mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-20 12:39:06 +01:00
Documentation update
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8185 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
22d1a535a0
commit
667e76f8bf
@ -1,3 +1,7 @@
|
|||||||
|
Changes in 4.1.5
|
||||||
|
|
||||||
|
1) More ruleset optimization.
|
||||||
|
|
||||||
Changes in 4.1.4
|
Changes in 4.1.4
|
||||||
|
|
||||||
1) Fix do_test() to accept 0 and to use the same mask as
|
1) Fix do_test() to accept 0 and to use the same mask as
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
Shorewall 4.1 Patch Release 4.
|
Shorewall 4.1 Patch Release 6.
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
R E L E A S E 4 . 1 H I G H L I G H T S
|
R E L E A S E 4 . 1 H I G H L I G H T S
|
||||||
@ -12,171 +12,6 @@ Shorewall 4.1 Patch Release 4.
|
|||||||
|
|
||||||
4) The tarball installers now work under Cygwin.
|
4) The tarball installers now work under Cygwin.
|
||||||
|
|
||||||
Problems corrected in Shorewall 4.1.4.
|
|
||||||
|
|
||||||
1) Previously, a value of 0 was ignored in the TEST column of tcrules
|
|
||||||
and the MARK column of the rules files.
|
|
||||||
|
|
||||||
Also, the default mask for entries in these columns has been
|
|
||||||
changed from 0xFF to 0xFFFF for compatibility with Shorewall-shell.
|
|
||||||
|
|
||||||
2) The compilation date recorded in the firewall.conf file produced by
|
|
||||||
Shorewall-perl was previously mangled.
|
|
||||||
|
|
||||||
3) The following situation would result in unexpected behavior.
|
|
||||||
|
|
||||||
/etc/shorewall/zones:
|
|
||||||
|
|
||||||
#ZONE TYPE
|
|
||||||
fw firewall
|
|
||||||
net ipv4
|
|
||||||
loc ipv4
|
|
||||||
dmz ipv4
|
|
||||||
|
|
||||||
/etc/shorewall/interfaces:
|
|
||||||
|
|
||||||
#ZONE INTERFACE BROADCAST OPTIONS
|
|
||||||
net ppp0
|
|
||||||
loc eth1
|
|
||||||
loc ppp+
|
|
||||||
dmz eth2
|
|
||||||
|
|
||||||
/etc/shorewall/rules:
|
|
||||||
|
|
||||||
#ACTION SOURCE DEST PROTO DEST
|
|
||||||
# PORT(S)
|
|
||||||
ACCEPT net dmz tcp 80
|
|
||||||
REDIRECT loc 3128 tcp 80
|
|
||||||
|
|
||||||
The web server in the dmz (implied by the first rule) is
|
|
||||||
inaccessible from the 'net' zone because the REDIRECT rule
|
|
||||||
redirects all traffic arriving on 'ppp+' to local port 3128.
|
|
||||||
|
|
||||||
Shorewall 4.1.4 includes a fix for this problem that also requires
|
|
||||||
a configuration change.
|
|
||||||
|
|
||||||
The basic problem with the above configuration is that 'net' is a
|
|
||||||
sub-zone of 'loc' (since ppp0 is a subset of ppp+) but Shorewall
|
|
||||||
isn't able to recognize that fact.
|
|
||||||
|
|
||||||
By changing the /etc/shorewall/zones file to make the parent/child
|
|
||||||
relationship explicit, Shorewall will now know that 'net' is a
|
|
||||||
sub-zone of 'loc'.
|
|
||||||
|
|
||||||
/etc/shorewall/zones:
|
|
||||||
|
|
||||||
#ZONE TYPE
|
|
||||||
fw firewall
|
|
||||||
loc ipv4
|
|
||||||
net:loc ipv4
|
|
||||||
dmz ipv4
|
|
||||||
|
|
||||||
Be sure that there are no CONTINUE policies from net to another
|
|
||||||
zone and that IMPLICIT_CONTINUE=No (to prevent implicit CONTINUE
|
|
||||||
policies from 'net' to all other zones).
