Update documentation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6408 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-05-19 14:41:19 +00:00
parent 6170fc114d
commit 436ec8559d
3 changed files with 84 additions and 22 deletions


@ -1,4 +1,4 @@
Shorewall 3.9.8 Shorewall 4.0.0 Beta 1
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
R E L E A S E H I G H L I G H T S R E L E A S E H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
@ -15,7 +15,7 @@ Shorewall 3.9.8
You must install Shorewall and at least one of the compiler packages You must install Shorewall and at least one of the compiler packages
(you may install them both). (you may install them both).
Problems corrected in 3.9.8. Problems corrected in 4.0.0 Beta 1.
1) The commands "shorewall add/delete <interface> <zone>" no longer 1) The commands "shorewall add/delete <interface> <zone>" no longer
case lots of error messages to be issued. case lots of error messages to be issued.
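Review bot: the context line under item 1 reads "case lots of error messages to be issued", where "case" should be "cause". This hunk already edits the "Problems corrected in" heading just above it for the version bump, so the typo can be fixed in the same change.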
@ -26,7 +26,7 @@ Problems corrected in 3.9.8.
3) A run-time error no longer occurs when an IP address is specified 3) A run-time error no longer occurs when an IP address is specified
in the GATEWAY column of /etc/shorewall/providers. in the GATEWAY column of /etc/shorewall/providers.
Other changes in Shorewall 3.9.8. Other changes in Shorewall 4.0.0 Beta 1.
1) The "shorewall show zones" command now flags zone members that have 1) The "shorewall show zones" command now flags zone members that have
been added using "shorewall add" by preceding them with a plus sign been added using "shorewall add" by preceding them with a plus sign


@ -38,7 +38,7 @@
<title>Introduction</title> <title>Introduction</title>
<para>Shorewall version 4 is currently in development and is available for <para>Shorewall version 4 is currently in development and is available for
testing as the 3.9.x series.</para> beta testing.</para>
<para>Shorewall version 4 represents a substantial shift in direction for <para>Shorewall version 4 represents a substantial shift in direction for
Shorewall. Up to now</para> Shorewall. Up to now</para>
@ -85,7 +85,7 @@
<para>You can download the development version of Shorewall Version 4 from <para>You can download the development version of Shorewall Version 4 from
any of the download sites with the exception of SourceForge. It is any of the download sites with the exception of SourceForge. It is
contained in the <filename contained in the <filename
class="directory">/pub/shorewall/development/3.9/</filename> class="directory">/pub/shorewall/development/4.0</filename>
directory.</para> directory.</para>
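Review bot: the new value of the <filename class="directory"> element drops the trailing slash that the old value had ("/pub/shorewall/development/3.9/" versus "/pub/shorewall/development/4.0"). Keep the trailing slash so the directory reference stays in the same form as before.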
<para>Shorewall 4 contains four packages:</para> <para>Shorewall 4 contains four packages:</para>
@ -98,7 +98,7 @@
<listitem> <listitem>
<para>Shorewall-perl - the new Perl-based compiler. May be installed <para>Shorewall-perl - the new Perl-based compiler. May be installed
under Shorewall 3.4.2 or later or 3.9.x.</para> under Shorewall 3.4.2 or later or 4.0.x.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -397,6 +397,28 @@ fi</programlisting>
combination doesn't work in previous versions of Shorewall so the combination doesn't work in previous versions of Shorewall so the
Perl-based compiler simply rejects it.</para> Perl-based compiler simply rejects it.</para>
</listitem> </listitem>
<listitem>
<para>Shorewall-perl has a single rule generator that is used for all
rule-oriented files. So it is important that the syntax is consistent
between files.</para>
<para>With shorewall-shell, there is a special syntax in the SOURCE
column of /etc/shorewall/masq to designate "all traffic entering the
firewall on this interface except...".</para>
<para>Example:<programlisting>#INTERFACE SOURCE ADDRESSES
eth0 eth1!192.168.4.9 ...</programlisting>Shorewall-perl
uses syntax that is consistent with the rest of
Shorewall:<programlisting>#INTERFACE SOURCE ADDRESSES
eth0 eth1:!192.168.4.9 ...</programlisting> </para>
</listitem>
<listitem>
<para>The 'allowoutUPnP' built-in action is no longer supported. In
kernel 2.6.14, the Netfilter team have removed support for '-m owner
--owner-cmd' which that action depended on.</para>
</listitem>
</orderedlist> </orderedlist>
</section> </section>
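Review bot: the new masq item shows the shorewall-shell form "eth1!192.168.4.9" and the Shorewall-perl form "eth1:!192.168.4.9", but does not say what Shorewall-perl does when it meets the old form in an existing /etc/shorewall/masq. The entry expresses an exclusion from masquerading, so the text should state how the old form is handled at compile time, which tells users migrating a configuration what to look for. The second </programlisting> in this item is also followed by a stray space before </para>.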
@ -408,24 +430,36 @@ fi</programlisting>
<para>If you install both compilers, then the compiler actually used <para>If you install both compilers, then the compiler actually used
depends on the SHOREWALL_COMPILER setting in depends on the SHOREWALL_COMPILER setting in
<filename>shorewall.conf</filename>. The value of this new option can be <filename>shorewall.conf</filename>.</para>
either 'perl' or 'shell'.</para>
<para>If you add 'SHOREWALL_COMPILER=shell' to <para>The value of this new option can be either 'perl' or 'shell'.</para>
<para>If you add 'SHOREWALL_COMPILER=perl' to
<filename>/etc/shorewall/shorewall.conf</filename> then by default, the <filename>/etc/shorewall/shorewall.conf</filename> then by default, the
new compiler will be used on the system. If you add it to new compiler will be used on the system. If you add it to
<filename>shorewall.conf</filename> in a separate directory (such as a <filename>shorewall.conf</filename> in a separate directory (such as a
Shorewall-lite export directory) then the new compiler will only be used Shorewall-lite export directory) then the new compiler will only be used
when you compile from that directory. If you only install one compiler, it when you compile from that directory.</para>
is suggested that you do not set SHOREWALL_COMPILER. Regardless of the
setting of SHOREWALL_COMPILER, there is one change in Shorewall operation <para>If you only install one compiler, it is suggested that you do not
that is triggered simply by installing shorewall-perl. Your set SHOREWALL_COMPILER.</para>
<filename>params</filename> file will be processed during compilation with
the shell's '-a' option which causes any variables that you set or create <para>You can select the compiler to use on the command line using the 'C
in that file to be automatically exported. Since the params file is option:<simplelist>
processed before <filename>shorewall.conf</filename>, using -a insures <member>'-C shell' means use the shell compiler</member>
that the settings of your params variables are available to the new
compiler should it's use be specified in <member>'-C perl' means use the perl compiler</member>
<filename>shorewall.conf</filename>.</para> </simplelist>The -C option overrides the setting in
shorewall.conf.</para>
<para>Example:<programlisting><command>shorewall restart -C perl</command></programlisting>Regardless
of the setting of SHOREWALL_COMPILER, there is one change in Shorewall
operation that is triggered simply by installing shorewall-perl. Your
params file will be processed during compilation with the shell's '-a'
option which causes any variables that you set or create in that file to
be automatically exported. Since the params file is processed before
shorewall.conf, using -a insures that the settings of your params
variables are available to the new compiler should its use be specified in
shorewall.conf.</para>
</section> </section>
</article> </article>
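Review bot: in the added paragraph on command-line selection, "using the 'C option" has lost its hyphen and closing quote; it should read '-C' to match the two <member> entries and the example "shorewall restart -C perl". In the same hunk, the "Regardless of the setting of SHOREWALL_COMPILER" text now runs on directly after </programlisting> inside the Example paragraph and would read better as its own <para>. The rewrite also drops the <filename> markup around params and shorewall.conf, and keeps "insures" where "ensures" is meant.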


@ -338,6 +338,34 @@ fi</programlisting>
supported; neither is the supported; neither is the
<filename>/etc/shorewall/ipsec</filename> file.</para> <filename>/etc/shorewall/ipsec</filename> file.</para>
</listitem> </listitem>
<listitem>
<para>BLACKLISTNEWONLY=No is not permitted with FASTACCEPT=Yes.
This combination doesn't work in previous versions of Shorewall so
the Perl-based compiler simply rejects it.</para>
</listitem>
<listitem>
<para>Shorewall-perl has a single rule generator that is used for
all rule-oriented files. So it is important that the syntax is
consistent between files.</para>
<para>With shorewall-shell, there is a special syntax in the
SOURCE column of /etc/shorewall/masq to designate "all traffic
entering the firewall on this interface except...".</para>
<para>Example:<programlisting>#INTERFACE SOURCE ADDRESSES
eth0 eth1!192.168.4.9 ...</programlisting>Shorewall-perl
uses syntax that is consistent with the rest of
Shorewall:<programlisting>#INTERFACE SOURCE ADDRESSES
eth0 eth1:!192.168.4.9 ...</programlisting></para>
</listitem>
<listitem>
<para>The 'allowoutUPnP' built-in action is no longer supported.
In kernel 2.6.14, the Netfilter team have removed support for '-m
owner --owner-cmd' which that action depended on.</para>
</listitem>
</orderedlist> </orderedlist>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
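Review bot: the 'allowoutUPnP' item says the action is no longer supported but not what happens to an existing rule that invokes it, or what to use in its place. Add a sentence on how Shorewall-perl handles such a rule. The BLACKLISTNEWONLY item in the same hunk could likewise say which of the two settings the user is expected to change once the combination is rejected.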
@ -451,8 +479,8 @@ fi</programlisting>
<member>'-C shell' means use the shell compiler</member> <member>'-C shell' means use the shell compiler</member>
<member>'-C perl' means use the perl compiler</member> <member>'-C perl' means use the perl compiler</member>
</simplelist>The -C option overrides the setting in shorewall.conf. </simplelist>The -C option overrides the setting in
</para> shorewall.conf.</para>
<para>Example:<programlisting><command>shorewall restart -C perl</command></programlisting>Regardless <para>Example:<programlisting><command>shorewall restart -C perl</command></programlisting>Regardless
of the setting of SHOREWALL_COMPILER, there is one change in Shorewall of the setting of SHOREWALL_COMPILER, there is one change in Shorewall