diff --git a/Shorewall-docs/mailing_list.htm b/Shorewall-docs/mailing_list.htm index c92d8f943..67e3fafd6 100644 --- a/Shorewall-docs/mailing_list.htm +++ b/Shorewall-docs/mailing_list.htm @@ -2,146 +2,151 @@ + + + + Shorewall Mailing Lists - + - + - - - + + - + - - +
+ Powered by Postfix    
+ + + - + +
+
- +

Vexira Logo -

+ - - +

 

- 		- + +

Shorewall Mailing Lists

- 		+ (Postfix Logo) -
- +
+
-
-
- + src="images/ninjalogo.png" alt="" width="110" height="42" align="right" + border="0"> + +
+

-
- Powered by Postfix    
-
-
- +

Not getting List Mail? -- Check Here

- -

If you experience problems with any of these lists, please - let me know

- + +

If you experience problems with any of these lists, please + let me know

+

Not able to Post Mail to shorewall.net?

- -

You can report such problems by sending mail to tom dot eastep + +

You can report such problems by sending mail to tom dot eastep at hp dot com.

- +

A Word about SPAM Filters 

- -

Before subscribing please read my policy - about list traffic that bounces. Also please note that the mail server + +

Before subscribing please read my policy + about list traffic that bounces. Also please note that the mail server at shorewall.net checks incoming mail:
-

- +

+
    -
  1. against Spamassassin +
  2. against Spamassassin (including Vipul's Razor).
    -
    3. -
  3. to ensure that the sender address is fully qualified.
    4. -
  4. to verify that the sender's domain has an A or MX record +
    5. +
  5. to ensure that the sender address is fully qualified.
    6. +
  6. to verify that the sender's domain has an A or MX record in DNS.
    7. -
  7. to ensure that the host name in the HELO/EHLO command -is a valid fully-qualified DNS name that resolves.
    8. - +
  8. to ensure that the host name in the HELO/EHLO command + is a valid fully-qualified DNS name that resolves.
    9. +
- +

Please post in plain text

- A growing number of MTAs serving list subscribers are rejecting all - HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net - "for continuous abuse" because it has been my policy to allow HTML in list - posts!!
-
- I think that blocking all HTML is a Draconian way to control spam - and that the ultimate losers here are not the spammers but the list subscribers - whose MTAs are bouncing all shorewall.net mail. As one list subscriber - wrote to me privately "These e-mail admin's need to get a (explitive -deleted) life instead of trying to rid the planet of HTML based e-mail". -Nevertheless, to allow subscribers to receive list posts as must as possible, -I have now configured the list server at shorewall.net to strip all HTML -from outgoing posts. This means that HTML-only posts will be bounced by -the list server.
- -

Note: The list server limits posts to 120kb.
-

+ A growing number of MTAs serving list subscribers are rejecting +all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net + "for continuous abuse" because it has been my policy to allow HTML in +list posts!!
+
+ I think that blocking all HTML is a Draconian way to control spam + and that the ultimate losers here are not the spammers but the list subscribers + whose MTAs are bouncing all shorewall.net mail. As one list subscriber + wrote to me privately "These e-mail admin's need to get a (explitive +deleted) life instead of trying to rid the planet of HTML based e-mail". +Nevertheless, to allow subscribers to receive list posts as must as possible, +I have now configured the list server at shorewall.net to strip all HTML +from outgoing posts. This means that HTML-only posts will be bounced by the +list server.
+

Note: The list server limits posts to 120kb.
+

+

Other Mail Delivery Problems

- If you find that you are missing an occasional list post, your e-mail - admin may be blocking mail whose Received: headers contain the names - of certain ISPs. Again, I believe that such policies hurt more than they -help but I'm not prepared to go so far as to start stripping Received: + If you find that you are missing an occasional list post, your e-mail + admin may be blocking mail whose Received: headers contain the +names of certain ISPs. Again, I believe that such policies hurt more than +they help but I'm not prepared to go so far as to start stripping Received: headers to circumvent those policies.
- +

Mailing Lists Archive Search

- -
- -

Match: - + + + +

Match: + - Format: - + Format: + - Sort by: - + Sort by: + -
- Search:

- - -

Please do not try to download the entire -Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't -stand the traffic. If I catch you, you will be blacklisted.
-

- + + +

Please do not try to download the +entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply +won't stand the traffic. If I catch you, you will be blacklisted.
+

+

Shorewall CA Certificate

- If you want to trust X.509 certificates issued by Shoreline - Firewall (such as the one used on my web site), you may download and install my CA certificate - in your browser. If you don't wish to trust my certificates then -you can either use unencrypted access when subscribing to Shorewall -mailing lists or you can use secure access (SSL) and accept the server's -certificate when prompted by your browser.
- + If you want to trust X.509 certificates issued by Shoreline + Firewall (such as the one used on my web site), you may download and install my CA certificate + in your browser. If you don't wish to trust my certificates then you + can either use unencrypted access when subscribing to Shorewall mailing + lists or you can use secure access (SSL) and accept the server's certificate + when prompted by your browser.
+

Shorewall Users Mailing List

- -

The Shorewall Users Mailing list provides a way for users - to get answers to questions and to report problems. Information -of general interest to the Shorewall user community is also posted -to this list.

- -

Before posting a problem report to this list, please see - the problem reporting + +

The Shorewall Users Mailing list provides a way for users + to get answers to questions and to report problems. Information of + general interest to the Shorewall user community is also posted to + this list.

+ +

Before posting a problem report to this list, please see + the problem reporting guidelines.

- -

To subscribe to the mailing list:
-

- - - -

To post to the list, post to shorewall-users@lists.shorewall.net.

- -

The list archives are at http://lists.shorewall.net/pipermail/shorewall-users.

- -

Note that prior to 1/1/2002, the mailing list was hosted -at Sourceforge. The archives from that -list may be found at www.geocrawler.com/lists/3/Sourceforge/9327/0/.

- -

Shorewall Announce Mailing List

- -

This list is for announcements of general interest to the - Shorewall community. To subscribe:
-

- -

- - - -


- The list archives are at http://lists.shorewall.net/pipermail/shorewall-announce.

- -

Shorewall Development Mailing List

- -

The Shorewall Development Mailing list provides a forum for - the exchange of ideas about the future of Shorewall and for coordinating - ongoing Shorewall Development.

- +

To subscribe to the mailing list:

- + + +

To post to the list, post to shorewall-users@lists.shorewall.net.

+ +

The list archives are at http://lists.shorewall.net/pipermail/shorewall-users.

+ +

Note that prior to 1/1/2002, the mailing list was hosted at +Sourceforge. The archives from that list +may be found at www.geocrawler.com/lists/3/Sourceforge/9327/0/.

+ +

Shorewall Announce Mailing List

+ +

This list is for announcements of general interest to the + Shorewall community. To subscribe:
+

+ +

+ + + +


+ The list archives are at http://lists.shorewall.net/pipermail/shorewall-announce.