|
|
||||||
|
|
||||||
Other changes in Shorewall 4.1.4.
|
|
||||||
|
|
||||||
1) When installing on Cygwin, /etc/shorewall is no longer fully
|
|
||||||
populated. Rather, only the shorewall.conf and params files are
|
|
||||||
installed. As always, the full configuration file set is installed
|
|
||||||
in /usr/share/shorewall/configfiles.
|
|
||||||
|
|
||||||
2) Specifying a destination zone in a NAT-only rule now generates a
|
|
||||||
warning and the destination zone is ignored. NAT-only rules are:
|
|
||||||
|
|
||||||
NONAT
|
|
||||||
REDIRECT-
|
|
||||||
DNAT-
|
|
||||||
|
|
||||||
3) The /etc/shorewall/masq and /etc/shorewall/nat file now accept a
|
|
||||||
comma-separated list of interface names where before only a single
|
|
||||||
interface name could be listed (Shorewall-perl only).
|
|
||||||
|
|
||||||
This feature is not for beginners. It iterates over the
|
|
||||||
list of interfaces, substituting each interface in place of the
|
|
||||||
list and processing the resulting entry according to the semantics
|
|
||||||
of earlier Shorewall versions. If you don't know where to use this,
|
|
||||||
don't try.
|
|
||||||
|
|
||||||
Example 1:
|
|
||||||
|
|
||||||
/etc/shorewall/masq:
|
|
||||||
|
|
||||||
#INTERFACE SOURCE ADDRESS
|
|
||||||
eth0,eth1 eth2 1.2.3.4
|
|
||||||
|
|
||||||
equivalent to:
|
|
||||||
|
|
||||||
#INTERFACE SOURCE ADDRESS
|
|
||||||
eth0 eth2 1.2.3.4
|
|
||||||
eth1 eth2 1.2.3.4
|
|
||||||
|
|
||||||
Example 2:
|
|
||||||
|
|
||||||
/etc/shorewall/masq:
|
|
||||||
|
|
||||||
#INTERFACE SOURCE ADDRESS
|
|
||||||
eth0,eth1::192.168.1.0/24 eth2 1.2.3.4
|
|
||||||
|
|
||||||
equivalent to:
|
|
||||||
|
|
||||||
#INTERFACE SOURCE ADDRESS
|
|
||||||
eth0::192.168.1.0/24 eth2 1.2.3.4
|
|
||||||
eth1::192.168.1.0/24 eth2 1.2.3.4
|
|
||||||
|
|
||||||
Example 3:
|
|
||||||
|
|
||||||
/etc/shorewall/nat:
|
|
||||||
|
|
||||||
#EXTERNAL INTERFACE INTERNAL
|
|
||||||
206.124.146.178 eth0,wlan0 192.168.1.3
|
|
||||||
|
|
||||||
equivalent to:
|
|
||||||
|
|
||||||
#EXTERNAL INTERFACE INTERNAL
|
|
||||||
206.124.146.178 eth0 192.168.1.3
|
|
||||||
206.124.146.178 wlan0 192.168.1.3
|
|
||||||
|
|
||||||
4) Previously, the INTERFACE name used in the masq, nat and netmap
|
|
||||||
files had to exactly match the name of an interface from the
|
|
||||||
interfaces file. Beginning with Shorewall-perl 4.1.4, the
|
|
||||||
interface may loosely match a wildcard entry in the interfaces
|
|
||||||
file.
|
|
||||||
|
|
||||||
Example:
|
|
||||||
|
|
||||||
/etc/shorewall/interfaces:
|
|
||||||
|
|
||||||
vpn tun+
|
|
||||||
|
|
||||||
/etc/shorewall/masq:
|
|
||||||
|
|
||||||
tun1 192.168.4.0/24
|
|
||||||
|
|
||||||
5) Previously, Shorewall classified non-firewall zones as either
|
|
||||||
'simple' or 'complex'. Attributes of a zone which made it 'complex'
|
|
||||||
included:
|
|
||||||
|
|
||||||
- The zone was of type 'ipsec' or 'ipsec4' or it had a hosts
|
|
||||||
entry with the 'ipsec' options.
