the <option>-a</option>
|
||||||
option is included, the version of Shorewall-perl will also be
|
option is included, the version of Shorewall will also be
|
||||||
displayed.</para>
|
displayed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
@ -23,9 +23,13 @@ license is included in the section entitled <span
|
|||||||
href="GnuCopyright.htm" target="_self">GNU Free Documentation
|
href="GnuCopyright.htm" target="_self">GNU Free Documentation
|
||||||
License</a></span>".
|
License</a></span>".
|
||||||
</p>
|
</p>
|
||||||
<p>June 14, 2009<br>
|
<p>June 18, 2009<br>
|
||||||
</p>
|
</p>
|
||||||
<hr style="width: 100%; height: 2px;">
|
<hr style="width: 100%; height: 2px;">
|
||||||
|
<p><span style="font-weight: bold;">2009-06-18 Shorewall 4.2.10<br>
|
||||||
|
</span><span style="font-weight: bold;"></span></p>
|
||||||
|
<pre>Problems corrected in Shorewall 4.2.10<br><br>1) A 'large quantum' warning log message during restart has been<br> eliminated. The log message occurred when an interface with a large<br> OUT-BANDWIDTH was defined in /etc/shorewall/tcdevices.<br><br>2) When a REJECT rule included a log entry, the disposition in the log<br> message was incorrectly shown as 'reject' rather than 'REJECT'.<br><br>3) When 'forward' was specified on one or more interfaces in<br> /etc/shorewall6/interfaces, the progress message "Compiling<br> Interface forwarding..." was issued multiple times. Now, only one<br> instance of the message is generated.<br><br>4) A typing error in the IPv6 two-interface sample shorewall6.conf<br> file has been corrected. This error prevented the compiler from<br> being able to find macros in /usr/share/shorewall/.<br><br>Known Problems Remaining:<br><br>1) When exclusion is used in an entry in /etc/shorewall/hosts, then<br> Shorewall-shell produces an invalid iptables rule if any of the <br> following OPTIONS are also specified in the entry: <br><br> blacklist<br> maclist<br> norfc1918<br> tcpflags<br><br>2) Shorewall-shell generates inversion rules which produce<br> warnings with iptables 1.4.3. <br><br> Example:<br><br> iptables -A lan2fw -p 6 --dport 999 -s ! 192.168.20.1 -j ACCEPT<br><br> with iptables 1.4.3.1 the following information message is produced:<br><br> Using intrapositioned negation (`--option ! this`) is deprecated in<br> favor of extrapositioned (`! --option this`).<br><br> We don't intend to fix this. 
It's time to migrate to Shorewall-perl<br> anyway.<br><br>New Features in Shorewall 4.2.10<br><br>1) Shorewall's suppport for dynamic gateways on interfaces managed by<br> dhclient works on OpenSuSE systems but not on some other<br> distributions.<br><br> In order to generalize support for learning the gateway for dynamic<br> interfaces, a new 'findgw' extension script (user exit) has been<br> added.<br><br> The exit will be invoked in a function that has a single argument:<br><br> $1 = <name of an interface><br><br> If the function can determine the gateway for the passed interface,<br> it should write the gateway to standard out. Here is a sample<br> /etc/shorewall/findgw that works with dhclient (dhcp3) in Debian<br> Lenny:<br><br> if [ -f /var/lib/dhcp3/dhclient.${1}.leases ]; then<br> grep 'option routers' /var/lib/dhcp3/dhclient.${1}.leases |\<br> tail -n 1 |\<br> while read j1 j2 gateway; do\<br> echo $gateway | sed 's/;//';\<br> done<br> fi<br><br> The same code works on Ubuntu Jaunty if you replace the first '.'<br> with '-' and replace '.leases' with '.lease' (don't you just love<br> the consistency between distributions?).<br><br> That code also works on CentOS if you replace 'dhcp3' by<br> 'dhclient'.<br><br> 'findgw' files that have been customized for various distributions<br> may be found at<br> http://www.shorewall.net/pub/shorewall/contrib/findgw.<br></pre>
|
||||||
|
<p><strong></strong></p>
|
||||||
<p><strong>2009-06-13 Shorewall 4.4.0 Beta 1</strong></p>
|
<p><strong>2009-06-13 Shorewall 4.4.0 Beta 1</strong></p>
|
||||||
<pre>Read the details at <a
|
<pre>Read the details at <a
|
||||||
href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt">http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt</a><br><strong></strong></pre>
|
href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt">http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt</a><br><strong></strong></pre>
|
||||||
|
@ -38,7 +38,7 @@
|
|||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
<p> </p>
|
<p> </p>
|
||||||
<hr><span style="font-weight: bold;">2009-06-14</span>
|
<hr><span style="font-weight: bold;">2009-06-19</span>
|
||||||
<h2><a name="Which"></a>Package Information</h2>
|
<h2><a name="Which"></a>Package Information</h2>
|
||||||
<p><b>Before trying to install, we strongly urge you to read and print
|
<p><b>Before trying to install, we strongly urge you to read and print
|
||||||
a
|
a
|
||||||
@ -66,7 +66,8 @@ shake out the bugs in the next stable release. <span
|
|||||||
</ul>
|
</ul>
|
||||||
For additional information, see this article about the <a
|
For additional information, see this article about the <a
|
||||||
href="ReleaseModel.html">Shorewall Release Model</a>.
