Final 1.2.13 Update

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@15 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-05-04 18:38:49 +00:00
parent 9ba6a48354
commit 4f01c2b3ed
5 changed files with 35 additions and 14 deletions

View File

@ -2,7 +2,10 @@ Changes since 1.2.12
1. Added whitelist support
2. Added SYN Flood Protection
3. Make aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES look more
like what people expect.
4. Merged shorewall.conf file patch that adds the kernel config help
text for TCPMSS to the description of the Shorewall parameter.
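
Review bot: Item 3 ("look more like what people expect") does not say what changed. The release notes in this same commit state it concretely: aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES now use the VLSM and broadcast address of the interface's primary address. Suggest using that wording here so the two files agree.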

View File

@ -1096,7 +1096,7 @@ setup_nat() {
#
# Now get the VLSM, "brd" and the broadcast address
#
val=`echo $val | cut -d' ' -f1,2,3`
val=${val%% scope*}
fi
run_ip addr add ${external}${val} dev $interface
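
Review bot: In setup_nat, val=${val%% scope*} leaves val untouched when the text in val contains no " scope" token, whereas the cut -d' ' -f1,2,3 form next to it always capped the result at three fields. Whatever is left in val goes unquoted into run_ip addr add ${external}${val} dev $interface, so input in an unexpected layout would pass extra words to ip. Suggest checking that the result has the "/VLSM brd address" shape before using it, and falling back to an empty val otherwise.
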
@ -2006,7 +2006,7 @@ setup_masq()
val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null
if [ -n "$val" ] ; then
val="/${val#*/}"
val=`echo $val | cut -d' ' -f1,2,3`
val=${val%% scope*}
fi
run_ip addr add ${address}${val} dev $interface
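
Review bot: setup_masq repeats the same trimming that is edited in setup_nat above (val=${val%% scope*} ahead of run_ip addr add). Suggest moving the lookup and trimming into one shared helper so the two copies cannot drift apart. Separately, in the context line that runs ip addr show $interface | grep 'inet.*brd ', the 2> /dev/null sits outside the backticks; placing it directly after ip addr show $interface, inside the backticks, makes it apply to ip itself.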

View File

@ -14,7 +14,7 @@
#
# EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next
# column
# column.
# INTERFACE Interface that we want to EXTERNAL address to appear
# on
# INTERNAL Internal Address
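
Review bot: The INTERFACE description just below the edited "column." line still reads "Interface that we want to EXTERNAL address to appear on". Since this comment block is being tidied, suggest "Interface that we want the EXTERNAL address to appear on".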

View File

@ -3,14 +3,10 @@ This is a minor release of Shorewall.
In this release:
1. Whitelist support has been added.
2. Optional SYN Flood protection is now available
2. Optional SYN Flood protection is now available.
3. Aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES
now use the VLSM and broadcast address of the interface's
primary address.
4. Port forwarding rules may now optionally override the
contents of the /etc/shorewall/nat file.
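
Review bot: Item 4 says port forwarding rules may override the contents of /etc/shorewall/nat but does not name the setting that controls it. The shorewall.conf text in this commit describes NAT_BEFORE_RULES as reversing the order of static NAT and port forwarding rules, which looks like the same feature; if so, suggest naming the variable and its "No" value here.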

View File

@ -165,6 +165,24 @@ BLACKLIST_LOGLEVEL=
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
# have CONFIG_IP_NF_TARGET_TCPMSS set.
#
# [From the kernel help:
#
# This option adds a `TCPMSS' target, which allows you to alter the
# MSS value of TCP SYN packets, to control the maximum size for that
# connection (usually limiting it to your outgoing interface's MTU
# minus 40).
#
# This is used to overcome criminally braindead ISPs or servers which
# block ICMP Fragmentation Needed packets. The symptoms of this
# problem are that everything works fine from your Linux
# firewall/router, but machines behind it can never exchange large
# packets:
# 1) Web browsers connect, then hang with no data received.
# 2) Small mail works fine, but large emails hang.
# 3) ssh works fine, but scp hangs after initial handshaking.
# ]
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
@ -176,6 +194,8 @@ CLAMPMSS="No"
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces (anti-spoofing measure).
#
# If this variable is not set or is set to the empty value, "No" is assumed.
ROUTE_FILTER="No"
#
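
Review bot: The default line for ROUTE_FILTER documents that an unset or empty value means "No", which leaves the anti-spoofing route filter off. The comment names "Yes" or "yes" as the enabling values but, unlike the CLAMPMSS text above, does not say how "no" or other values are treated. Suggest stating the accepted values explicitly and that the empty default leaves route filtering disabled.
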
@ -183,6 +203,8 @@ ROUTE_FILTER="No"
#
# Shorewall has traditionally processed static NAT rules before port forwarding
# rules. If you would like to reverse the order, set this variable to "No".
#
# If this variable is not set or is set to the empty value, "Yes" is assumed.
NAT_BEFORE_RULES="Yes"
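
Review bot: The NAT_BEFORE_RULES text names only "No" for reversing the order, while the CLAMPMSS and ROUTE_FILTER comments in this file spell out both "Yes" and "yes". Suggest saying whether lowercase "no" is also accepted, so readers know whether a lowercase value takes effect.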