@ -72,6 +72,13 @@ New Features in Shorewall 2.5.3
Macros may be used in these sections provided that they expand to
only these ACTIONs.
At the end of the ESTABLISHED and RELATED sections, there is an
implicit "ALLOW all all all" rule.
RESTRICTION: If you specify FASTACCEPT=Yes in
/etc/shorewall.shorewall.conf then the ESTABLISHED and RELATED
sections must be empty.
6) The value 'ipp2p' is once again allowed in the PROTO column of
the rules file. It is recommended that rules specifying 'ipp2p'
only be included in the ESTABLISHED section of the file.
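Review bot: The path in the RESTRICTION paragraph reads `/etc/shorewall.shorewall.conf`; every other path in these notes uses a directory separator (`/etc/shorewall/policy`, `/etc/shorewall/rules`), so this should read `/etc/shorewall/shorewall.conf`. The implicit rule is quoted as "ALLOW all all all", yet ALLOW is not among the ACTIONs this same text permits in the ESTABLISHED and RELATED sections (ACCEPT, DROP, REJECT, QUEUE, LOG); if ACCEPT is meant, the quoted rule should say ACCEPT, otherwise a reader may try to write ALLOW in a rule and get an error.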
@ -410,8 +417,8 @@ New Features in Shorewall 2.5.*
If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are
accepted early in the INPUT, FORWARD and OUTPUT chains. If you set
FASTACCEPT=Yes then you may not specify ESTABLISHED policies in
/etc/shorewall/policy (see above).
FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or
RELATED sections of /etc/shorewall/rules.
9) Shorewall now generates an error if the 'norfc1918' option is
specified for an interface with an RFC 1918 address.
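Review bot: The two forms of the FASTACCEPT=Yes sentence forbid different things: the first says you may not specify ESTABLISHED policies in /etc/shorewall/policy (see above), the second says you may not include rules in the ESTABLISHED or RELATED sections of /etc/shorewall/rules. If the policy restriction still holds, keep it alongside the new rules restriction instead of replacing it; if it no longer holds, say so explicitly, since the "(see above)" cross-reference in the earlier section will otherwise leave readers unsure. Also "RELEATED" should be "RELATED".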
@ -450,4 +457,67 @@ New Features in Shorewall 2.5.*
scripts. The value of this variable is sometimes of interest to
programmers providing custom /etc/shorewall/tcstart scripts.
14) Previously, if you defined any intra-zone rule(s) then any traffic
not matching the rule(s) was subject to normal policies (which
usually turned out to involve the all->all REJECT policy). Now, the
intra-zone ACCEPT policy will still be in effect in the presense of
intra-zone rules. That policy can still be overridden by an
explicit policy in your /etc/shorewall/policy file.
Example:
/etc/shorewall/rules:
DNAT loc:!192.168.1.4 loc:192.168.1.4:3128 tcp 80
Any other loc->loc traffic will still be accepted. If you want to
also log that other loc->loc traffic at the info log level then
insert this into /etc/shorewall/policy:
#SOURCE DEST POLICY LOG LEVEL
loc loc ACCEPT info
15) Prior to Shorewall 2.5.3, the rules file only controlled packets in
the Netfilter states NEW and INVALID. Beginning with this release,
the rules file can also deal with packets in the ESTABLISHED and
RELATED states.
The /etc/shorewall/rules file may now be divided into
"sections". Each section is introduced by a line that begins with
the keyword SECTION which is followed by the section name. Sections
are as listed below and must appear in the order shown.
ESTABLISHED
Rules in this section apply to packets in the ESTABLISHED
state.
RELATED
Rules in this section apply to packets in the RELATED state.
NEW
Rules in this section apply to packets in the NEW and INVALID
states.
Rules in the ESTABLISHED and RELATED sections are limited to the
following ACTIONs:
ACCEPT, DROP, REJECT, QUEUE, LOG and User-defined actions.
Macros may be used in these sections provided that they expand to
only these ACTIONs.
At the end of the ESTABLISHED and RELATED sections, there is an
implicit "ALLOW all all all" rule.
RESTRICTION: If you specify FASTACCEPT=Yes in
/etc/shorewall.shorewall.conf then the ESTABLISHED and RELATED
sections must be empty.
16) The value 'ipp2p' is once again allowed in the PROTO column of
the rules file. It is recommended that rules specifying 'ipp2p'
only be included in the ESTABLISHED section of the file.
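Review bot: Item 14's example tells the reader to insert `loc loc ACCEPT info` into /etc/shorewall/policy but not where; the policy file is matched in order, so that line must come before the all->all REJECT policy the same paragraph mentions, or it is never reached and the logging the example promises does not happen. Also, "presense" should be "presence" in item 14, and item 15 repeats the `/etc/shorewall.shorewall.conf` path typo and the "ALLOW all all all" wording, which names an action not in the ACTION list given two paragraphs earlier (ACCEPT, DROP, REJECT, QUEUE, LOG).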