|
|
||||||
- The zone had OPTIONS, IN OPTIONS or OUT OPTIONS
|
|
||||||
- The zone had more than one network on a given interface
|
|
||||||
- The zone had a hosts file entry with an exclusion.
|
|
||||||
- The zone had a hosts file entry specifying an ipset.
|
|
||||||
|
|
||||||
The handling of 'simple' and 'complex' zones was different.
|
|
||||||
|
|
||||||
- complex zones had their own 'forward' chain (named
|
|
||||||
'<zone>_frwd').
|
|
||||||
- complex zones with exclusions had their own 'input' and
|
|
||||||
'output' chains.
|
|
||||||
|
|
||||||
Beginning with Shorewall-perl 4.1.4, all non-firewall zones will be
|
|
||||||
treated as 'complex'. This will have the effect of one additional
|
|
||||||
filter chain per zone but in most cases, the average number of
|
|
||||||
filter rules traversed by a connection request will be reduced.
|
|
||||||
|
|
||||||
Migration Issues.
|
Migration Issues.
|
||||||
|
|
||||||
1) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
|
1) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
|
||||||
@ -199,6 +34,17 @@ Migration Issues.
|
|||||||
REDIRECT-
|
REDIRECT-
|
||||||
DNAT-
|
DNAT-
|
||||||
|
|
||||||
|
Problems corrected in 4.1.5.
|
||||||
|
|
||||||
|
None.
|
||||||
|
|
||||||
|
New Features in 4.1.5.
|
||||||
|
|
||||||
|
1) The need for interface-specific chains (such as eth0_in, eth4_fwd,
|
||||||
|
etc.) in the filter table has been drastically reduced. This has
|
||||||
|
the effect of reducing the average number of rules that each packet
|
||||||
|
must traverse.
|
||||||
|
|
||||||
New Features in Shorewall 4.1.
|
New Features in Shorewall 4.1.
|
||||||
|
|
||||||
1) Shorewall 4.1 contains experimental support for multiple Internet
|
1) Shorewall 4.1 contains experimental support for multiple Internet
|
||||||
@ -414,7 +260,7 @@ New Features in Shorewall 4.1.
|
|||||||
mark values < 256 to be assigned in the OUTPUT chain. This has been
|
mark values < 256 to be assigned in the OUTPUT chain. This has been
|
||||||
changed so that only high mark values may be assigned
|
changed so that only high mark values may be assigned
|
||||||
there. Packet marking rules for traffic shaping of packets
|
there. Packet marking rules for traffic shaping of packets
|
||||||
originating on the firewall must be coded in the POSTROUTING table.
|
originating on the firewall must be coded in the POSTROUTING chain.
|
||||||
|
|
||||||
8) Previously, Shorewall did not range-check the value of the
|
8) Previously, Shorewall did not range-check the value of the
|
||||||
VERBOSITY option in shorewall.conf. Beginning with Shorewall 4.1:
|
VERBOSITY option in shorewall.conf. Beginning with Shorewall 4.1:
|
||||||
@ -519,3 +365,105 @@ New Features in Shorewall 4.1.
|
|||||||
$ USER=<your user id> GROUP=None ./install.sh
|
$ USER=<your user id> GROUP=None ./install.sh
|
||||||
|
|
||||||
The 'shorewall' program is installed in /bin/ (a.k.a, /usr/bin/).
|
The 'shorewall' program is installed in /bin/ (a.k.a, /usr/bin/).
|
||||||
|
|
||||||
|
15) When installing on Cygwin, /etc/shorewall is no longer fully
|
||||||
|
populated. Rather, only the shorewall.conf and params files are
|
||||||
|
installed. As always, the full configuration file set is installed
|
||||||
|
in /usr/share/shorewall/configfiles.