|
href="ReleaseModel.html">Shorewall Release Model</a>.
|
||||||
<p>In Shorewall version 4.0.*, there are four related
|
<p>In Shorewall version <span style="font-weight: bold;">4.0.*</span>,
|
||||||
|
there are four related
|
||||||
packages:</p>
|
packages:</p>
|
||||||
<ul>
|
<ul>
|
||||||
<li><span style="font-weight: bold;">Shorewall-shell</span> -- the
|
<li><span style="font-weight: bold;">Shorewall-shell</span> -- the
|
||||||
@ -87,7 +88,8 @@ light-weight Shorewall version that will run
|
|||||||
compiled firewall scripts generated on a system with one of the
|
compiled firewall scripts generated on a system with one of the
|
||||||
compiler packages installed.</li>
|
compiler packages installed.</li>
|
||||||
</ul>
|
</ul>
|
||||||
In Shorewall version 4.2.*, there are two additional
|
In Shorewall version <span style="font-weight: bold;">4.2.*</span>,
|
||||||
|
there are two additional
|
||||||
packages that provide IPv6 support:<br>
|
packages that provide IPv6 support:<br>
|
||||||
<ul>
|
<ul>
|
||||||
<li><span style="font-weight: bold;">Shorewall6</span> -- Provides
|
<li><span style="font-weight: bold;">Shorewall6</span> -- Provides
|
||||||
@ -101,7 +103,8 @@ run compiled firewall scripts generated on a system with Shorewall6
|
|||||||
installed.<br>
|
installed.<br>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
In Shorewall version 4.4.*, the Shorewall-common, Shorewall-shell and
|
In Shorewall version <span style="font-weight: bold;">4.4.*</span>,
|
||||||
|
the Shorewall-common, Shorewall-shell and
|
||||||
Shorewall-perl packages are discontinued and replaced with a single <span
|
Shorewall-perl packages are discontinued and replaced with a single <span
|
||||||
style="font-weight: bold;">Shorewall</span> package which combined the
|
style="font-weight: bold;">Shorewall</span> package which combined the
|
||||||
functions of Shorewall-common and Shorewall-perl. The shell-based
|
functions of Shorewall-common and Shorewall-perl. The shell-based
|
||||||
@ -137,6 +140,11 @@ or both of the compilers on a single <em>administrative</em> system
|
|||||||
and install Shorewall-lite and/or Shorewall6-lite on the firewalls.
|
and install Shorewall-lite and/or Shorewall6-lite on the firewalls.