+ +

Shorewall Development Mailing List

+ +

The Shorewall Development Mailing list provides a forum for + the exchange of ideas about the future of Shorewall and for coordinating + ongoing Shorewall Development.

+ +

To subscribe to the mailing list:
+

+ + - +

To post to the list, post to shorewall-devel@lists.shorewall.net

- +

The list archives are at http://lists.shorewall.net/pipermail/shorewall-devel.

- -

How to Unsubscribe from one of + +

How to Unsubscribe from one of the Mailing Lists

- -

There seems to be near-universal confusion about unsubscribing - from Mailman-managed lists although Mailman 2.1 has attempted to + +

There seems to be near-universal confusion about unsubscribing + from Mailman-managed lists although Mailman 2.1 has attempted to make this less confusing. To unsubscribe:

- +
    -
  • - -

    Follow the same link above that you used to subscribe +

  • + +

    Follow the same link above that you used to subscribe to the list.

    -
    • -
  • - -

    Down at the bottom of that page is the following text: - " To unsubscribe from <list name>, get a password - reminder, or change your subscription options enter your subscription - email address:". Enter your email address in the box and click +

    • +
  • + +

    Down at the bottom of that page is the following text: + " To unsubscribe from <list name>, get a password + reminder, or change your subscription options enter your subscription + email address:". Enter your email address in the box and click on the "Unsubscribe or edit options" button.

    -
    • -
  • - -

    There will now be a box where you can enter your password - and click on "Unsubscribe"; if you have forgotten your password, - there is another button that will cause your password to be emailed +

    • +
  • + +

    There will now be a box where you can enter your password + and click on "Unsubscribe"; if you have forgotten your password, + there is another button that will cause your password to be emailed to you.

    -
    • - + +
- -
+ +

Frustrated by having to Rebuild Mailman to use it with Postfix?

- +

Check out these instructions

- +

Last updated 2/3/2003 - Tom Eastep

- -

Copyright © -2001, 2002, 2003 Thomas M. Eastep.
-

-
-
-
-
-
-
-
-
-
+ +

Copyright2001, 2002, 2003 Thomas M. Eastep.
+

diff --git a/Shorewall-docs/seattlefirewall_index.htm b/Shorewall-docs/seattlefirewall_index.htm index 326e157b0..b205364d3 100644 --- a/Shorewall-docs/seattlefirewall_index.htm +++ b/Shorewall-docs/seattlefirewall_index.htm @@ -5,7 +5,7 @@ - + Shoreline Firewall (Shorewall) 1.3 @@ -13,22 +13,22 @@ - - + - + - + - + - + - + - +
+ @@ -36,15 +36,16 @@ - + +

Shorwall Logo - Shorewall - 1.3 - "iptables made -easy"

+ Shorewall + 1.3 - "iptables +made easy" @@ -53,41 +54,41 @@ easy" - + + -
+
-
- +
- +
- + - + - + - + - - + - + - +
+ @@ -96,7 +97,7 @@ easy" - +

What is it?

@@ -107,7 +108,7 @@ easy" - +

The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter (iptables) based firewall that can be used on a dedicated firewall system, a multi-function @@ -121,26 +122,26 @@ easy" - +

This program is free software; you can redistribute it and/or modify - it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation.
-
+
- This program is distributed in the hope - that it will be useful, but WITHOUT ANY WARRANTY; - without even the implied warranty of MERCHANTABILITY - or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details.
+ This program is distributed in the + hope that it will be useful, but WITHOUT ANY + WARRANTY; without even the implied warranty of MERCHANTABILITY + or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details.
-
+
- You should have received a copy of the - GNU General Public License along with -this program; if not, write to the Free Software -Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, + You should have received a copy of +the GNU General Public License along with + this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

@@ -151,7 +152,7 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, - +

Copyright 2001, 2002, 2003 Thomas M. Eastep

@@ -162,28 +163,29 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, - + +

- Jacques Nilo and Eric Wolzak - have a LEAF (router/firewall/gateway on a floppy, CD - or compact flash) distribution called Bering - that features Shorewall-1.3.10 and Kernel-2.4.18. + Jacques Nilo and Eric Wolzak + have a LEAF (router/firewall/gateway on a floppy, CD + or compact flash) distribution called Bering + that features Shorewall-1.3.10 and Kernel-2.4.18. You can find their work at: http://leaf.sourceforge.net/devel/jnilo
-

+

- +

Congratulations to Jacques and Eric on the recent release of Bering 1.0 Final!!!
-

+

- +

This is a mirror of the main Shorewall web site at SourceForge (http://shorewall.sf.net)

@@ -198,7 +200,7 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, - +

News

@@ -209,7 +211,7 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, - +

@@ -217,448 +219,456 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, - +

2/4/2003 - Shorewall 1.3.14-RC1 (New) -

- +

+

Includes the Beta 2 content plus support for OpenVPN tunnels.

- -

The beta may be downloaded from:
-

- + +

The release candidate may be downloaded from:
+

+
http://www.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
- + ftp://ftp.shorewall.net/pub/shorewall/Beta
+ +

1/28/2003 - Shorewall 1.3.14-Beta2 (New) -

- +

+

Includes the Beta 1 content plus restores VLAN device names of the - form $dev.$vid (e.g., eth0.1)

- + form $dev.$vid (e.g., eth0.1)

+

The beta may be downloaded from:
-

- +

+
http://www.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
- + ftp://ftp.shorewall.net/pub/shorewall/Beta
+ +

