Minor updates for 1.4.9

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1070 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-20 17:58:07 +02:00 · 2004-01-09 20:18:40 +00:00 · 2004-01-09 20:18:40 +00:00 · 5338cb48b0
commit 5338cb48b0
parent 1046e55633
5 changed files with 45 additions and 6 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -17,3 +17,7 @@ Changes since 1.4.8
 8) Add /etc/shorewall/actions and /etc/shorewall/action.template
 9) Fix SNAT handling in DNAT rules.
 10) Change default to NEWNOTSYN=Yes
 11) Add rule to drop null source addressed ICMPs.
--- a/Shorewall/common.def
+++ b/Shorewall/common.def
@ -37,7 +37,12 @@ run_iptables -A common -d 224.0.0.0/4     -j DROP
 run_iptables -A common -p tcp --dport 113 -j reject
 ############################################################################
 # DNS -- Silenty drop late replies
 #
 run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
 ############################################################################
 # ICMP -- Silently drop null-address ICMPs
 #
 run_iptables -A common -p icmp -s 0.0.0.0 -j DROP
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -26,16 +26,19 @@ None.
 New Features:
-1) To cut down on the number of "Why are these ports closed rather than
+1) The documentation has been completely rebased to Docbook XML. The
   documentation is now released as separate HTML and XML packages.
 2) To cut down on the number of "Why are these ports closed rather than
   stealthed?" questions, the SMB-related rules in
   /etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
-2) For easier identification, packets logged under the 'norfc1918'
+3) For easier identification, packets logged under the 'norfc1918'
   interface option are now logged out of chains named
   'rfc1918'. Previously, such packets were logged under chains named
   'logdrop'.
-3) Distributors and developers seem to be regularly inventing new
+4) Distributors and developers seem to be regularly inventing new
   naming conventions for kernel modules. To avoid the need to change
   Shorewall code for each new convention, the MODULE_SUFFIX option has
   been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
@ -55,7 +58,7 @@ New Features:
 	    If all files end in ".kzo" then set MODULE_SUFFIX="kzo"
 	    If all files end in ".kz.o" then set MODULE_SUFFIX="kz.o"
-4) Support for user defined rule ACTIONS has been implemented through
+5) Support for user defined rule ACTIONS has been implemented through
   two new files:
   /etc/shorewall/actions         - used to list the user-defined ACTIONS.
@ -80,3 +83,22 @@ New Features:
 	LOG:info
 	ACCEPT
 6) The default value for NEWNOTSYN in shorewall.conf is now "Yes"
   (non-syn TCP packets that are not part of an existing connection are
   filtered according to the rules and policies rather than being
   dropped). I have made this change for two reasons:
   a) NEWNOTSYN=No tends to result in lots of "stuck" connections since
   any timeout during TCP session tear down results in the firewall
   dropping all of the retries.
   b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
   lots of confusing messages when a connection got "stuck". While I
   could have changed the default value of LOGNEWNOTSYN to suppress
   logging, I dislike defaults that silently throw away packets.
 7) The common.def file now contains an entry that silently drops ICMP
   packets with a null source address. Ad Koster reported a case where
   these were occuring frequently as a result of a broken system on his
   external network.    
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@ -448,8 +448,15 @@ MUTEX_TIMEOUT=60
 #
 # The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis 
 # using the 'newnotsyn' option in /etc/shorewall/interfaces.
 #
 # I find that NEWNOTSYN=No tends to result in lots of "stuck"
 # connections because any network timeout during TCP session tear down
 # results in retries being dropped (Netfilter has removed the
 # connection from the conntrack table but the end-points haven't
 # completed shutting down the connection).  I therefore have chosen
 # NEWNOTSYN=Yes as the default value.
-NEWNOTSYN=No
+NEWNOTSYN=Yes
 #
 # FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@ -106,10 +106,11 @@ fi
 %attr(0444,root,root) /usr/share/shorewall/functions
 %attr(0544,root,root) /usr/share/shorewall/firewall
 %attr(0544,root,root) /usr/share/shorewall/help
 %doc documentation
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>
 - Remove Documentation from this RPM
 * Sun Dec 28 2003 Tom Eastep <tom@shorewall.net>
 - Updated for Beta 2
 * Sun Dec 07 2003 Tom Eastep <tom@shorewall.net>