extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-15 19:01:19 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update release documents

Browse Source
This commit is contained in:
Tom Eastep 2010-09-16 15:47:05 -07:00
parent 1c870b532a
commit 67b9ae0d2c
2 changed files with 46 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall/changelog.txt
View File

@ -25,6 +25,10 @@ Changes in Shorewall 4.4.13
11) Create dynamic zone ipsets on 'start'. 11) Create dynamic zone ipsets on 'start'.
12) Remove new blacklisting implementation.
13) Implement an alternative blacklisting scheme.
Changes in Shorewall 4.4.12 Changes in Shorewall 4.4.12
1) Fix IPv6 shorecap program. 1) Fix IPv6 shorecap program.

46
Shorewall/releasenotes.txt
View File

@ -187,10 +187,48 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
As part of this change, the tcrules file now accepts $FW in the As part of this change, the tcrules file now accepts $FW in the
DEST column for marking packets in the INPUT chain. DEST column for marking packets in the INPUT chain.
4) After a failed attempt to improve blacklisting by destination IP 4) Blacklisting has undergone considerable change in Shorewall 4.4.13.
address, I've decided to remove the OPTIONS column from the
blacklist files and take a fresh start at implementing this a) Blacklisting is now based on zones rather than on interfaces and
feature in a later release. host groups.
b) Near compatibility with earlier releases is maintained.
c) The keywords 'src' and 'dst' are now preferred in the OPTIONS
column in /etc/shoreawll/blacklist, replacing 'from' and 'to'
respectively. The old keywords are still supported.
d) The 'blacklist' keyword may now appear in the OPTIONS,
IN_OPTIONS and OUT_OPTIONS fields in /etc/shorewall/zones.
i) In the IN_OPTIONS column, it indicates that packets received
on the interface are checked against the 'src' entries in
/etc/shorewall/blacklist.
ii) In the OUT_OPTIONS column, it indicates that packets being
sent to the interface are checked against the 'dst' entries.
iii) Placing 'blacklist' in the OPTIONS column is equivalent to
placing in in both the IN_OPTIONS and OUT_OPTIONS columns.
e) The 'blacklist' option in the OPTIONS column of
/etc/shorewall/interfaces or /etc/shorewall/hosts is now
equivalent to placing it in the IN_OPTIONS column of the
associates record in /etc/shorewall/zones. If no zone is given
in the ZONE column of /etc/shorewall/interfaces, the 'blacklist'
option is ignored with a warning (it was previously ignored
silently).
f) The 'blacklist' option in the /etc/shorewall/interfaces and
/etc/shorewall/hosts files is now deprecated but will continue
to be supported for several releases. A warning will be added at
least one release before support is removed.
g) Given that blacklisting is now zone-based, there is a slight
change in behavior. Previously, blacklisting was done before
the other interface-oriented checks (tcpflags, nosmurfs, dhcp,
etc.). Beginning with this release, blacklisting is performed
after these checks.
5) There is now an OUT-BANDWIDTH column in 5) There is now an OUT-BANDWIDTH column in
/etc/shorewall/tcinterfaces. /etc/shorewall/tcinterfaces.