Shorewall 2.0.0 Alpha 1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1109 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -1,4 +1,4 @@
-Changes since 1.4.9
+Changes since 1.4.10
 
 1) Remove 'unclean' support.
 
@@ -7,3 +7,15 @@ Changes since 1.4.9
 3) Remove HAVEROUTE column from ProxyARP.
 
 4) Change default for ALL INTERFACES in /etc/shorewall/nat.
+
+5) Rename the product to Shorewall2.
+
+6) Remove common chain.
+
+7) Add default action mechanism.
+
+8) Add USER/GROUP column to /etc/shorewall2/action.template.
+
+9) Get installer/uninstaller to work.
+
+

Shorewall2/releasenotes.txt

@@ -1,31 +1,163 @@
-This is a major release of Shorewall.
+Shorewall 2.0.0-Alpha1
 
-Problems Corrected since version 1.4.9:
+This is a major release of Shorewall. During the Alpha and Beta stages,
+the product name is changed to "Shoreall2" so that Shorewall version 1
+and Shorewall version 2 may coexist on a system.
 
-None.
+The following name changes have occured:
 
-Migration Issues/Incompatible Changes in this Release:
+       /sbin/shorewall       -> /sbin/shorewall2
+       /etc/shorewall        -> /etc/shorewall2
+       /etc/init.d/shorewall -> /etc/init.d/shorewall2
+       /usr/share/shorewall  -> /usr/share/shorewall2
+
+Shorewall2 continues to use /var/lib/shorewall as it's default state
+directory so that switching back and forth between Shorewall and
+Shorewall2 works properly.
+
+To switch from shorewall version 1 to shorewall version 2:
+
+   shorewall2 restart
+
+To switch back:
+
+   shoewall restart
+
+In the first release candidate, the product name will return to
+"Shorewall". The installer (install.sh) will only be able to upgrade
+to Shoreall 2.0 from Shorewall version 1.4.0 or later.
+
+During the Alpha and Beta periods, there will be no RPMs nor will there
+be any documentation tarballs. Note that the installer does NOT attempt
+to migrate your Shorewall version 1 configuration to version 2. When
+you install Shorewall2, you get a clean shorewall2 configuration in
+/etc/shorewall2; you must manually move files from /etc/shorewall to
+/etc/shorewall2 and modify them as described below.
+-----------------------------------------------------------------------
+Problems Corrected since prior version.
+
+	 None - this is the initial release.
+-----------------------------------------------------------------------
+Issues when migrating from Shorewall to Shorewall2:
 
 1) The 'dropunclean' and 'logunclean' interface options are no longer
    supported. If either option is specified in
-   /etc/shorewall/interfaces, an error message will be generated and
-   Shorewall will fail to start.
+   /etc/shorewall2/interfaces, an error message will be generated and
+   Shorewall2 will fail to start.
 
 2) The NAT_BEFORE_RULES option has been removed from
-   shorewall.conf. The behavior of Shorewall is as if
+   shorewall.conf. The behavior of Shorewall2 is as if
    NAT_BEFORE_RULES=No had been specified. In other words, DNAT rules
    now always take precidence over one-to-one NAT specifications.
 
 3) The HAVEROUTE column has been removed from
-   /etc/shorewall/proxyarp. Shorewall will no longer automatically add
+   /etc/shorewall2/proxyarp. Shorewall2 will no longer automatically add
    routes for Proxy ARP hosts. Use your distribution's static route
    capability to add these routes instead.
 
 4) The default value for the ALL INTERFACES column in
-   /etc/shorewall/nat has changed. In Shorewall 1.*, if the column was
+   /etc/shorewall2/nat has changed. In Shorewall, if the column was
    left empty, a value of "Yes" was assumed. This has been changed so
    that a value of "No" is now assumed.
 