1/25/2003 - Shorewall 1.3.14-Beta1 (New) -  
-

- +  
+

+

The Beta includes the following changes:
-

- +

+
    -
  1. An OLD_PING_HANDLING option has been added to shorewall.conf. - When set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).
    -
    - When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and -policies just like any other connection request. The FORWARDPING=Yes option -in shorewall.conf and the 'noping' and 'filterping' options in /etc/shorewall/interfaces -will all generate an error.
    -
    -
    2. -
  2. It is now possible to direct Shorewall to create a "label" -such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes -and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of -just the interface name:
    -  
    -    a) In the INTERFACE column of /etc/shorewall/masq
    -    b) In the INTERFACE column of /etc/shorewall/nat
    -  
    3. -
  3. When an interface name is entered in the SUBNET column of -the /etc/shorewall/masq file, Shorewall previously masqueraded traffic from -only the first subnet defined on that interface. It did not masquerade traffic - from:
    -  
    -    a) The subnets associated with other addresses on the interface.
    -    b) Subnets accessed through local routers.
    -  
    - Beginning with Shorewall 1.3.14, if you enter an interface name in the - SUBNET column, shorewall will use the firewall's routing table to construct - the masquerading/SNAT rules.
    -  
    - Example 1 -- This is how it works in 1.3.14.
    -   
    - +
  4. An OLD_PING_HANDLING option has been added to shorewall.conf. + When set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).
    +
    + When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and + policies just like any other connection request. The FORWARDPING=Yes option + in shorewall.conf and the 'noping' and 'filterping' options in /etc/shorewall/interfaces + will all generate an error.
    +
    +
    5. +
  5. It is now possible to direct Shorewall to create a "label" + such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes + and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of + just the interface name:
    +  
    +    a) In the INTERFACE column of /etc/shorewall/masq
    +    b) In the INTERFACE column of /etc/shorewall/nat
    +  
    6. +
  6. When an interface name is entered in the SUBNET column of + the /etc/shorewall/masq file, Shorewall previously masqueraded traffic +from only the first subnet defined on that interface. It did not masquerade +traffic from:
    +  
    +    a) The subnets associated with other addresses on the interface.
    +    b) Subnets accessed through local routers.
    +  
    + Beginning with Shorewall 1.3.14, if you enter an interface name in +the SUBNET column, shorewall will use the firewall's routing table to +construct the masquerading/SNAT rules.
    +  
    + Example 1 -- This is how it works in 1.3.14.
    +   
    + 
       [root@gateway test]# cat /etc/shorewall/masq
       #INTERFACE              SUBNET                  ADDRESS
       eth0                    eth2                    206.124.146.176
       #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    - + 
       [root@gateway test]# ip route show dev eth2
       192.168.1.0/24  scope link
       192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
    - + 
       [root@gateway test]# shorewall start
       ...
       Masqueraded Subnets and Hosts:
           To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
           To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
       Processing /etc/shorewall/tos... 
    - When upgrading to Shorewall 1.3.14, if you have multiple local subnets - connected to an interface that is specified in the SUBNET column of an + When upgrading to Shorewall 1.3.14, if you have multiple local subnets + connected to an interface that is specified in the SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq file will need changing. In most cases, you will simply be able to remove redundant entries. In some cases though, you might want to change from using the interface name to listing specific subnetworks if the change described above will cause masquerading to occur on subnetworks that you don't wish to masquerade.
    -  
    - Example 2 -- Suppose that your current config is as follows:
    - +  
    + Example 2 -- Suppose that your current config is as follows:
    + 
       [root@gateway test]# cat /etc/shorewall/masq
       #INTERFACE              SUBNET                  ADDRESS
       eth0                    eth2                    206.124.146.176
       eth0                    192.168.10.0/24         206.124.146.176
       #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    - + 
       [root@gateway test]# ip route show dev eth2
       192.168.1.0/24  scope link
       192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
       [root@gateway test]#
    -    In this case, the second entry in /etc/shorewall/masq is no longer -required.
    -  
    - Example 3 -- What if your current configuration is like this?
    - +    In this case, the second entry in /etc/shorewall/masq is no longer + required.
    +  
    + Example 3 -- What if your current configuration is like this?
    + 
       [root@gateway test]# cat /etc/shorewall/masq
       #INTERFACE              SUBNET                  ADDRESS
       eth0                    eth2                    206.124.146.176
       #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    - + 
       [root@gateway test]# ip route show dev eth2
       192.168.1.0/24  scope link
       192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
       [root@gateway test]#
    -    In this case, you would want to change the entry in  /etc/shorewall/masq - to:
    - +    In this case, you would want to change the entry in  /etc/shorewall/masq + to:
    + 
       #INTERFACE              SUBNET                  ADDRESS
       eth0                    192.168.1.0/24          206.124.146.176
       #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    -
    7. - + +
- The beta may be downloaded from:
- + The beta may be downloaded from:
+
http://www.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
- + ftp://ftp.shorewall.net/pub/shorewall/Beta
+ +

1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format -

+

- +

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 - documenation. the PDF may be downloaded from

-     +     ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
-     http://slovakia.shorewall.net/pub/shorewall/pdf/ - +

1/17/2003 - shorewall.net has MOVED

- +

Thanks to the generosity of Alex Martin and Rett Consulting, www.shorewall.net and ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A big thanks to Alex for making this happen.
-

- +

+

1/13/2003 - Shorewall 1.3.13
-

- +

+

Just includes a few things that I had on the burner:
-

- +

+
    -
  1. A new 'DNAT-' action has been added for entries in the -/etc/shorewall/rules file. DNAT- is intended for advanced users who wish -to minimize the number of rules that connection requests must traverse.
    -
    - A Shorewall DNAT rule actually generates two iptables rules: a header - rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' table. - A DNAT- rule only generates the first of these rules. This is handy when - you have several DNAT rules that would generate the same ACCEPT rule.
    -
    -    Here are three rules from my previous rules file:
    -
    -         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178
    -         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179
    -         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...
    -
    -    These three rules ended up generating _three_ copies of
    -
    -          ACCEPT net  dmz:206.124.146.177 tcp smtp
    -
    -    By writing the rules this way, I end up with only one copy of -the ACCEPT rule.
    -
    -         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178
    -         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179
    -         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....
    -
    -
    2. -
  2. The 'shorewall check' command now prints out the applicable - policy between each pair of zones.
    -
    -
    3. -
  3. A new CLEAR_TC option has been added to shorewall.conf. - If this option is set to 'No' then Shorewall won't clear the current traffic - control rules during [re]start. This setting is intended for use by people - that prefer to configure traffic shaping when the network interfaces come - up rather than when the firewall is started. If that is what you want to - do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart - file. That way, your traffic shaping rules can still use the 'fwmark' classifier - based on packet marking defined in /etc/shorewall/tcrules.
    -
    -
    4. -
  4. A new SHARED_DIR variable has been added that allows distribution - packagers to easily move the shared directory (default /usr/lib/shorewall). - Users should never have a need to change the value of this shorewall.conf - setting.
    -
    5. - +
  5. A new 'DNAT-' action has been added for entries in the + /etc/shorewall/rules file. DNAT- is intended for advanced users who wish + to minimize the number of rules that connection requests must traverse.
    +
    + A Shorewall DNAT rule actually generates two iptables rules: a +header rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' +table. A DNAT- rule only generates the first of these rules. This is handy +when you have several DNAT rules that would generate the same ACCEPT rule.
    +
    +    Here are three rules from my previous rules file:
    +
    +         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178
    +         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179
    +         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...
    +
    +    These three rules ended up generating _three_ copies of
    +
    +          ACCEPT net  dmz:206.124.146.177 tcp smtp
    +
    +    By writing the rules this way, I end up with only one copy of + the ACCEPT rule.
    +
    +         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178
    +         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179
    +         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....
    +
    +
    6. +
  6. The 'shorewall check' command now prints out the applicable + policy between each pair of zones.
    +
    +
    7. +
  7. A new CLEAR_TC option has been added to shorewall.conf. + If this option is set to 'No' then Shorewall won't clear the current +traffic control rules during [re]start. This setting is intended for +use by people that prefer to configure traffic shaping when the network +interfaces come up rather than when the firewall is started. If that +is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not +supply an /etc/shorewall/tcstart file. That way, your traffic shaping +rules can still use the 'fwmark' classifier based on packet marking defined +in /etc/shorewall/tcrules.
    +
    +
    8. +
  8. A new SHARED_DIR variable has been added that allows +distribution packagers to easily move the shared directory (default /usr/lib/shorewall). + Users should never have a need to change the value of this shorewall.conf + setting.
    +
    9. +
- +

