mirror of https://gitlab.com/shorewall/code.git, synced 2024-11-22 23:53:30 +01:00
Minor updates for 1.4.9
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1070 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
1046e55633
commit
5338cb48b0
@ -17,3 +17,7 @@ Changes since 1.4.8
8) Add /etc/shorewall/actions and /etc/shorewall/action.template

9) Fix SNAT handling in DNAT rules.

10) Change default to NEWNOTSYN=Yes

11) Add rule to drop null source addressed ICMPs.
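Review bot: item 10) "Change default to NEWNOTSYN=Yes" understates a behavioural change: with the new default, non-SYN TCP packets that have no conntrack entry are evaluated against the rules and policies instead of being dropped, so someone upgrading from 1.4.8 should be told to review their policies or set NEWNOTSYN=No to keep the old behaviour; a clause here, or a pointer to the releasenotes item, would do. Item 11) should name the address it matches (0.0.0.0) so the entry can be checked against the common.def rule.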
@ -37,7 +37,12 @@ run_iptables -A common -d 224.0.0.0/4 -j DROP
run_iptables -A common -p tcp --dport 113 -j reject
############################################################################
# DNS -- Silenty drop late replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
############################################################################
# ICMP -- Silently drop null-address ICMPs
#
run_iptables -A common -p icmp -s 0.0.0.0 -j DROP
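Review bot: `-s 0.0.0.0` in the new ICMP rule matches only the single host address 0.0.0.0/32; if the intent is to drop everything sourced from the unspecified "this network" block, the match should be `-s 0.0.0.0/8`. Either way, the comment should state which of the two is meant, since "null-address" reads as the whole block. The pre-existing DNS comment a few lines above also has a typo: "Silenty" should be "Silently".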
@ -26,16 +26,19 @@ None.

New Features:

1) To cut down on the number of "Why are these ports closed rather than
1) The documentation has been completely rebased to Docbook XML. The
documentation is now released as separate HTML and XML packages.

2) To cut down on the number of "Why are these ports closed rather than
stealthed?" questions, the SMB-related rules in
/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.

2) For easier identification, packets logged under the 'norfc1918'
3) For easier identification, packets logged under the 'norfc1918'
interface option are now logged out of chains named
'rfc1918'. Previously, such packets were logged under chains named
'logdrop'.

3) Distributors and developers seem to be regularly inventing new
4) Distributors and developers seem to be regularly inventing new
naming conventions for kernel modules. To avoid the need to change
Shorewall code for each new convention, the MODULE_SUFFIX option has
been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
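Review bot: the new item 1) says the documentation is now released as separate HTML and XML packages, but it does not say that the base RPM no longer ships the documentation directory, which is the other half of this same commit (the spec changelog entry "Remove Documentation from this RPM"); one sentence naming the package(s) an administrator has to install to get the docs back would save support questions. The renumbering of the old items 1) to 3) as 2) to 4) is fine for unreleased notes but shifts any item numbers quoted elsewhere, so check the changelog and any cross-references.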
@ -55,7 +58,7 @@ New Features:
If all files end in ".kzo" then set MODULE_SUFFIX="kzo"
If all files end in ".kz.o" then set MODULE_SUFFIX="kz.o"

4) Support for user defined rule ACTIONS has been implemented through
5) Support for user defined rule ACTIONS has been implemented through
two new files:

/etc/shorewall/actions - used to list the user-defined ACTIONS.
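Review bot: the example MODULE_SUFFIX="kz.o" contains a dot, so the text should state whether the suffix is compared literally or used inside a shell pattern or regular expression; without that, an admin cannot tell whether ".kz.o" could also match a module name with some other character in place of the dot. The description of /etc/shorewall/actions should likewise say that its contents become chain names, so readers understand that the file is trusted configuration and deserves the same ownership and permissions as the rules file.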
@ -80,3 +83,22 @@ New Features:

LOG:info
ACCEPT

6) The default value for NEWNOTSYN in shorewall.conf is now "Yes"
(non-syn TCP packets that are not part of an existing connection are
filtered according to the rules and policies rather than being
dropped). I have made this change for two reasons:

a) NEWNOTSYN=No tends to result in lots of "stuck" connections since
any timeout during TCP session tear down results in the firewall
dropping all of the retries.

b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
lots of confusing messages when a connection got "stuck". While I
could have changed the default value of LOGNEWNOTSYN to suppress
logging, I dislike defaults that silently throw away packets.

7) The common.def file now contains an entry that silently drops ICMP
packets with a null source address. Ad Koster reported a case where
these were occuring frequently as a result of a broken system on his
external network.
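Review bot: item 6) should spell out the interaction with LOGNEWNOTSYN that point b) only hints at: with NEWNOTSYN=Yes, does LOGNEWNOTSYN=info still log anything, and if not, should its description in shorewall.conf change in this same commit? Item 7) has a typo ("occuring" should be "occurring") and should name the address the rule matches (0.0.0.0) rather than "null source address", so the note can be checked against the common.def rule it describes.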
@ -448,8 +448,15 @@ MUTEX_TIMEOUT=60
#
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
# using the 'newnotsyn' option in /etc/shorewall/interfaces.
#
# I find that NEWNOTSYN=No tends to result in lots of "stuck"
# connections because any network timeout during TCP session tear down
# results in retries being dropped (Netfilter has removed the
# connection from the conntrack table but the end-points haven't
# completed shutting down the connection). I therefore have chosen
# NEWNOTSYN=Yes as the default value.

NEWNOTSYN=No
NEWNOTSYN=Yes

#
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
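Review bot: the added comment gives the operational reason for NEWNOTSYN=Yes but not the trade-off the previous default was protecting against: with NEWNOTSYN=Yes a non-SYN packet with no conntrack entry is handed to the rules and policies, so such a packet reaches an ACCEPTed destination port instead of being dropped at the firewall. The comment should say that plainly and add that admins who want the stricter behaviour set NEWNOTSYN=No; as written, the per-interface 'newnotsyn' sentence only covers the permissive direction.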
@ -106,10 +106,11 @@ fi
%attr(0444,root,root) /usr/share/shorewall/functions
%attr(0544,root,root) /usr/share/shorewall/firewall
%attr(0544,root,root) /usr/share/shorewall/help
%doc documentation
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel

%changelog
* Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>
- Remove Documentation from this RPM
* Sun Dec 28 2003 Tom Eastep <tom@shorewall.net>
- Updated for Beta 2
* Sun Dec 07 2003 Tom Eastep <tom@shorewall.net>
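Review bot: dropping `%doc documentation` leaves the RPM with no pointer to where the docs now live; the changelog line "Remove Documentation from this RPM" should name the separate HTML and XML documentation packages that the release notes announce, so that packagers can decide whether to add a dependency on them and users upgrading do not silently lose the docs. The remaining `%doc` line still ships releasenotes.txt, which is where that pointer would be found, so the two should agree.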