diff --git a/Shorewall-docs/releasenotes.xml b/Shorewall-docs/releasenotes.xml new file mode 100644 index 000000000..07e31f7df --- /dev/null +++ b/Shorewall-docs/releasenotes.xml @@ -0,0 +1,120 @@ + + +
+ Shorewall 1.4.9 + + + Problems Corrected + + These are the problems corrected since Shorewall 1.4.8 + + + + There has been a low continuing level of confusion over the + terms "Source NAT" (SNAT) and "Static NAT". To avoid + future confusion, all instances of "Static NAT" have been + replaced with "One-to-one NAT" in the documentation and + configuration files. + + + + The description of NEWNOTSYN in shorewall.conf has been reworded + for clarity. + + + + Wild-card rules (those involving "all" as SOURCE or + DEST) will no longer produce an error if they attempt to add a rule + that would override a NONE policy. The logic for expanding these + wild-card rules now simply skips those (SOURCE,DEST) pairs that have a + NONE policy. + + + + + + Migration Considerations + + None. + + + + New Features + + These are the new features added since Shorewall 1.4.8 + + + + To cut down on the number of "Why are these ports closed + rather than stealthed?" questions, the SMB-related rules in + /etc/shorewall/common.def have been changed from 'reject' to + 'DROP'. + + + + For easier identification, packets logged under the + 'norfc1918' interface option are now logged out of chains + named 'rfc1918'. Previously, such packets were logged under + chains named 'logdrop'. + + + + Distributors and developers seem to be regularly inventing new + naming conventions for kernel modules. To avoid the need to change + Shorewall code for each new convention, the MODULE_SUFFIX option has + been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix + for module names in your particular distribution. If MODULE_SUFFIX is + not set in shorewall.conf, Shorewall will use the list "o gz ko + o.gz". To see what suffix is used by your distribution: + + ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter + + All of the files listed should have the same suffix (extension). + Set MODULE_SUFFIX to that suffix. 
Examples: + + + + If all files end in ".kzo" then set + MODULE_SUFFIX="kzo" + + + + If all files end in ".kz.o" then set + MODULE_SUFFIX="kz.o" + + + + + + Support for user defined rule ACTIONS has been implemented + through two new files: /etc/shorewall/actions + - used to list the user-defined ACTIONS./etc/shorewall/action.template + - For each user defined <action>:copy + this file to /etc/shorewall/action.<action>Add + the appropriate rules in that file for the <action>.Once + an <action> has been defined, it may be used like any of the + builtin ACTIONS (ACCEPT, DROP, etc.) in /etc/shorewall/rules. + + Example: You want an action that logs a packet at the + 'info' level and accepts the connection. + + In /etc/shorewall/actions, you would add: + + + LogAndAccept + + + You would then copy /etc/shorewall/action.template to + /etc/shorewall/action.LogAndAccept and in that file, you would add the + two rules: + + + LOG:info + + ACCEPT + + + + +
\ No newline at end of file
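Review bot: the "Migration Considerations" section says "None.", but two entries under "New Features" change behaviour that an existing installation can observe: the SMB-related rules in /etc/shorewall/common.def move from 'reject' to 'DROP', and packets logged under the 'norfc1918' interface option now come from chains named 'rfc1918' rather than 'logdrop'. Anyone who filters or reports on the 'logdrop' chain name in their logs would have to update those matches after upgrading, so I would list both changes under Migration Considerations, or at least point to them from there. Separately, the file ends without a trailing newline ("\ No newline at end of file"); please add one.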