1/6/2003 - BURNOUT -

+

- +

Until further notice, I will not be involved in either Shorewall - Development or Shorewall Support

+ Development or Shorewall Support

- +

-Tom Eastep
-

+

- +

12/30/2002 - Shorewall Documentation in PDF Format

- -

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 - documenation. the PDF may be downloaded from

- + +

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 + documenation. the PDF may be downloaded from

+ + +

    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
-     http://slovakia.shorewall.net/pub/shorewall/pdf/
-

+

- + +

12/27/2002 - Shorewall 1.3.12 Released

- +

Features include:
-

+

- +
    -
  1. "shorewall refresh" now reloads the traffic shaping - rules (tcrules and tcstart).
    2. -
  2. "shorewall debug [re]start" now turns off debugging - after an error occurs. This places the point of the failure near -the end of the trace rather than up in the middle of it.
    3. -
  3. "shorewall [re]start" has been speeded up by more - than 40% with my configuration. Your milage may vary.
    4. -
  4. A "shorewall show classifiers" command has been - added which shows the current packet classification filters. The -output from this command is also added as a separate page in "shorewall -monitor"
    5. -
  5. ULOG (must be all caps) is now accepted as a valid - syslog level and causes the subject packets to be logged using the - ULOG target rather than the LOG target. This allows you to run ulogd - (available from "shorewall refresh" now reloads the traffic +shaping rules (tcrules and tcstart).
    6. +
  6. "shorewall debug [re]start" now turns off debugging + after an error occurs. This places the point of the failure near + the end of the trace rather than up in the middle of it.
    7. +
  7. "shorewall [re]start" has been speeded up by +more than 40% with my configuration. Your milage may vary.
    8. +
  8. A "shorewall show classifiers" command has been + added which shows the current packet classification filters. The + output from this command is also added as a separate page in "shorewall + monitor"
    9. +
  9. ULOG (must be all caps) is now accepted as a +valid syslog level and causes the subject packets to be logged using +the ULOG target rather than the LOG target. This allows you to run +ulogd (available from http://www.gnumonks.org/projects/ulogd) - and log all Shorewall messages to a separate log file.
    10. -
  10. If you are running a kernel that has a FORWARD -chain in the mangle table ("shorewall show mangle" will show you -the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes -in shorewall.conf. This allows for marking - input packets based on their destination even when you are using - Masquerading or SNAT.
    11. -
  11. I have cluttered up the /etc/shorewall directory - with empty 'init', 'start', 'stop' and 'stopped' files. If you already +
  12. If you are running a kernel that has a FORWARD + chain in the mangle table ("shorewall show mangle" will show you + the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes + in shorewall.conf. This allows for +marking input packets based on their destination even when you are +using Masquerading or SNAT.
    13. +
  13. I have cluttered up the /etc/shorewall directory + with empty 'init', 'start', 'stop' and 'stopped' files. If you already have a file with one of these names, don't worry -- the upgrade process won't overwrite your file.
    14. -
  14. I have added a new RFC1918_LOG_LEVEL variable -to shorewall.conf. This variable - specifies the syslog level at which packets are logged as a result -of entries in the /etc/shorewall/rfc1918 file. Previously, these packets - were always logged at the 'info' level.
    -
    15. +
  15. I have added a new RFC1918_LOG_LEVEL variable + to shorewall.conf. This +variable specifies the syslog level at which packets are logged as +a result of entries in the /etc/shorewall/rfc1918 file. Previously, +these packets were always logged at the 'info' level.
    +
    16. - +
- +

12/20/2002 - Shorewall 1.3.12 Beta 3
-

- This version corrects a problem with Blacklist logging. In - Beta 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall - would fail to start and "shorewall refresh" would also fail.
+

+ This version corrects a problem with Blacklist logging. +In Beta 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the +firewall would fail to start and "shorewall refresh" would also fail.
- +

You may download the Beta from:
-

+

- +
http://www.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
- - - -

12/20/2002 - Shorewall 1.3.12 Beta 2 -

- The first public Beta version of Shorewall 1.3.12 is -now available (Beta 1 was made available to a limited audience). -
-
- Features include:
-
- - - -
    -
  1. "shorewall refresh" now reloads the traffic - shaping rules (tcrules and tcstart).
    2. -
  2. "shorewall debug [re]start" now turns off -debugging after an error occurs. This places the point of the failure -near the end of the trace rather than up in the middle of it.
    3. -
  3. "shorewall [re]start" has been speeded up -by more than 40% with my configuration. Your milage may vary.
    4. -
  4. A "shorewall show classifiers" command has - been added which shows the current packet classification filters. - The output from this command is also added as a separate page in -"shorewall monitor"
    5. -
  5. ULOG (must be all caps) is now accepted as - a valid syslog level and causes the subject packets to be logged -using the ULOG target rather than the LOG target. This allows you to -run ulogd (available from http://www.gnumonks.org/projects/ulogd) - and log all Shorewall messages to a separate log file.
    6. -
  6. If you are running a kernel that has a FORWARD - chain in the mangle table ("shorewall show mangle" will show you -the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes - in shorewall.conf. This allows for marking input packets based on -their destination even when you are using Masquerading or SNAT.
    7. -
  7. I have cluttered up the /etc/shorewall directory - with empty 'init', 'start', 'stop' and 'stopped' files. If you already - have a file with one of these names, don't worry -- the upgrade process - won't overwrite your file.
    8. - - - -
- You may download the Beta from:
- - - -
http://www.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
- - - -

12/12/2002 - Mandrake Multi Network Firewall Powered by Mandrake Linux -

- Shorewall is at the center of MandrakeSoft's recently-announced - Multi - Network Firewall (MNF) product. Here is the press - release.
+ +

12/20/2002 - Shorewall 1.3.12 Beta 2 +

+ The first public Beta version of Shorewall 1.3.12 is + now available (Beta 1 was made available to a limited audience). +
+
+ Features include:
+
+ + + +
    +
  1. "shorewall refresh" now reloads the traffic + shaping rules (tcrules and tcstart).
    2. +
  2. "shorewall debug [re]start" now turns off + debugging after an error occurs. This places the point of the failure + near the end of the trace rather than up in the middle of it.
    3. +
  3. "shorewall [re]start" has been speeded +up by more than 40% with my configuration. Your milage may vary.
    4. +
  4. A "shorewall show classifiers" command +has been added which shows the current packet classification filters. + The output from this command is also added as a separate page in + "shorewall monitor"
    5. +
  5. ULOG (must be all caps) is now accepted +as a valid syslog level and causes the subject packets to be logged + using the ULOG target rather than the LOG target. This allows you to + run ulogd (available from http://www.gnumonks.org/projects/ulogd) + and log all Shorewall messages to a separate log file.
    6. +
  6. If you are running a kernel that has a +FORWARD chain in the mangle table ("shorewall show mangle" will +show you the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes + in shorewall.conf. This allows for marking input packets based on + their destination even when you are using Masquerading or SNAT.
    7. +
  7. I have cluttered up the /etc/shorewall +directory with empty 'init', 'start', 'stop' and 'stopped' files. +If you already have a file with one of these names, don't worry +-- the upgrade process won't overwrite your file.
    8. + + + +
+ You may download the Beta from:
+ + + +
http://www.shorewall.net/pub/shorewall/Beta
+ ftp://ftp.shorewall.net/pub/shorewall/Beta
+
+ + + +

12/12/2002 - Mandrake Multi Network Firewall Powered by Mandrake Linux +

+ Shorewall is at the center of MandrakeSoft's recently-announced + Multi + Network Firewall (MNF) product. Here is the press + release.
+ + +

12/7/2002 - Shorewall Support for Mandrake 9.0

- +

Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally - delivered. I have installed 9.0 on one of my systems and I am -now in a position to support Shorewall users who run Mandrake 9.0.