|
||||||
|
|
||||||
|
16) Specifying a destination zone in a NAT-only rule now generates a
|
||||||
|
warning and the destination zone is ignored. NAT-only rules are:
|
||||||
|
|
||||||
|
NONAT
|
||||||
|
REDIRECT-
|
||||||
|
DNAT-
|
||||||
|
|
||||||
|
17) The /etc/shorewall/masq and /etc/shorewall/nat file now accept a
|
||||||
|
comma-separated list of interface names where before only a single
|
||||||
|
interface name could be listed (Shorewall-perl only).
|
||||||
|
|
||||||
|
This feature is not for beginners. It iterates over the
|
||||||
|
list of interfaces, substituting each interface in place of the
|
||||||
|
list and processing the resulting entry according to the semantics
|
||||||
|
of earlier Shorewall versions. If you don't know where to use this,
|
||||||
|
don't try.
|
||||||
|
|
||||||
|
Example 1:
|
||||||
|
|
||||||
|
/etc/shorewall/masq:
|
||||||
|
|
||||||
|
#INTERFACE SOURCE ADDRESS
|
||||||
|
eth0,eth1 eth2 1.2.3.4
|
||||||
|
|
||||||
|
equivalent to:
|
||||||
|
|
||||||
|
#INTERFACE SOURCE ADDRESS
|
||||||
|
eth0 eth2 1.2.3.4
|
||||||
|
eth1 eth2 1.2.3.4
|
||||||
|
|
||||||
|
Example 2:
|
||||||
|
|
||||||
|
/etc/shorewall/masq:
|
||||||
|
|
||||||
|
#INTERFACE SOURCE ADDRESS
|
||||||
|
eth0,eth1::192.168.1.0/24 eth2 1.2.3.4
|
||||||
|
|
||||||
|
equivalent to:
|
||||||
|
|
||||||
|
#INTERFACE SOURCE ADDRESS
|
||||||
|
eth0::192.168.1.0/24 eth2 1.2.3.4
|
||||||
|
eth1::192.168.1.0/24 eth2 1.2.3.4
|
||||||
|
|
||||||
|
Example 3:
|
||||||
|
|
||||||
|
/etc/shorewall/nat:
|
||||||
|
|
||||||
|
#EXTERNAL INTERFACE INTERNAL
|
||||||
|
206.124.146.178 eth0,wlan0 192.168.1.3
|
||||||
|
|
||||||
|
equivalent to:
|
||||||
|
|
||||||
|
#EXTERNAL INTERFACE INTERNAL
|
||||||
|
206.124.146.178 eth0 192.168.1.3
|
||||||
|
206.124.146.178 wlan0 192.168.1.3
|
||||||
|
|
||||||
|
18) Previously, the INTERFACE name used in the masq, nat and netmap
|
||||||
|
files had to exactly match the name of an interface from the
|
||||||
|
interfaces file. Beginning with Shorewall-perl 4.1.4, the
|
||||||
|
interface may loosely match a wildcard entry in the interfaces
|
||||||
|
file.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
/etc/shorewall/interfaces:
|
||||||
|
|
||||||
|
vpn tun+
|
||||||
|
|
||||||
|
/etc/shorewall/masq:
|
||||||
|
|
||||||
|
tun1 192.168.4.0/24
|
||||||
|
|
||||||
|
19) Previously, Shorewall classified non-firewall zones as either
|
||||||
|
'simple' or 'complex'. Attributes of a zone which made it 'complex'
|
||||||
|
included:
|
||||||
|
|
||||||
|
- The zone was of type 'ipsec' or 'ipsec4' or it had a hosts
|
||||||
|
entry with the 'ipsec' options.
|
||||||
|
- The zone had OPTIONS, IN OPTIONS or OUT OPTIONS
|
||||||
|
- The zone had more than one network on a given interface
|
||||||
|
- The zone had a hosts file entry with an exclusion.
