mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-15 02:41:01 +01:00
Shorewall 2.0.0 Alpha 1
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1109 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
c95c514add
commit
44bbb674a0
@ -1,4 +1,4 @@
|
||||
Changes since 1.4.9
|
||||
Changes since 1.4.10
|
||||
|
||||
1) Remove 'unclean' support.
|
||||
|
||||
@ -7,3 +7,15 @@ Changes since 1.4.9
|
||||
3) Remove HAVEROUTE column from ProxyARP.
|
||||
|
||||
4) Change default for ALL INTERFACES in /etc/shorewall/nat.
|
||||
|
||||
5) Rename the product to Shorewall2.
|
||||
|
||||
6) Remove common chain.
|
||||
|
||||
7) Add default action mechanism.
|
||||
|
||||
8) Add USER/GROUP column to /etc/shorewall2/action.template.
|
||||
|
||||
9) Get installer/uninstaller to work.
|
||||
|
||||
|
||||
|
@ -1,31 +1,163 @@
|
||||
This is a major release of Shorewall.
|
||||
Shorewall 2.0.0-Alpha1
|
||||
|
||||
Problems Corrected since version 1.4.9:
|
||||
This is a major release of Shorewall. During the Alpha and Beta stages,
|
||||
the product name is changed to "Shoreall2" so that Shorewall version 1
|
||||
and Shorewall version 2 may coexist on a system.
|
||||
|
||||
None.
|
||||
The following name changes have occured:
|
||||
|
||||
Migration Issues/Incompatible Changes in this Release:
|
||||
/sbin/shorewall -> /sbin/shorewall2
|
||||
/etc/shorewall -> /etc/shorewall2
|
||||
/etc/init.d/shorewall -> /etc/init.d/shorewall2
|
||||
/usr/share/shorewall -> /usr/share/shorewall2
|
||||
|
||||
Shorewall2 continues to use /var/lib/shorewall as it's default state
|
||||
directory so that switching back and forth between Shorewall and
|
||||
Shorewall2 works properly.
|
||||
|
||||
To switch from shorewall version 1 to shorewall version 2:
|
||||
|
||||
shorewall2 restart
|
||||
|
||||
To switch back:
|
||||
|
||||
shoewall restart
|
||||
|
||||
In the first release candidate, the product name will return to
|
||||
"Shorewall". The installer (install.sh) will only be able to upgrade
|
||||
to Shoreall 2.0 from Shorewall version 1.4.0 or later.
|
||||
|
||||
During the Alpha and Beta periods, there will be no RPMs nor will there
|
||||
be any documentation tarballs. Note that the installer does NOT attempt
|
||||
to migrate your Shorewall version 1 configuration to version 2. When
|
||||
you install Shorewall2, you get a clean shorewall2 configuration in
|
||||
/etc/shorewall2; you must manually move files from /etc/shorewall to
|
||||
/etc/shorewall2 and modify them as described below.
|
||||
-----------------------------------------------------------------------
|
||||
Problems Corrected since prior version.
|
||||
|
||||
None - this is the initial release.
|
||||
-----------------------------------------------------------------------
|
||||
Issues when migrating from Shorewall to Shorewall2:
|
||||
|
||||
1) The 'dropunclean' and 'logunclean' interface options are no longer
|
||||
supported. If either option is specified in
|
||||
/etc/shorewall/interfaces, an error message will be generated and
|
||||
Shorewall will fail to start.
|
||||
/etc/shorewall2/interfaces, an error message will be generated and
|
||||
Shorewall2 will fail to start.
|
||||
|
||||
2) The NAT_BEFORE_RULES option has been removed from
|
||||
shorewall.conf. The behavior of Shorewall is as if
|
||||
shorewall.conf. The behavior of Shorewall2 is as if
|
||||
NAT_BEFORE_RULES=No had been specified. In other words, DNAT rules
|
||||
now always take precidence over one-to-one NAT specifications.
|
||||
|
||||
3) The HAVEROUTE column has been removed from
|
||||
/etc/shorewall/proxyarp. Shorewall will no longer automatically add
|
||||
/etc/shorewall2/proxyarp. Shorewall2 will no longer automatically add
|
||||
routes for Proxy ARP hosts. Use your distribution's static route
|
||||
capability to add these routes instead.
|
||||
|
||||
4) The default value for the ALL INTERFACES column in
|
||||
/etc/shorewall/nat has changed. In Shorewall 1.*, if the column was
|
||||
/etc/shorewall2/nat has changed. In Shorewall, if the column was
|
||||
left empty, a value of "Yes" was assumed. This has been changed so
|
||||
that a value of "No" is now assumed.
