Update versions to 2.5.3

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2566 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-14 19:54:06 +01:00 · 2005-08-26 22:42:35 +00:00 · 2005-08-26 22:42:35 +00:00 · 2ac7b97dde
commit 2ac7b97dde
parent 86c837bf48
5 changed files with 78 additions and 6 deletions
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=2.5.2
+VERSION=2.5.3

 usage() # $1 = exit status
 {
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #

-VERSION=2.5.2
+VERSION=2.5.3

 usage() # $1 = exit status
 {
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -72,6 +72,13 @@ New Features in Shorewall 2.5.3
    Macros may be used in these sections provided that they expand to
    only these ACTIONs.

+    At the end of the ESTABLISHED and RELATED sections, there is an
+    implicit "ALLOW   all	  all all" rule.
+
+    RESTRICTION: If you specify FASTACCEPT=Yes in
+    /etc/shorewall.shorewall.conf then the ESTABLISHED and RELATED
+    sections must be empty.
+
 6)  The value 'ipp2p' is once again allowed in the PROTO column of
    the rules file. It is recommended that rules specifying 'ipp2p'
    only be included in the ESTABLISHED section of the file.
@ -410,8 +417,8 @@ New Features in Shorewall 2.5.*

    If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are
    accepted early in the INPUT, FORWARD and OUTPUT chains. If you set
-    FASTACCEPT=Yes then you may not specify ESTABLISHED policies in 
-    /etc/shorewall/policy (see above).
+    FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or
+    RELATED sections of /etc/shorewall/rules.

 9)  Shorewall now generates an error if the 'norfc1918' option is
    specified for an interface with an RFC 1918 address.
@ -450,4 +457,67 @@ New Features in Shorewall 2.5.*
    scripts. The value of this variable is sometimes of interest to
    programmers providing custom /etc/shorewall/tcstart scripts.

+14) Previously, if you defined any intra-zone rule(s) then any traffic
+    not matching the rule(s) was subject to normal policies (which
+    usually turned out to involve the all->all REJECT policy). Now, the
+    intra-zone ACCEPT policy will still be in effect in the presense of
+    intra-zone rules. That policy can still be overridden by an
+    explicit policy in your /etc/shorewall/policy file.
+
+    Example:
+
+    /etc/shorewall/rules:
+
+    DNAT	loc:!192.168.1.4  loc:192.168.1.4:3128	tcp	80
+
+    Any other loc->loc traffic will still be accepted. If you want to
+    also log that other loc->loc traffic at the info log level then
+    insert this into /etc/shorewall/policy:
+
+    #SOURCE	DEST	POLICY	LOG LEVEL
+    loc		loc	ACCEPT	info
+
+15) Prior to Shorewall 2.5.3, the rules file only controlled packets in
+    the Netfilter states NEW and INVALID. Beginning with this release,
+    the rules file can also deal with packets in the ESTABLISHED and
+    RELATED states. 
+
+    The /etc/shorewall/rules file may now be divided into
+    "sections". Each section is introduced by a line that begins with
+    the keyword SECTION which is followed by the section name. Sections
+    are as listed below and must appear in the order shown.
+
+    ESTABLISHED
+
+	Rules in this section apply to packets in the ESTABLISHED
+	state.
+
+    RELATED
+
+	Rules in this section apply to packets in the RELATED state.
+
+    NEW
+
+	Rules in this section apply to packets in the NEW and INVALID
+	states.
+
+    Rules in the ESTABLISHED and RELATED sections are limited to the
+    following ACTIONs:
+
+	ACCEPT, DROP, REJECT, QUEUE, LOG and User-defined actions.
+
+    Macros may be used in these sections provided that they expand to
+    only these ACTIONs.
+
+    At the end of the ESTABLISHED and RELATED sections, there is an
+    implicit "ALLOW   all	  all all" rule.
+
+    RESTRICTION: If you specify FASTACCEPT=Yes in
+    /etc/shorewall.shorewall.conf then the ESTABLISHED and RELATED
+    sections must be empty.
+
+16) The value 'ipp2p' is once again allowed in the PROTO column of
+    the rules file. It is recommended that rules specifying 'ipp2p'
+    only be included in the ESTABLISHED section of the file.
+

--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 2.5.2
+%define version 2.5.3
 %define release 1
 %define prefix /usr

@ -155,6 +155,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn

 %changelog
+* Fri Aug 26 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.5.3-1
 * Tue Aug 16 2005 Tom Eastep tom@shorewall.net
 - Updated to 2.5.2-1
 * Sun Aug 07 2005 Tom Eastep tom@shorewall.net
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=2.5.2
+VERSION=2.5.3

 usage() # $1 = exit status
 {