+ delivered. I have installed 9.0 on one of my systems and I am + now in a position to support Shorewall users who run Mandrake 9.0.

- +

12/6/2002 -  Debian 1.3.11a Packages Available
-

+

- +

Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

- +

12/3/2002 - Shorewall 1.3.11a

- + +

This is a bug-fix roll up which includes Roger Aich's fix for DNAT - with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 - users who don't need rules of this type need not upgrade to 1.3.11.

+ with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 + users who don't need rules of this type need not upgrade to 1.3.11.

- + +

11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format -

+

- +

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 - documenation. the PDF may be downloaded from

+ documenation. the PDF may be downloaded from

- +

    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
-     http://slovakia.shorewall.net/pub/shorewall/pdf/
-

+

- +

11/24/2002 - Shorewall 1.3.11 

- +

In this version:

- +
    -
  • A 'tcpflags' option has been added - to entries in /etc/shorewall/interfaces. - This option causes Shorewall to make a set of sanity check on TCP - packet header flags.
    • -
  • It is now allowed to use 'all' -in the SOURCE or DEST column in a A 'tcpflags' option has been +added to entries in /etc/shorewall/interfaces. + This option causes Shorewall to make a set of sanity check on TCP +packet header flags.
    • +
  • It is now allowed to use 'all' + in the SOURCE or DEST column in a rule. When used, 'all' must appear by itself (in may not be qualified) and it does not enable intra-zone traffic. For example, the rule
    -
    -     ACCEPT loc all tcp 80
    -
    - does not enable http traffic from 'loc' to -'loc'.
    • -
  • Shorewall's use of the 'echo' command - is now compatible with bash clones such as ash and dash.
    • -
  • fw->fw policies now generate -a startup error. fw->fw rules generate a warning and are -ignored
    • +
    +     ACCEPT loc all tcp 80
    +
    + does not enable http traffic from 'loc' +to 'loc'. +
  • Shorewall's use of the 'echo' +command is now compatible with bash clones such as ash and dash.
    • +
  • fw->fw policies now generate + a startup error. fw->fw rules generate a warning and are + ignored
    • - +
- +

More News

@@ -669,40 +679,41 @@ ignored - + +

Donations

- 		M
-
+ -
+ - + - + - + - + - + - + - +
+ @@ -710,12 +721,13 @@ ignored - + +

-   -

+ +  

@@ -725,31 +737,33 @@ ignored - +

Shorewall is free but if you try it and find it useful, please consider making a donation - to Starlight Children's Foundation. Thanks!

-
- +

Updated 2/4/2003 - Tom Eastep -
-

+
+

+
+


diff --git a/Shorewall-docs/sourceforge_index.htm b/Shorewall-docs/sourceforge_index.htm index 3e742f202..1bf7bb132 100644 --- a/Shorewall-docs/sourceforge_index.htm +++ b/Shorewall-docs/sourceforge_index.htm @@ -6,7 +6,7 @@ - + Shoreline Firewall (Shorewall) 1.3 @@ -15,22 +15,22 @@ - + - + - + - + - - + + - + - +
+ @@ -39,15 +39,16 @@ - +

Shorwall Logo - Shorewall - 1.3 - "iptables - made easy"

+ Shorewall + 1.3 - "iptables + made easy" + @@ -57,34 +58,34 @@ - + -
- +
- +
- + - + - + - - + - + - - + + - +
+ @@ -93,7 +94,8 @@ - + +

What is it?

@@ -105,11 +107,11 @@ - +

The Shoreline Firewall, more commonly known as  "Shorewall", is - a Netfilter (iptables) based - firewall that can be used on a dedicated firewall system, a multi-function - gateway/router/server or on a standalone GNU/Linux system.

+ a Netfilter (iptables) based + firewall that can be used on a dedicated firewall system, a multi-function + gateway/router/server or on a standalone GNU/Linux system.

@@ -120,29 +122,29 @@ - +

This program is free software; you can redistribute it and/or modify - it under the terms of - Version 2 of + it under the terms of + Version 2 of the GNU General Public License as published by the Free Software Foundation.
-
+
- This program is distributed in -the hope that it will be useful, but WITHOUT - ANY WARRANTY; without even the implied warranty - of MERCHANTABILITY or FITNESS FOR A PARTICULAR - PURPOSE. See the GNU General Public License for + This program is distributed in + the hope that it will be useful, but WITHOUT + ANY WARRANTY; without even the implied warranty + of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. See the GNU General Public License for more details.
-
+
- You should have received a copy - of the GNU General Public License along - with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA - 02139, USA

+ You should have received a copy + of the GNU General Public License along + with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, +MA 02139, USA

@@ -153,7 +155,7 @@ the hope that it will be useful, but WITHOUT - +

Copyright 2001, 2002, 2003 Thomas M. Eastep

@@ -165,22 +167,22 @@ the hope that it will be useful, but WITHOUT - +

- Jacques Nilo and Eric - Wolzak have a LEAF (router/firewall/gateway on a floppy, - CD or compact flash) distribution called Bering - that features Shorewall-1.3.10 and Kernel-2.4.18. - You can find their work at: Jacques Nilo and Eric + Wolzak have a LEAF (router/firewall/gateway on a floppy, + CD or compact flash) distribution called Bering + that features Shorewall-1.3.10 and Kernel-2.4.18. + You can find their work at: http://leaf.sourceforge.net/devel/jnilo

- Congratulations to Jacques and Eric - on the recent release of Bering 1.0 Final!!!
- + Congratulations to Jacques and +Eric on the recent release of Bering 1.0 Final!!!
+ - +

News

@@ -194,458 +196,480 @@ the hope that it will be useful, but WITHOUT - + +

2/4/2003 - Shorewall 1.3.14-RC1 (New) +

+ +

Includes the Beta 2 content plus support for OpenVPN tunnels.
+

+

The release candidate may be downloaded from:
+

+ +
http://www.shorewall.net/pub/shorewall/Beta
+ftp://ftp.shorewall.net/pub/shorewall/Beta
+ +