+5) The following files don't exist in Shorewall2:
+
+       /etc/shorewall2/common.def
+       /etc/shorewall2/common
+       /etc/shorewall2/icmpdef
+
+   The /etc/shorewall2/action file now allows an action to be
+   designated as the "common" action for a particular policy type by
+   following the action name with ":" and the policy (DROP, REJECT or
+   ACCEPT).
+
+   The file /etc/shorewall2/actions.std has been added to define those
+   actions that are released as part of Shorewall2. In that file are
+   two actions as follows:
+
+       Drop:DROP
+       Reject:REJECT
+
+   The "Drop" action is the common action for DROP policies while the
+   "Reject" action is the default action for "REJECT" policies. These
+   actions will be performed on packets prior to applying the DROP or
+   REJECT policy respectively. In the first release, the difference
+   between "Reject" and "Drop" is that "Reject" REJECTs SMB traffic
+   while "Drop" silently drops such traffic.
+
+   As described above, Shorewall2 allows a common action for ACCEPT
+   policies but does not specify such an action in the default
+   configuration.
+
+   /etc/shorewall/actions contains an INCLUDE for
+   /etc/shorewall/actions.std. This causes a large number of actions to
+   be defined; in the current release:
+
+      DropBcast       #Silently Drops Broadcast Traffic
+      DropSMB         #Silently Drops Microsoft SMB Traffic
+      RejectSMB       #Silently Reject Microsoft SMB Traffic
+      DropUPnP        #Silently Drop UPnP Probes
+      DropNonSyn      #Silently Drop Non-syn TCP packets
+      RejectAuth      #Silently Reject Auth
+      DropPing        #Silently Drop Ping
+      DropDNSrep      #Silently Drop DNS Replies
+
+      AllowPing       #Accept Ping
+      AllowFTP        #Accept FTP
+      AllowDNS        #Accept DNS
+      AllowSSH        #Accept SSH
+      AllowWeb        #Allow Web Browsing
+      AllowSMB        #Allow MS Networking
+      AllowAuth       #Allow Auth (identd)
+      AllowSMTP       #Allow SMTP (Email)
+      AllowPOP3       #Allow reading mail via POP3
+      AllowIMAP       #Allow reading mail via IMAP
+      AllowTelnet     #Allow Telnet Access (not recommended for use over the
+                      #Internet)
+      AllowVNC        #Allow VNC, Displays 0-9
+      AllowNTP        #Allow Network Time Protocol (ntpd)
+      AllowRdate      #Allow remote time (rdate).
+      AllowNNTP       #Allow network news (Usenet).
+      AllowTrcrt      #Allows Traceroute (20 hops)
+
+      Drop:DROP       #Common rules for DROP policy
+      Reject:REJECT   #Common Action for Reject policy
+
+   If you don't want to create all of the action chains, you can remove
+   the INCLUDE and only include those actions that you need. Here's my
+   /etc/shorewall2/actions file:
+
+      DropBcast       #Silently Drops Broadcast Traffic
+      DropSMB         #Silently Drops Microsoft SMB Traffic
+      RejectSMB       #Silently Reject Microsoft SMB Traffic
+      DropUPnP        #Silently Drop UPnP Probes
+      DropNonSyn      #Silently Drop Non-syn TCP packets
+      RejectAuth      #Silently Reject Auth
+      DropPing        #Silently Drop Ping
+      DropDNSrep      #Silently Drop DNS Replies
+      AllowPing       #Accept Ping
+
+      Mirrors         #Accept traffic from Shorewall Mirrors
+
+      Drop:DROP
+      Reject:REJECT
+
+6) The /etc/shorewall2 directory no longer contains a 'users' file or a
+   'usersets' file. Similar functionality is now available using
+   user-defined actions.
+
+   Now, action files created by copying /etc/shorewall2/action.template
+   may now specify a USER and or GROUP name/id in the final column just
+   like in the rules file. It is thus possible to create actions that
+   ACCEPT traffic from a list of users and/or groups.
+
 New Features:
 
-None.
+1) The INCLUDE directive now allows absolute file names.
+
+2) A 'nosmurfs' interface option has been added to
+   /etc/shorewall2/interfaces. When specified for an interface, this
+   option causes smurfs (packets with a broadcast address as their
+   source) to be dropped and optionally logged (based on the setting of
+   a new SMURF_LOG_LEVEL option in shorewall.conf).
+