|
||||||
Doing so will allow for
|
Doing so will allow for
|
||||||
centralized administration and configuration of the firewalls.</li>
|
centralized administration and configuration of the firewalls.</li>
|
||||||
|
<li>When RPM is used to install Shorewall, the compiler
|
||||||
|
(shorewall-shell
|
||||||
|
and/or shorewall-perl) and shorewall-common must be installed in a
|
||||||
|
single execution of the
|
||||||
|
rpm utility.</li>
|
||||||
</ul>
|
</ul>
|
||||||
<li>If you are installing Shorewall 4.4 or later:</li>
|
<li>If you are installing Shorewall 4.4 or later:</li>
|
||||||
<ul>
|
<ul>
|
||||||
@ -153,11 +161,6 @@ configuration of the firewalls.<br>
|
|||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</ul>
|
</ul>
|
||||||
<p>When RPM is used to install Shorewall, the compiler (shorewall-shell
|
|
||||||
and/or shorewall-perl) and shorewall-common must be installed in a
|
|
||||||
single execution of the
|
|
||||||
rpm utility.<br>
|
|
||||||
</p>
|
|
||||||
<p>Here are the <a href="Install.htm">installation instructions</a>.</p>
|
<p>Here are the <a href="Install.htm">installation instructions</a>.</p>
|
||||||
<h2><a name="Distros"></a>Distribution-specific Download Sites</h2>
|
<h2><a name="Distros"></a>Distribution-specific Download Sites</h2>
|
||||||
<p>Once you've printed the appropriate QuickStart Guide, download the
|
<p>Once you've printed the appropriate QuickStart Guide, download the
|
||||||
@ -215,7 +218,7 @@ stable release are available from the package maintainer's <a
|
|||||||
<li>If you run <a style="font-weight: bold;" href="Ubuntu">Ubuntu,</a>
|
<li>If you run <a style="font-weight: bold;" href="Ubuntu">Ubuntu,</a>
|
||||||
Benjamin Montgomery maintains a <a
|
Benjamin Montgomery maintains a <a
|
||||||
href="https://launchpad.net/%7Ebmonty/+archive/ppa">repository for
|
href="https://launchpad.net/%7Ebmonty/+archive/ppa">repository for
|
||||||
Hardy Heron</a>.<br>
|
Hardy Heron and Jaunty Jackalope</a>.<br>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<p style="margin-bottom: 0in;">If you run <a
|
<p style="margin-bottom: 0in;">If you run <a
|
||||||
|
@ -47,7 +47,9 @@
|
|||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">2009-06-14</span><br>
|
<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">2009-06-20</span><br>
|
||||||
|
<h3><a href="Notices.html#Shell-EOL">Attention Shorewall-shell users</a><br>
|
||||||
|
</h3>
|
||||||
<h3><a name="Releases"></a>Current Shorewall Releases</h3>
|
<h3><a name="Releases"></a>Current Shorewall Releases</h3>
|
||||||
<table style="text-align: left; width: 100%;" border="0" cellpadding="2"
|
<table style="text-align: left; width: 100%;" border="0" cellpadding="2"
|
||||||
cellspacing="0">
|
cellspacing="0">
|
||||||
@ -58,13 +60,13 @@
|
|||||||
Stable Release</span><br>
|
Stable Release</span><br>
|
||||||
</div>
|
</div>
|
||||||
</td>
|
</td>
|
||||||
<td style="vertical-align: top;"><span style="font-weight: bold;">4.2.9</span>
|
<td style="vertical-align: top;"><span style="font-weight: bold;">4.2.10</span>
|
||||||
(includes <a href="IPv6Support.html">IPv6 support.</a>)</td>
|
(includes <a href="IPv6Support.html">IPv6 support.</a>)</td>
|
||||||
<td style="vertical-align: top;"><a
|
<td style="vertical-align: top;"><a
|
||||||
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.9/releasenotes.txt">Release
|
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.10/releasenotes.txt">Release
|
||||||
notes</a> </td>
|
notes</a> </td>
|
||||||
<td style="vertical-align: top;"><a
|
<td style="vertical-align: top;"><a
|
||||||
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.9/known_problems.txt">Known
|
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.10/known_problems.txt">Known
|
||||||
Problems</a></td>
|
Problems</a></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
@ -91,14 +93,14 @@ Release</span><br>
|
|||||||
</div>
|
</div>
|
||||||
</td>
|
</td>
|
||||||
<td style="vertical-align: top;"><span style="font-weight: bold;">4.4.0
|
<td style="vertical-align: top;"><span style="font-weight: bold;">4.4.0
|
||||||
Beta 1</span><br>
|
Beta 2</span><br>
|
||||||
</td>
|
</td>
|
||||||
<td style="vertical-align: top;"><a
|
<td style="vertical-align: top;"><a
|
||||||
href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt">Release
|
href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta2/releasenotes.txt">Release
|
||||||
Notes<br>
|
Notes<br>
|
||||||
</a> </td>
|
</a> </td>
|
||||||
<td style="vertical-align: top;"><a
|
<td style="vertical-align: top;"><a
|
||||||
href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/known_problems.txt">Known
|
href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta2/known_problems.txt">Known
|
||||||
Problems</a> </td>
|
Problems</a> </td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
|