From 3d0ec74fde53c781d9d8a242d44cf9d4ad8fab34 Mon Sep 17 00:00:00 2001
From: teastep
Date: Thu, 1 Dec 2005 22:27:18 +0000
Subject: [PATCH] Clarifications and minor documentation corrections
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3108 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/releasenotes.txt | 10 +++-------
 Shorewall/shorewall.conf | 6 ++----
 2 files changed, 5 insertions(+), 11 deletions(-)
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index f80545503..e961ea941 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -664,11 +664,7 @@ New Features in Shorewall 3.0.*
 must have restarted Shorewall using this release before this feature will work correctly.
-25) The multi-ISP code now requires that that you set MARK_IN_FORWARD_CHAIN=Yes
- in shorewall.conf. This is done to ensure that "shorewall refresh" will
- work correctly.
-
-26) Shorewall now supports UDP IPP2P matching. In addition to the "ipp2p"
+25) Shorewall now supports UDP IPP2P matching. In addition to the "ipp2p"
 keyword in the PROTOCOL column of the relevant files, the following values may be specified:
@@ -678,7 +674,7 @@ New Features in Shorewall 3.0.*
 ipp2p:all Matches both UDP and TCP traffic. You may not specify a SOURCE PORT with this PROTOCOL.
-27) Normally MAC verification triggered by the 'maclist' interface and host
+26) Normally MAC verification triggered by the 'maclist' interface and host
 options is done out of the INPUT and FORWARD chains of the filter table. Users have reported that under some circumstances, MAC verification is failing for forwarded packets when the packets are being forwarded out
@@ -691,7 +687,7 @@ New Features in Shorewall 3.0.*
 the REJECT target may not be used in the PREROUTING chain, the settings MACLIST_DISPOSITION=REJECT and MACLIST_TABLE=mangle are incompatible.
-28) The sample configurations are now packaged with the product. They are
+27) The sample configurations are now packaged with the product. They are
 in the Samples directory on the tarball and are in the RPM they are in the Samples sub-directory of the Shorewall documentation directory.
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index 5c646762a..43df9a668 100755
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@@ -368,6 +368,8 @@ IPSECFILE=zones
 # Name of the firewall zone -- if not set or if set to an empty string, then # you must include a definition of the firewall zone in /etc/shorewall/zones. #
+# Note: If IPSECFILE=zones above then you must NOT set FW and you must define
+# the firewall zone in /etc/shorewall/zones.
 FW=
@@ -483,10 +485,6 @@ CLEAR_TC=No
 # Note: Older kernels do not support marking packets in the FORWARD chain and # setting this variable to Yes may cause startup problems. #
-# Note: If you connect to the internet through more than one ISP and thus have
-# entries in /etc/shorewall/providers then you must set
-# MARK_IN_FORWARD_CHAIN=Yes.
-#
 MARK_IN_FORWARD_CHAIN=No
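Review bot: The note added above `FW=` in the first shorewall.conf hunk says FW must not be set when IPSECFILE=zones, but it does not say what happens if an administrator sets both. Nothing visible in the hunk shows whether that combination is rejected at startup or quietly resolved in favour of one source. Since this setting names the firewall's own zone, the outcome of a conflict is worth stating in the comment. I would also word the instruction as an action that matches the empty `FW=` below it, e.g. `# Note: If IPSECFILE=zones above, leave FW empty and define the firewall zone` / `# in /etc/shorewall/zones.`, followed by one sentence on the conflict behaviour.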