|
||||||
|
- The zone had a hosts file entry specifying an ipset.
|
||||||
|
|
||||||
|
The handling of 'simple' and 'complex' zones was different.
|
||||||
|
|
||||||
|
- complex zones had their own 'forward' chain (named
|
||||||
|
'<zone>_frwd').
|
||||||
|
- complex zones with exclusions had their own 'input' and
|
||||||
|
'output' chains.
|
||||||
|
|
||||||
|
Beginning with Shorewall-perl 4.1, all non-firewall zones will be
|
||||||
|
treated as 'complex'. This will have the effect of one additional
|
||||||
|
filter chain per zone but in most cases, the average number of
|
||||||
|
filter rules traversed by a connection request will be reduced.
|
||||||
|
|
||||||
|
|
||||||
|
@ -71,7 +71,7 @@ sub initialize() {
|
|||||||
$balance = 0;
|
$balance = 0;
|
||||||
$first_default_route = 1;
|
$first_default_route = 1;
|
||||||
|
|
||||||
%providers = ( 'local' => { number => LOCAL_NUMBER , mark => 0 , optional => 0 } ,
|
%providers = ( local => { number => LOCAL_NUMBER , mark => 0 , optional => 0 } ,
|
||||||
main => { number => MAIN_NUMBER , mark => 0 , optional => 0 } ,
|
main => { number => MAIN_NUMBER , mark => 0 , optional => 0 } ,
|
||||||
default => { number => DEFAULT_NUMBER , mark => 0 , optional => 0 } ,
|
default => { number => DEFAULT_NUMBER , mark => 0 , optional => 0 } ,
|
||||||
unspec => { number => UNSPEC_NUMBER , mark => 0 , optional => 0 } );
|
unspec => { number => UNSPEC_NUMBER , mark => 0 , optional => 0 } );
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||||
<article>
|
<article>
|
||||||
<!--$Id$-->
|
<!--ble$Id$-->
|
||||||
|
|
||||||
<articleinfo>
|
<articleinfo>
|
||||||
<title>Shorewall and Multiple Internet Connections</title>
|
<title>Shorewall and Multiple Internet Connections</title>
|
||||||
@ -24,6 +24,8 @@
|
|||||||
|
|
||||||
<year>2007</year>
|
<year>2007</year>
|
||||||
|
|
||||||
|
<year>2008</year>
|
||||||
|
|
||||||
<holder>Thomas M. Eastep</holder>
|
<holder>Thomas M. Eastep</holder>
|
||||||
</copyright>
|
</copyright>
|
||||||
|
|
||||||
@ -79,7 +81,7 @@
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>It utilizes static routing configuration. As such, there is no
|
<para>It utilizes static routing configuration. As such, there is no
|
||||||
provision for reacting to the failure of either of the uplinks.</para>
|
provision for reacting to the failure of any of the uplinks.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -96,6 +98,12 @@
|
|||||||
stop</command>, <command>shorewall clear</command> or
|
stop</command>, <command>shorewall clear</command> or
|
||||||
<command>shorewall restart</command>.</para>
|
<command>shorewall restart</command>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>For most routing applications, <ulink
|
||||||
|
url="http://www.quagga.net/">Quagga</ulink> is a better
|
||||||
|
solution.</para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<section id="Overview">
|
<section id="Overview">
|
||||||
@ -433,7 +441,7 @@
|
|||||||
Shorewall-perl 4.1.5)</term>
|
Shorewall-perl 4.1.5)</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para> Specifies the source address to use when routing to
|
<para>Specifies the source address to use when routing to
|
||||||
this provider and none is known (the local client has bound
|
this provider and none is known (the local client has bound
|
||||||
to the 0 address). May not be specified when an
|
to the 0 address). May not be specified when an
|
||||||
<replaceable>address</replaceable> is given in the INTERFACE
|
<replaceable>address</replaceable> is given in the INTERFACE
|
||||||
|
Loading…
Reference in New Issue
Block a user