1/28/2003 - Shorewall 1.3.14-Beta2 (New) -

- +

+

Includes the Beta 1 content plus restores VLAN device names of the -form $dev.$vid (e.g., eth0.1)

- + form $dev.$vid (e.g., eth0.1)

+

The beta may be downloaded from:
-

- +

+
http://www.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
- + ftp://ftp.shorewall.net/pub/shorewall/Beta
+ +

1/25/2003 - Shorewall 1.3.14-Beta1 (New) -  
-

- +  
+

+

The Beta includes the following changes:
-

- +

+
    -
  1. An OLD_PING_HANDLING option has been added to shorewall.conf. - When set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).
    -
    - When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and policies - just like any other connection request. The FORWARDPING=Yes option in shorewall.conf - and the 'noping' and 'filterping' options in /etc/shorewall/interfaces will - all generate an error.
    -
    -
    2. -
  2. It is now possible to direct Shorewall to create a "label" -such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes -and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of -just the interface name:
    -  
    -    a) In the INTERFACE column of /etc/shorewall/masq
    -    b) In the INTERFACE column of /etc/shorewall/nat
    -  
    3. -
  3. When an interface name is entered in the SUBNET column of the - /etc/shorewall/masq file, Shorewall previously masqueraded traffic from -only the first subnet defined on that interface. It did not masquerade traffic - from:
    -  
    -    a) The subnets associated with other addresses on the interface.
    -    b) Subnets accessed through local routers.
    -  
    - Beginning with Shorewall 1.3.14, if you enter an interface name in the -SUBNET column, shorewall will use the firewall's routing table to construct -the masquerading/SNAT rules.
    -  
    - Example 1 -- This is how it works in 1.3.14.
    -   
    - +
  4. An OLD_PING_HANDLING option has been added to shorewall.conf. + When set to Yes, Shorewall ping handling is as it has always been (see +http://www.shorewall.net/ping.html).
    +
    + When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and +policies just like any other connection request. The FORWARDPING=Yes option +in shorewall.conf and the 'noping' and 'filterping' options in /etc/shorewall/interfaces +will all generate an error.
    +
    +
    5. +
  5. It is now possible to direct Shorewall to create a "label" + such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes + and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead +of just the interface name:
    +  
    +    a) In the INTERFACE column of /etc/shorewall/masq
    +    b) In the INTERFACE column of /etc/shorewall/nat
    +  
    6. +
  6. When an interface name is entered in the SUBNET column of +the /etc/shorewall/masq file, Shorewall previously masqueraded traffic from + only the first subnet defined on that interface. It did not masquerade +traffic from:
    +  
    +    a) The subnets associated with other addresses on the interface.
    +    b) Subnets accessed through local routers.
    +  
    + Beginning with Shorewall 1.3.14, if you enter an interface name in the + SUBNET column, shorewall will use the firewall's routing table to construct + the masquerading/SNAT rules.
    +  
    + Example 1 -- This is how it works in 1.3.14.
    +   
    + 
       [root@gateway test]# cat /etc/shorewall/masq
       #INTERFACE              SUBNET                  ADDRESS
       eth0                    eth2                    206.124.146.176
       #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    - + 
       [root@gateway test]# ip route show dev eth2
       192.168.1.0/24  scope link
       192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
    - + 
       [root@gateway test]# shorewall start
       ...
       Masqueraded Subnets and Hosts:
           To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
           To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
       Processing /etc/shorewall/tos...
    -  
    - When upgrading to Shorewall 1.3.14, if you have multiple local subnets -connected to an interface that is specified in the SUBNET column of an /etc/shorewall/masq - entry, your /etc/shorewall/masq file will need changing. In most cases, you - will simply be able to remove redundant entries. In some cases though, you - might want to change from using the interface name to listing specific subnetworks - if the change described above will cause masquerading to occur on subnetworks - that you don't wish to masquerade.
    -  
    - Example 2 -- Suppose that your current config is as follows:
    -   
    - +  
    + When upgrading to Shorewall 1.3.14, if you have multiple local subnets + connected to an interface that is specified in the SUBNET column of an /etc/shorewall/masq + entry, your /etc/shorewall/masq file will need changing. In most cases, +you will simply be able to remove redundant entries. In some cases though, +you might want to change from using the interface name to listing specific +subnetworks if the change described above will cause masquerading to occur +on subnetworks that you don't wish to masquerade.
    +  
    + Example 2 -- Suppose that your current config is as follows:
    +   
    + 
       [root@gateway test]# cat /etc/shorewall/masq
       #INTERFACE              SUBNET                  ADDRESS
       eth0                    eth2                    206.124.146.176
       eth0                    192.168.10.0/24         206.124.146.176
       #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    - + 
       [root@gateway test]# ip route show dev eth2
       192.168.1.0/24  scope link
       192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
       [root@gateway test]#
    -    In this case, the second entry in /etc/shorewall/masq is no longer -required.
    -  
    - Example 3 -- What if your current configuration is like this?
    -  
    - +    In this case, the second entry in /etc/shorewall/masq is no longer + required.
    +  
    + Example 3 -- What if your current configuration is like this?
    +  
    + 
       [root@gateway test]# cat /etc/shorewall/masq
       #INTERFACE              SUBNET                  ADDRESS
       eth0                    eth2                    206.124.146.176
       #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    - + 
       [root@gateway test]# ip route show dev eth2
       192.168.1.0/24  scope link
       192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
       [root@gateway test]# 
    -    In this case, you would want to change the entry in  /etc/shorewall/masq - to:
    - +    In this case, you would want to change the entry in  /etc/shorewall/masq + to:
    + 
       #INTERFACE              SUBNET                  ADDRESS
       eth0                    192.168.1.0/24          206.124.146.176
       #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    -
    7. - + +
- The beta may be downloaded from:
- + The beta may be downloaded from:
+
http://www.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
- + ftp://ftp.shorewall.net/pub/shorewall/Beta
+ +

1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format  -

- +

+ +

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 - documenation. the PDF may be downloaded from

-     +     ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
-     http://slovakia.shorewall.net/pub/shorewall/pdf/ - +

1/17/2003 - shorewall.net has MOVED   

- +

Thanks to the generosity of Alex Martin and Rett Consulting, www.shorewall.net and ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A big thanks to Alex for making this happen.
-