|
||||
|
||||
5) The following files don't exist in Shorewall2:
|
||||
|
||||
/etc/shorewall2/common.def
|
||||
/etc/shorewall2/common
|
||||
/etc/shorewall2/icmpdef
|
||||
|
||||
The /etc/shorewall2/action file now allows an action to be
|
||||
designated as the "common" action for a particular policy type by
|
||||
following the action name with ":" and the policy (DROP, REJECT or
|
||||
ACCEPT).
|
||||
|
||||
The file /etc/shorewall2/actions.std has been added to define those
|
||||
actions that are released as part of Shorewall2. In that file are
|
||||
two actions as follows:
|
||||
|
||||
Drop:DROP
|
||||
Reject:REJECT
|
||||
|
||||
The "Drop" action is the common action for DROP policies while the
|
||||
"Reject" action is the default action for "REJECT" policies. These
|
||||
actions will be performed on packets prior to applying the DROP or
|
||||
REJECT policy respectively. In the first release, the difference
|
||||
between "Reject" and "Drop" is that "Reject" REJECTs SMB traffic
|
||||
while "Drop" silently drops such traffic.
|
||||
|
||||
As described above, Shorewall2 allows a common action for ACCEPT
|
||||
policies but does not specify such an action in the default
|
||||
configuration.
|
||||
|
||||
/etc/shorewall/actions contains an INCLUDE for
|
||||
/etc/shorewall/actions.std. This causes a large number of actions to
|
||||
be defined; in the current release:
|
||||
|
||||
DropBcast #Silently Drops Broadcast Traffic
|
||||
DropSMB #Silently Drops Microsoft SMB Traffic
|
||||
RejectSMB #Silently Reject Microsoft SMB Traffic
|
||||
DropUPnP #Silently Drop UPnP Probes
|
||||
DropNonSyn #Silently Drop Non-syn TCP packets
|
||||
RejectAuth #Silently Reject Auth
|
||||
DropPing #Silently Drop Ping
|
||||
DropDNSrep #Silently Drop DNS Replies
|
||||
|
||||
AllowPing #Accept Ping
|
||||
AllowFTP #Accept FTP
|
||||
AllowDNS #Accept DNS
|
||||
AllowSSH #Accept SSH
|
||||
AllowWeb #Allow Web Browsing
|
||||
AllowSMB #Allow MS Networking
|
||||
AllowAuth #Allow Auth (identd)
|
||||
AllowSMTP #Allow SMTP (Email)
|
||||
AllowPOP3 #Allow reading mail via POP3
|
||||
AllowIMAP #Allow reading mail via IMAP
|
||||
AllowTelnet #Allow Telnet Access (not recommended for use over the
|
||||
#Internet)
|
||||
AllowVNC #Allow VNC, Displays 0-9
|
||||
AllowNTP #Allow Network Time Protocol (ntpd)
|
||||
AllowRdate #Allow remote time (rdate).
|
||||
AllowNNTP #Allow network news (Usenet).
|
||||
AllowTrcrt #Allows Traceroute (20 hops)
|
||||
|
||||
Drop:DROP #Common rules for DROP policy
|
||||
Reject:REJECT #Common Action for Reject policy
|
||||
|
||||
If you don't want to create all of the action chains, you can remove
|
||||
the INCLUDE and only include those actions that you need. Here's my
|
||||
/etc/shorewall2/actions file:
|
||||
|
||||
DropBcast #Silently Drops Broadcast Traffic
|
||||
DropSMB #Silently Drops Microsoft SMB Traffic
|
||||
RejectSMB #Silently Reject Microsoft SMB Traffic
|
||||
DropUPnP #Silently Drop UPnP Probes
|
||||
DropNonSyn #Silently Drop Non-syn TCP packets
|
||||
RejectAuth #Silently Reject Auth
|
||||
DropPing #Silently Drop Ping
|
||||
DropDNSrep #Silently Drop DNS Replies
|
||||
AllowPing #Accept Ping
|
||||
|
||||
Mirrors #Accept traffic from Shorewall Mirrors
|
||||
|
||||
Drop:DROP
|
||||
Reject:REJECT
|
||||
|
||||
6) The /etc/shorewall2 directory no longer contains a 'users' file or a
|
||||
'usersets' file. Similar functionality is now available using
|
||||
user-defined actions.
|
||||
|
||||
Now, action files created by copying /etc/shorewall2/action.template
|
||||
may now specify a USER and or GROUP name/id in the final column just
|
||||
like in the rules file. It is thus possible to create actions that
|
||||
ACCEPT traffic from a list of users and/or groups.
|
||||
|
||||
New Features:
|
||||
|
||||
None.
|
||||
1) The INCLUDE directive now allows absolute file names.
|
||||
|
||||
2) A 'nosmurfs' interface option has been added to
|
||||
/etc/shorewall2/interfaces. When specified for an interface, this
|
||||
option causes smurfs (packets with a broadcast address as their
|
||||
source) to be dropped and optionally logged (based on the setting of
|
||||
a new SMURF_LOG_LEVEL option in shorewall.conf).
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user