diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 438530bbd..5ea2dd89a 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -2,7 +2,10 @@ Changes since 1.2.12
 1. Added whitelist support
 2. Added SYN Flood Protection
-
+3. Make aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES look more
+ like what people expect.
+4. Merged shorewall.conf file patch that adds the kernel config help
+ text for TCPMSS to the description of the Shorewall parameter.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 87fad16a1..9ffbcc3fb 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -1096,7 +1096,7 @@ setup_nat() {
 #
 # Now get the VLSM, "brd" and the broadcast address
 #
-val=`echo $val | cut -d' ' -f1,2,3`
+val=${val%% scope*}
 fi
 run_ip addr add ${external}${val} dev $interface
@@ -2006,7 +2006,7 @@ setup_masq()
 val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null
 if [ -n "$val" ] ; then
 val="/${val#*/}"
-val=`echo $val | cut -d' ' -f1,2,3`
+val=${val%% scope*}
 fi
 run_ip addr add ${address}${val} dev $interface
diff --git a/Shorewall/nat b/Shorewall/nat
index a13504bb3..ce1020b8e 100755
--- a/Shorewall/nat
+++ b/Shorewall/nat
@@ -14,7 +14,7 @@
 #
 # EXTERNAL External IP Address - this should NOT be the primary
 # IP address of the interface named in the next
-# column
+# column.
 # INTERFACE Interface that we want to EXTERNAL address to appear
 # on
 # INTERNAL Internal Address
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 30ce758e5..a2b4ea757 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
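Review bot: `val=${val%% scope*}` in the setup_nat hunk (and the identical line in the setup_masq hunk) now depends on the literal word ` scope` appearing in the `ip addr show` line, whereas the `cut -d' ' -f1,2,3` it replaces always bounded `val` to the `/VLSM brd ADDR` fields; if a line ever lacks that word (older or differently-built iproute2 — not verifiable from here), the rest of the line including the interface label is appended to `run_ip addr add ${external}${val}`. A comment would make the assumption explicit, e.g. `# ip prints "<addr>/<vlsm> brd <bcast> scope ..."; keep only "/<vlsm> brd <bcast>"`. A cheap shape check after the trim would catch the other case before it reaches `ip`, e.g. `case "$val" in /*\ brd\ *\ *) echo "Warning: unexpected address format on $interface: $val" >&2 ;; esac`. On the context line `val=\`ip addr show ...\` 2> /dev/null` in the setup_masq hunk the redirect sits outside the backticks, so depending on the shell it may apply to the assignment rather than to `ip`; moving it inside the backticks would be unambiguous. Both setup_nat and setup_masq start and end outside these hunks.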
@@ -3,14 +3,10 @@ This is a minor release of Shorewall.
 In this release:
 1. Whitelist support has been added.
-2. Optional SYN Flood protection is now available
-
-
-
-
-
-
-
-
-
+2. Optional SYN Flood protection is now available.
+3. Aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES
+ now use the VLSM and broadcast address of the interface's
+ primary address.
+4. Port forwarding rules may now optionally override the
+ contents of the /etc/shorewall/nat file.
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index 6e9df879f..aa84062df 100755
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@@ -165,6 +165,24 @@ BLACKLIST_LOGLEVEL=
 # Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
 # option. This option is most commonly required when your internet
 # interface is some variant of PPP (PPTP or PPPoE). Your kernel must
+# have CONFIG_IP_NF_TARGET_TCPMSS set.
+#
+# [From the kernel help:
+#
+# This option adds a `TCPMSS' target, which allows you to alter the
+# MSS value of TCP SYN packets, to control the maximum size for that
+# connection (usually limiting it to your outgoing interface's MTU
+# minus 40).
+#
+# This is used to overcome criminally braindead ISPs or servers which
+# block ICMP Fragmentation Needed packets. The symptoms of this
+# problem are that everything works fine from your Linux
+# firewall/router, but machines behind it can never exchange large
+# packets:
+# 1) Web browsers connect, then hang with no data received.
+# 2) Small mail works fine, but large emails hang.
+# 3) ssh works fine, but scp hangs after initial handshaking.
+# ]
 #
 # If left blank, or set to "No" or "no", the option is not enabled.
 #
@@ -176,6 +194,8 @@ CLAMPMSS="No"
 # Set this variable to "Yes" or "yes" if you want kernel route filtering on all
 # interfaces (anti-spoofing measure).
 #
+# If this variable is not set or is set to the empty value, "No" is assumed.
+
 ROUTE_FILTER="No"
 #
@@ -183,6 +203,8 @@ ROUTE_FILTER="No"
 #
 # Shorewall has traditionally processed static NAT rules before port forwarding
 # rules. If you would like to reverse the order, set this variable to "No".
+#
+# If this variable is not set or is set to the empty value, "Yes" is assumed.
 NAT_BEFORE_RULES="Yes"