- +

+

1/13/2003 - Shorewall 1.3.13 (New) -
-

- +
+

+

Just includes a few things that I had on the burner:
-

- +

+
    -
  1. A new 'DNAT-' action has been added for entries in the -/etc/shorewall/rules file. DNAT- is intended for advanced users who wish -to minimize the number of rules that connection requests must traverse.
    -
    - A Shorewall DNAT rule actually generates two iptables rules: a header - rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' table. - A DNAT- rule only generates the first of these rules. This is handy when - you have several DNAT rules that would generate the same ACCEPT rule.
    -
    -    Here are three rules from my previous rules file:
    -
    -         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178
    -         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179
    -         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...
    -
    -    These three rules ended up generating _three_ copies of
    -
    -          ACCEPT net  dmz:206.124.146.177 tcp smtp
    -
    -    By writing the rules this way, I end up with only one copy of the - ACCEPT rule.
    -
    -         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178
    -         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179
    -         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....
    -
    -
    2. -
  2. The 'shorewall check' command now prints out the applicable - policy between each pair of zones.
    -
    -
    3. -
  3. A new CLEAR_TC option has been added to shorewall.conf. -If this option is set to 'No' then Shorewall won't clear the current traffic - control rules during [re]start. This setting is intended for use by people - that prefer to configure traffic shaping when the network interfaces come - up rather than when the firewall is started. If that is what you want -to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart - file. That way, your traffic shaping rules can still use the 'fwmark' +
  4. A new 'DNAT-' action has been added for entries in the + /etc/shorewall/rules file. DNAT- is intended for advanced users who wish + to minimize the number of rules that connection requests must traverse.
    +
    + A Shorewall DNAT rule actually generates two iptables rules: a header + rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' +table. A DNAT- rule only generates the first of these rules. This is +handy when you have several DNAT rules that would generate the same ACCEPT +rule.
    +
    +    Here are three rules from my previous rules file:
    +
    +         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178
    +         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179
    +         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...
    +
    +    These three rules ended up generating _three_ copies of
    +
    +          ACCEPT net  dmz:206.124.146.177 tcp smtp
    +
    +    By writing the rules this way, I end up with only one copy of +the ACCEPT rule.
    +
    +         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178
    +         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179
    +         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....
    +
    +
    5. +
  5. The 'shorewall check' command now prints out the applicable + policy between each pair of zones.
    +
    +
    6. +
  6. A new CLEAR_TC option has been added to shorewall.conf. + If this option is set to 'No' then Shorewall won't clear the current traffic + control rules during [re]start. This setting is intended for use by people + that prefer to configure traffic shaping when the network interfaces +come up rather than when the firewall is started. If that is what you +want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart + file. That way, your traffic shaping rules can still use the 'fwmark' classifier based on packet marking defined in /etc/shorewall/tcrules.
    -
    -
    7. -
  7. A new SHARED_DIR variable has been added that allows distribution - packagers to easily move the shared directory (default /usr/lib/shorewall). - Users should never have a need to change the value of this shorewall.conf - setting.
    8. - +
    + +
  8. A new SHARED_DIR variable has been added that allows +distribution packagers to easily move the shared directory (default /usr/lib/shorewall). + Users should never have a need to change the value of this shorewall.conf + setting.
    9. +
- +

1/6/2003 - BURNOUT -

+

- +

Until further notice, I will not be involved in either Shorewall - Development or Shorewall Support

+ Development or Shorewall Support

- +

-Tom Eastep
-

+

- +

12/30/2002 - Shorewall Documentation in PDF Format

- +

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 - documenation. the PDF may be downloaded from

+ documenation. the PDF may be downloaded from

- +

    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
-     http://slovakia.shorewall.net/pub/shorewall/pdf/
-

+

- +

12/27/2002 - Shorewall 1.3.12 Released

- +

Features include:
-

+

- +
    -
  1. "shorewall refresh" now reloads the traffic shaping - rules (tcrules and tcstart).
    2. -
  2. "shorewall debug [re]start" now turns off debugging - after an error occurs. This places the point of the failure near the - end of the trace rather than up in the middle of it.
    3. -
  3. "shorewall [re]start" has been speeded up by more - than 40% with my configuration. Your milage may vary.
    4. -
  4. A "shorewall show classifiers" command has been -added which shows the current packet classification filters. The output -from this command is also added as a separate page in "shorewall monitor"
    5. -
  5. ULOG (must be all caps) is now accepted as a valid - syslog level and causes the subject packets to be logged using the - ULOG target rather than the LOG target. This allows you to run ulogd - (available from http://www.gnumonks.org/projects/ulogd) - and log all Shorewall messages to - a separate log file.
    6. -
  6. If you are running a kernel that has a FORWARD -chain in the mangle table ("shorewall show mangle" will show you -the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes -in shorewall.conf. This allows for -marking input packets based on their destination even when you are -using Masquerading or SNAT.
    7. -
  7. I have cluttered up the /etc/shorewall directory - with empty 'init', 'start', 'stop' and 'stopped' files. If you already - have a file with one of these names, don't worry -- the upgrade process - won't overwrite your file.
    8. -
  8. I have added a new RFC1918_LOG_LEVEL variable to - shorewall.conf. This variable - specifies the syslog level at which packets are logged as a result -of entries in the /etc/shorewall/rfc1918 file. Previously, these packets - were always logged at the 'info' level.
    9. - - -
- - -

12/20/2002 - Shorewall 1.3.12 Beta 3
-

- This version corrects a problem with Blacklist logging. In - Beta 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall - would fail to start and "shorewall refresh" would also fail.
- - -

You may download the Beta from:
-

- - -
http://www.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
- - - -

12/20/2002 - Shorewall 1.3.12 Beta 2 -

- The first public Beta version of Shorewall 1.3.12 is now - available (Beta 1 was made available only to a limited audience). -
-
- Features include:
-
- - - -
    -
  1. "shorewall refresh" now reloads the traffic - shaping rules (tcrules and tcstart).
    2. -
  2. "shorewall debug [re]start" now turns off -debugging after an error occurs. This places the point of the failure -near the end of the trace rather than up in the middle of it.
    3. -
  3. "shorewall [re]start" has been speeded up -by more than 40% with my configuration. Your milage may vary.
    4. -
  4. A "shorewall show classifiers" command has -been added which shows the current packet classification filters. -The output from this command is also added as a separate page in "shorewall +
  5. "shorewall refresh" now reloads the traffic shaping + rules (tcrules and tcstart).
    6. +
  6. "shorewall debug [re]start" now turns off debugging + after an error occurs. This places the point of the failure near +the end of the trace rather than up in the middle of it.
    7. +
  7. "shorewall [re]start" has been speeded up by +more than 40% with my configuration. Your milage may vary.
    8. +
  8. A "shorewall show classifiers" command has been + added which shows the current packet classification filters. The +output from this command is also added as a separate page in "shorewall monitor"
    9. -
  9. ULOG (must be all caps) is now accepted as -a valid syslog level and causes the subject packets to be logged using - the ULOG target rather than the LOG target. This allows you to run ulogd - (available from ULOG (must be all caps) is now accepted as a +valid syslog level and causes the subject packets to be logged using +the ULOG target rather than the LOG target. This allows you to run +ulogd (available from http://www.gnumonks.org/projects/ulogd) - and log all Shorewall messages to - a separate log file.
    10. -
  10. If you are running a kernel that has a FORWARD - chain in the mangle table ("shorewall show mangle" will show you the - chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes -in shorewall.conf. This allows for marking input packets based on their - destination even when you are using Masquerading or SNAT.
    11. -
  11. I have cluttered up the /etc/shorewall directory - with empty 'init', 'start', 'stop' and 'stopped' files. If you already - have a file with one of these names, don't worry -- the upgrade process - won't overwrite your file.
    12. + and log all Shorewall messages to a separate log file. +
  12. If you are running a kernel that has a FORWARD + chain in the mangle table ("shorewall show mangle" will show you + the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes + in shorewall.conf. This allows for + marking input packets based on their destination even when you are +using Masquerading or SNAT.
    13. +
  13. I have cluttered up the /etc/shorewall directory + with empty 'init', 'start', 'stop' and 'stopped' files. If you +already have a file with one of these names, don't worry -- the upgrade +process won't overwrite your file.
    14. +
  14. I have added a new RFC1918_LOG_LEVEL variable +to shorewall.conf. This variable + specifies the syslog level at which packets are logged as a result + of entries in the /etc/shorewall/rfc1918 file. Previously, these packets + were always logged at the 'info' level.
    15. - - +
- You may download the Beta from:
- - + +

12/20/2002 - Shorewall 1.3.12 Beta 3
+

+ This version corrects a problem with Blacklist logging. +In Beta 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the +firewall would fail to start and "shorewall refresh" would also fail.
+ + +

You may download the Beta from:
+

+ +
http://www.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
- - - -

12/12/2002 - Mandrake Multi Network Firewall Powered by Mandrake Linux -

- Shorewall is at the center of MandrakeSofts's recently-announced - Multi - Network Firewall (MNF) product. Here is the press - release.
+ +

12/20/2002 - Shorewall 1.3.12 Beta 2 +

+ The first public Beta version of Shorewall 1.3.12 is +now available (Beta 1 was made available only to a limited audience). +
+
+ Features include:
+
+ + + +
    +
  1. "shorewall refresh" now reloads the traffic + shaping rules (tcrules and tcstart).
    2. +
  2. "shorewall debug [re]start" now turns off + debugging after an error occurs. This places the point of the failure + near the end of the trace rather than up in the middle of it.
    3. +
  3. "shorewall [re]start" has been speeded up + by more than 40% with my configuration. Your milage may vary.
    4. +
  4. A "shorewall show classifiers" command has + been added which shows the current packet classification filters. + The output from this command is also added as a separate page in +"shorewall monitor"
    5. +
  5. ULOG (must be all caps) is now accepted +as a valid syslog level and causes the subject packets to be logged +using the ULOG target rather than the LOG target. This allows you to +run ulogd (available from http://www.gnumonks.org/projects/ulogd) + and log all Shorewall messages to a separate log file.
    6. +
  6. If you are running a kernel that has a FORWARD + chain in the mangle table ("shorewall show mangle" will show you +the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes + in shorewall.conf. This allows for marking input packets based on +their destination even when you are using Masquerading or SNAT.
    7. +
  7. I have cluttered up the /etc/shorewall directory + with empty 'init', 'start', 'stop' and 'stopped' files. If you already + have a file with one of these names, don't worry -- the upgrade process + won't overwrite your file.
    8. + + + +
+ You may download the Beta from:
+ + + +
http://www.shorewall.net/pub/shorewall/Beta
+ ftp://ftp.shorewall.net/pub/shorewall/Beta
+
+ + + +

12/12/2002 - Mandrake Multi Network Firewall Powered by Mandrake Linux +

+ Shorewall is at the center of MandrakeSofts's recently-announced + Multi + Network Firewall (MNF) product. Here is the press + release.
+ + +

12/7/2002 - Shorewall Support for Mandrake 9.0

- +

Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally - delivered. I have installed 9.0 on one of my systems and I am -now in a position to support Shorewall users who run Mandrake 9.0.

+ delivered. I have installed 9.0 on one of my systems and I am + now in a position to support Shorewall users who run Mandrake 9.0.

- +

12/6/2002 -  Debian 1.3.11a Packages Available
-

- - - - -

Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

- - - -

12/3/2002 - Shorewall 1.3.11a -

- - - -

This is a bug-fix roll up which includes Roger Aich's fix for DNAT - with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 - users who don't need rules of this type need not upgrade to 1.3.11.

- - - -

11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format -

- - - - -

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 - documenation. the PDF may be downloaded from

- - - - -

    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
-     http://slovakia.shorewall.net/pub/shorewall/pdf/

- + +

Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

+ + + + +

12/3/2002 - Shorewall 1.3.11a +

+ + + + +

This is a bug-fix roll up which includes Roger Aich's fix for DNAT + with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 + users who don't need rules of this type need not upgrade to 1.3.11.

+ + + + +

11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format +

+ + + + +

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 + documenation. the PDF may be downloaded from

+ + + + +

    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
+     http://slovakia.shorewall.net/pub/shorewall/pdf/
+

+ + + +

11/24/2002 - Shorewall 1.3.11

- +

In this version:

- +
    -
  • A 'tcpflags' option has been added - to entries in /etc/shorewall/interfaces. - This option causes Shorewall to make a set of sanity check on TCP - packet header flags.
    • -
  • It is now allowed to use 'all' -in the SOURCE or DEST column in a A 'tcpflags' option has been +added to entries in /etc/shorewall/interfaces. + This option causes Shorewall to make a set of sanity check on TCP +packet header flags.
    • +
  • It is now allowed to use 'all' + in the SOURCE or DEST column in a rule. When used, 'all' must appear by itself (in may not be qualified) and it does not enable intra-zone traffic. For example, the rule
    -
    -     ACCEPT loc all tcp 80
    -
    - does not enable http traffic from 'loc' to -'loc'.
    • -
  • Shorewall's use of the 'echo' command - is now compatible with bash clones such as ash and dash.
    • -
  • fw->fw policies now generate -a startup error. fw->fw rules generate a warning and are -ignored
    • +
    +     ACCEPT loc all tcp 80
    +
    + does not enable http traffic from 'loc' +to 'loc'. +
  • Shorewall's use of the 'echo' +command is now compatible with bash clones such as ash and dash.
    • +
  • fw->fw policies now generate + a startup error. fw->fw rules generate a warning and are + ignored
    • - +
- +

11/14/2002 - Shorewall Documentation in PDF Format

- +

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 - documenation. the PDF may be downloaded from

+ documenation. the PDF may be downloaded from

- +

    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
-     http://slovakia.shorewall.net/pub/shorewall/pdf/
-

+

- +

- +
    @@ -653,7 +677,7 @@ ignored - +
@@ -661,7 +685,7 @@ ignored - +

More News

@@ -673,69 +697,72 @@ ignored - +

- +

SourceForge Logo -

+ - +

- +

This site is hosted by the generous folks at SourceForge.net

- +

Donations

- 		+ +
-
-
+ -
+ - + + - + - + - + - + - + + - +
+ + @@ -743,13 +770,12 @@ ignored - - +

-

+

@@ -759,31 +785,35 @@ ignored - + +

Shorewall is free but if you try it and find it useful, please consider making a donation - to Starlight Children's Foundation. Thanks!

-
- -

Updated 1/28/2003 - Tom Eastep + +

Updated 2/4/2003 - Tom Eastep -
-

+
+

+
+