From 693f59b6624ec4cb1db2ed6e924a627b8a3469e1 Mon Sep 17 00:00:00 2001 From: judas_iscariote Date: Fri, 18 Nov 2005 17:49:57 +0000 Subject: [PATCH] new release git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3028 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-Website/News.htm | 804 ++----------------------- Shorewall-Website/oldnews.html | 1024 +++++++++++++++++++++++++++----- 2 files changed, 944 insertions(+), 884 deletions(-) diff --git a/Shorewall-Website/News.htm b/Shorewall-Website/News.htm index a3e564031..e96030192 100644 --- a/Shorewall-Website/News.htm +++ b/Shorewall-Website/News.htm @@ -20,12 +20,72 @@ Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

-

2005-11-11
+

2005-11-18

+
2005-11-18 +Shorewall 3.0.1
+
+Problems Corrected in 3.0.1 
+ +1) If the previous firewall configuration included a policy other than + ACCEPT in the nat, mangle or raw tables then Shorewall would not set + the policy to ACCEPT. This could result in a ruleset that rejected or + dropped all traffic. + +2) The Makefile was broken such that 'make' didn't always work correctly. + +3) If the SOURCE or DEST column in a macro body was non-empty and a dash + ("-") appeared in the corresponding column of an invocation of that + macro, then an invalid rule was generated. + +4) The comments in the /etc/shorewall/blacklist file have been updated to + clarify that the PORTS column refers to destination port number/service + names. + +5) When CLAMPMSS is set to a value other than "No" and FASTACCEPT=Yes, the + order of the rules generated was incorrect causing RELATED TCP connections + to not have CLAMPMSS applied. + +New Features in 3.0.1 + +1) To make the macro facility more flexible, Shorewall now examines the + contents of the SOURCE and DEST columns in both the macro body and in + the invocation and tries to create the intended rule. If the value in + the invocation appears to be an address (IP or MAC) or the name of an + ipset, then it is placed after the value in the macro body. Otherwise, + it is placed before the value in the macro body. + + Example 1: + + /etc/shorewall/macro.foo: + + PARAM - 192.168.1.5 tcp http + + /etc/shorewallrules: + + foo/ACCEPT net loc + + Effective rule: + + ACCEPT net loc:192.168.1.5 tcp http + + Example 2: + + /etc/shorewall/macro.bar: + + PARAM net loc tcp http + + /etc/shorewall/rules: + + bar/ACCEPT - 192.168.1.5 + + Effective rule: + + ACCEPT net loc:192.168.1.5 tcp http +
+


11/11/2005 Shorewall 3.0.0
- -
New Features in Shorewall 3.0.0

1) Error and warning messages are made easier to spot by using capitalization (e.g., ERROR: and WARNING:).

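Review bot: Example 1 in the added "New Features in 3.0.1" text points at `/etc/shorewallrules:`, which should read `/etc/shorewall/rules:` as Example 2 does. The paragraph before the examples only covers the two mixed cases (an address in the macro body with a zone in the invocation, and the reverse); it should also say what rule results, or whether an error is raised, when both the macro body and the invocation carry a zone name or both carry an address, since "placed before"/"placed after" alone does not tell the reader. Item 1 under "Problems Corrected in 3.0.1" could state its consequence more plainly for upgraders: a leftover non-ACCEPT policy in the nat, mangle or raw table made Shorewall drop or reject all traffic, i.e. the bug failed closed rather than opening anything, which is worth a sentence so 2.4 users know what symptom to look for.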
2) A new option 'critical' has been added to /etc/shorewall/routestopped. This option can be used to enable @@ -419,744 +479,6 @@ compatibility with Shorewall 3.0. In 2.4.6, the "dump" command provides the same output as the "status".
-10/05/2005 -Shorewall 2.4.5
-
-
-Problems Corrected in 2.4.5
-
    -
  1. In previous versions, when the command is 'start', 'restart' or -'stop' then OUTPUT traffic to hosts listed in -/etc/shorewall/routestopped is not enabled if ADMINISABSENTMINDED=Yes. -That traffic is now enabled independent of the setting of -ADMINISABSENTMINDED.
  2. -
  3. Although it was documented that icmp types could be used in the -tcrules file, the code did not support it. Thanks to Jorge Molina, that -problem is now corrected.
  4. -
  5. In a multi-ISP configuration, fwmark routing rules now have a -higher priority than source IP rules. This allows entries in tcrules to -be more effective in controlling routing.
  6. -
  7. Previously, not all of the mangle chains were flushed during -"shorewall restart".
  8. -
-09/12/2005 Shorewall 2.4.4
-

-Problems Corrected
-
    -
  1. An incorrect comment in the /etc/shorewall/proxyarp file has been -removed.
  2. -
  3. The message generated when a duplicate policy has been entered is -now more informative. Previously, only the POLICY column contents -appeared in the message. Now the SOURCE, DEST and POLICY column -contents are shown.
  4. -
  5. Shorewall now clears the Netfilter "raw" table during "shorewall -[re]start", "shorewall stop" and "shorewall clear" processing.
  6. -
-New Features
-
    -
  1. Tunnel types "openvpnserver" and "openvpnclient" have been added -to reflect the introduction of client and server OpenVPN configurations -in OpenVPN 2.0.
  2. -
  3. The COMMAND variable is now set to 'restore' in restore scripts. -The value of this variable is sometimes of interest to programmers -providing custom /etc/shorewall/tcstart scripts.
    -
  4. -
-08/16/2005 Shorewall 2.4.3
-

-Problems Corrected:
-
    -
  1. Shorewall is no longer dependent on the 'which' utility.
  2. -
  3. The 'shorewall add' command failed if there existed a zone in the -configuration that specified the 'ipsec' option in /etc/shorewall/hosts.
  4. -
  5. Shorewall is no longer dependent on /bin/echo.
  6. -
  7. A CLASSIFY rule  with $FW in the SOURCE column (tcrules) no -longer results in a "shorewall start" error.
  8. -
  9. You may now use port lists in the DEST PORT and SOURCE PORT -columns of the /etc/shorewall/accounting file.
  10. -
  11. The "shorewall show capabilities" command now accurately reports -the availability of "Packet type match" independent of the setting of -PKTTYPE in shorewall.conf.
  12. -
  13. Thanks to Tuomo Soini, all of the files have been siginificantly -cleaned up in terms of formatting and extra white-space.
    -
  14. -
-New Features:
-
    -
  1. New Allow.Submission and Allow.NTPbrd actions have been added. -Users of the Allow.NTP action that use NTP broadcasting should switch -to use of Allow.NTPbrd instead.
  2. -
  3. The kernel version string is now included in the output of -"shorewall status".
    -
  4. -
-07/30/2005 Shorewall 2.2.6
-
-
Problems Corrected:
-
    -
  1. MACLIST_TTL Vulnerability fix.
  2. -
  3. TCP_FLAGS_LOG_LEVEL=ULOG breaks with recent versions of iptables.
  4. -
  5. The bogons file has been updated to reflect recent IANA -allocations.
  6. -
-07/21/2005 Shorewall 2.4.2
-
-
Problems Corrected:
-
    -
  1. The /etc/shorewall/hosts file now includes information about -defining a zone using one or more ipsets.
  2. -
  3. A vulnerability involving MACLIST_TTL > 0 -or MACLIST_DISPOSITION=ACCEPT has been corrected.
  4. -
  5. It is now possible to specify !<address> in the SUBNET -column of /etc/shorewall/masq. Previously, it was necessary to write -0.0.0.0/0!<address>.
  6. -
  7. When <network1>!<network2> was specified in the -SUBNET column of /etc/shorewall/masq, IPSEC policies were not correctly -applied to the resulting rules. This usually resulted in IPSEC not -working through the interface specified in the INTERFACES column.
    -
  8. -
-New Features:
-
    -
  1. A 'loose' provider option has been added. If you wish to be able -to use marking to specify the gateway used by connections originating -on the firewall itself, the specify 'loose' for each provider. It has -bee reported that 'loose' may break the effect of 'track' so beware if -you need 'track' functionality (you shouldn't be originating many -connections from your firewall to the net anyway).
    -
    -To use 'loose', you also need to add two entries in /etc/shorewall/masq:
    -
    #INTERFACE           SUBNET          ADDRESS
    - $IF_ISP1 $IP_ISP2 $IP_ISP1
    - $IF_ISP2 $IP_ISP1 $IP_ISP2
    -
    -where:
    -
            $IF_ISP1        is the interface to ISP 1.
    - $IF_ISP2 is the interface to ISP 2.
    - $IP_ISP1 is the IP address of $IF_ISP1
    - $IP_ISP2 is the IP address of $IF_ISP2 -
    -
  2. -
  3. /sbin/shorewall now issues a warning each time that it finds that -startup is disabled.
  4. -
  5. A new COPY column has been added to the /etc/shorewall/providers -file. Normally, when a table name/number is given in the DUPLICATE -column, the entire table (less default routes) is copied. The COPY -column allows you to limit the routes copied to those that go through -an interface listed in COPY. For example, if you enter eth0 in -INTERFACE, "eth1,eth2" in COPY and 'main' in DUPLICATE then the new -table created will contain those routes through the interfaces eth0, -eth1 and eth2.
    -
  6. -
-
-

07/17/2005 Security -vulnerability in MACLIST processing

-

Description

-

A security vulnerability has been discovered which affects all -supported stable versions of Shorewall.  This vulnerability -enables a client accepted by MAC address filtering to bypass any other -rule.  If MACLIST_TTL is set to a value greater than 0 or -MACLIST_DISPOSITION is set to "ACCEPT" in /etc/shorewall/shorewall.conf -(default is MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT), and a client -is positively identified through its MAC address, it bypasses all other -policies/rules in place, thus gaining access to all open services on -the firewall.

-

Fix

-

Workaround

-

For Shorewall 2.2.x or 2.4.x, set MACLIST_TTL=0 or -MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf.  For -Shorewall 2.0.x, set MACLIST_DISPOSITION=REJECT in -/etc/shorewall/shorewall.conf.  MACLIST filtering is of limited -value on Internet-connected hosts, and the Shorewall team recommends -this approach to be used if possible.

-

Upgrade

-

For Shorewall 2.4.x, a fixed version of the 'firewall' script is -available at: -http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall -and its mirrors, -http://www.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall -and -http://slovakia.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall.

-

For Shorewall 2.2.x, a fixed version of the 'firewall' script is -available at: -http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall -and its mirrors, -http://www.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall -and -http://slovakia.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall.

-

For Shorewall 2.0.x, a fixed version of the 'firewall' script is -available at: http://shorewall.net/pub/shorewall/errata/2.0.17/firewall -and its mirrors, -http://www.shorewall.net/pub/shorewall/errata/2.0.17/firewall and -http://slovakia.shorewall.net/pub/shorewall/errata/2.0.17/firewall.

-

Users of any version before 2.0.17 are urged to upgrade to a -supported version of Shorewall (preferably 2.4.1) before using the -fixed files.  Only the most recent version of the 2.0.x and 2.2.x -streams will be supported by the development team, and the 1.x branches -are no longer maintained at all.  Future releases of Shorewall -will include this fix.

-

This information was based on Patrick -Blitz's post to the Full Disclosure mailing list.  Thanks to -Supernaut (supernaut at ns dot sympatico dot ca) for reporting this bug.
-

-

Version Upgrade
-

-

The vulnerability is corrected in Shorewall 2.4.2 and in Shorewall -2.2.6.
-

-
07/13/2005 -Shorewall 2.4.1
-

-Problems Corrected:
-
    -
  1. Shell variables may now be used in the zones file.
  2. -
  3. The /usr/share/shorewall/bogons file has been updated to reflect -recent IANA allocations.
  4. -
  5. Shorewall now detects an error where multiple providers specify -the 'track' option on the same interface.
  6. -
  7. The remnants of the GATEWAY column in /etc/shorewall/interfaces -have been removed. This column appeared briefly in one of the Beta -versions and was immediately removed but some vestiges remained.
  8. -
  9. Shorewall now correctly restores a load-balancing default route -during processing of the 'shorewall restore' and 'shorewall -f start' -commands. The latter command is normally executed by the Shorewall init -script during reboot.
  10. -
  11. A log level of "None!" is now allowed on builtin actions such as -ACCEPT and DROP.
  12. -
  13. Previously, LIMIT:BURST parameters in /etc/shorewall/policy were -not correctly applied when the policy was QUEUE.
  14. -
  15. The 'chkconfig' command on FC4 and Mandriva previously created -symbolic links with incorrect names ("S-1shorewall"). The init script -has been changed to prevent this incorrect behavior.
  16. -
  17. DHCP traffic forwarded through a bridge could, under some -configurations, be filtered by the 'maclist' option even though the -'dhcp' option was specified. This has been corrected.
    -
  18. -
-06/05/2005 Shorewall 2.4.0
-
-Note:
Because of the short time that has elapsed since the -release of Shorewall 2.2.0, Shorewall 2.0 will be supported until 1 -December 2005 or until the release of Shorewall 2.6.0, whichever occurs -first.
-
-New Features:
-
    -
  1. Shorewall 2.4.0 includes support for multiple internet interfaces -to different ISPs.
    -
    -The file /etc/shorewall/providers may be used to define the different -providers. It can actually be used to define alternate routing tables -so uses like transparent proxy can use the file as well.
    -
    -Columns are:
    -
    -        -NAME            -The provider name.
    -
    -        -NUMBER          The -provider number -- a number between 1 and 15
    -
    -        -MARK            -A FWMARK value used in your /etc/shorewall/tcrules file to direct -packets for this provider.
    -
    -        -DUPLICATE       The name of an existing -table to duplicate. May be -'main' or the name of a previous provider.
    -
    -        -INTERFACE       The name of the network -interface to the provider. -Must be listed in/etc/shorewall/interfaces.
    -
    -        -GATEWAY         The IP address -of the provider's gateway router. If you enter "detect" here then -Shorewall
    -                       -will
    attempt to determine -the gateway IP address automatically.
    -
    -        -OPTIONS         A -comma-separated list selected from the following:
    -
    -                -track   If specified, connections FROM this interface are - to be tracked so that -responses may be
    -                       -routed
    back out this same -interface.
    -
    -                        -You want specify 'track' if internet hosts will be connecting to local servers through
    -                       -this
    provider.
    -
    -                        -Because of limitations in the 'ip' utility and policy routing, you may not use the -SAVE or
    -                       -RESTORE tcrules options or use connection
    marking on any traffic to or from this
    -                        -interface. For traffic control purposes, you must mark packets in the FORWARD chain -(or
    -                       -better yet, use the CLASSIFY target).

    -
    -                -balance The providers that have 'balance' specified will get outbound traffic load-balanced -among
    -                       -them. By
    default, all -interfaces with 'balance' specified will have the same weight (1).
    -                       -You can change the
    weight -of the route out of the interface by specifiying balance=<weight>
    -                       -where <weight> is
    the -desired route weight.
    -
    -       Example:  You run squid in -your DMZ on IP address 192.168.2.99. Your DMZ interface is eth2
    -
    -        -#NAME   NUMBER  MARK DUPLICATE  INTERFACE -GATEWAY       OPTIONS
    -        -Squid   1       -1    --          -eth2      192.168.2.99  -
    -
    -Use of this feature requires that your kernel and iptabls support -CONNMARK target and conntrack match support. It does NOT require the -ROUTE target extension.
    -
    -WARNING: The current version of iptables (1.3.1) is broken with respect -to CONNMARK and iptables-save/iptables-restore. This means that if you -configure multiple ISPs, "shorewall restore" may fail. You must patch -your iptables using the patch at -http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff.
    -
    -
  2. -
  3. Shorewall 2.3.0 supports the 'cmd-owner' option of the owner -match facility in Netfilter. Like all owner match options, 'cmd-owner' -may only be applied to traffic that originates on the firewall.
    -
    -The syntax of the USER/GROUP column in the following files has been -extended:
    -
    -        /etc/shorewall/accounting
    -        /etc/shorewall/rules
    -        /etc/shorewall/tcrules
    -        -/usr/share/shorewall/action.template
    -
    -To specify a command, prefix the command name with "+".
    -
    -   Examples:
    -
    -         -+mozilla-bin            -#The program is named "mozilla-bin"
    -         -joe+mozilla-bin         #The -program is named "mozilla-bin" and
    -                                 -#is being run by user "joe"
    -         -joe:users+mozilla-bin   #The program is named "mozilla-bin" -and
    -                                 -#is being run by user "joe" with
    -                                 -#effective group "users".
    -
    -   Note that this is not a particularly robust feature and I -would never advertise it as a "Personal Firewall" equivalent. Using -symbolic links, it's easy to alias command names to be anything you -want.
    -
    -
  4. -
  5. Support has been added for ipsets (see http://people.netfilter.org/kadlec/ipset/).
    -
    -In most places where a host or network address may be used, you may -also use the name of an ipset prefaced by "+".
    -
    -        Example: "+Mirrors"
    -
    -The name of the set may be optionally followed by:
    -
    -a) a number from 1 to 6 enclosed in square brackets ([]) -- this number -indicates the maximum number of ipset binding levels that are to be -matched. Depending on the context where the ipset name is used, either -all "src" or all "dst" matches will be used.
    -
    -        Example: "+Mirrors[4]"
    -
    -b) a series of "src" and "dst" options separated by commas and inclosed -in square brackets ([]). These will be passed directly to iptables in -the generated --set clause. See the ipset documentation for details.
    -
    -        Example: -"+Mirrors[src,dst,src]"
    -
    -Note that "+Mirrors[4]" used in the SOURCE column of the rules file is -equivalent to "+Mirrors[src,src,src,src]".
    -
    -To generate a negative match, prefix the "+" with "!" as in "!+Mirrors".
    -
    -Example 1: Blacklist all hosts in an ipset named "blacklist"
    -
    -           -/etc/shorewall/blacklist
    -
    -            -#ADDRESS/SUBNET         -PROTOCOL        PORT
    -            -+blacklist
    -
    -Example 2: Allow SSH from all hosts in an ipset named "sshok:
    -
    -           -/etc/shorewall/rules
    -
    -            -#ACTION      -SOURCE      DEST     -PROTO    DEST PORT(S)
    -            -ACCEPT       -+sshok      -fw       -tcp      22
    -
    -Shorewall can automatically capture the contents of your ipsets for -you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf -then "shorewall save" will save the contents of your ipsets. The file -where the sets are saved is formed by taking the name where the -Shorewall configuration is stored and appending "-ipsets". So if you -enter the command "shorewall save standard" then your Shorewall -configuration will be saved in var/lib/shorewall/standard and your -ipset contents will be saved in /var/lib/shorewall/standard-ipsets. -Assuming the default RESTOREFILE setting, if you just enter "shorewall -save" then your Shorewall configuration will be saved in -/var/lib/shorewall/restore and your ipset contents will be saved in -/var/lib/shorewall/restore-ipsets.
    -
    -Regardless of the setting of SAVE_IPSETS, the "shorewall -f start" and -"shorewall restore" commands will restore the ipset contents -corresponding to the Shorewall configuration restored provided that the -saved Shorewall configuration specified exists.
    -
    -For example, "shorewall restore standard" would restore the ipset -contents from /var/lib/shorewall/standard-ipsets provided that -/var/lib/shorewall/standard exists and is executable and that -/var/lib/shorewall/standard-ipsets exists and is executable.
    -
    -Also regardless of the setting of SAVE_IPSETS, the "shorewall forget" -command will purge the saved ipset information (if any) associated with -the saved shorewall configuration being removed.
    -
    -You can also associate ipset contents with Shorewall configuration -directories using the following command:
    -
    -       ipset -S > <config -directory>/ipsets
    -
    -Example:
    -
    -       ipset -S > /etc/shorewall/ipsets
    -
    -When you start or restart Shorewall (including using the 'try' command) -from the configuration directory, your ipsets will be configured from -the saved ipsets file. Once again, this behavior is independent of the -setting of SAVE_IPSETS.
    -
    -Ipsets are well suited for large blacklists. You can maintain your -blacklist using the 'ipset' utility without ever having to restart or -refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be sure -to "shorewall save" after altering the blacklist ipset(s).
    -
    -Example /etc/shorewall/blacklist:
    -
    -    -#ADDRESS/SUBNET         -PROTOCOL        PORT
    -    -+Blacklist[src,dst]
    -    -+Blacklistnets[src,dst]
    -
    -Create the blacklist ipsets using:
    -
    -          ipset -N -Blacklist iphash
    -          ipset -N -Blacklistnets nethash
    -
    -Add entries
    -
    -       ipset -A Blacklist 206.124.146.177
    -       ipset -A Blacklistnets -206.124.146.0/24
    -
    -To allow entries for individual ports
    -
    -       ipset -N SMTP portmap --from 1 ---to 31
    -       ipset -A SMTP 25
    -
    -       ipset -A Blacklist 206.124.146.177
    -       ipset -B Blacklist 206.124.146.177 --b SMTP
    -
    -Now only port 25 will be blocked from 206.124.146.177.
    -
    -
  6. -
  7. Shorewall 2.4.0 can now configure routing if your kernel and -iptables support the ROUTE target extension. This extension is -available in Patch-O-Matic-ng. This feature is *EXPERIMENTAL* since the -Netfilter team have no intention of ever releasing the ROUTE target -extension to kernel.org.
    -
    -Routing is configured using the /etc/shorewall/routes file. Columns in -the file are as follows:
    -
    -       -SOURCE            -Source of the packet. May be any of the following:
    -
    -
    -                         -- A host or network address
    -                         -- A network interface name.
    -                         -- The name of an ipset prefaced with "+"
    -                         -- $FW (for packets originating on the firewall)
    -                         -- A MAC address in Shorewall format
    -                         -- A range of IP addresses (assuming that your kernel and iptables support range -match)
    -                         -- A network interface name followed by ":" and an address or address range.
    -
    -         -DEST            -Destination of the packet. May be any of the following:
    -
    -                         -- A host or network address
    -                         -- A network interface name (determined from
    -                           -routing table(s))
    -                         -- The name of an ipset prefaced with "+"
    -                         -- A network interface name followed by ":"
    -                           -and an address or address range.
    -
    -         -PROTO           -Protocol - Must be "tcp", "udp", "icmp", "ipp2p", a number, or "all". "ipp2p" -requires
    -                        -ipp2p match support in your kernel and
    iptables.
    -
    -         -PORT(S)         Destination -Ports. A comma-separated list of Port names (from /etc/services), port
    -                        -numbers
    or port ranges; -if the protocol is "icmp", thiscolumn is interpreted as the
    -                        -destination
    icmp-type(s).
    -
    -                         -If the protocol is ipp2p, this column is interpreted as an ipp2p option without -the
    -                        -leading "--" (example "bit" for bit-torrent).
    If no PORT is given, "ipp2p" is -assumed.
    -
    -                         -This column is ignored if PROTOCOL = all but must be entered if any of the following
    -                        -field
    is supplied. In -that case, it is suggested that this field contain "-"
    -
    -         -SOURCE PORT(S)  (Optional) Source port(s). If omitted, any source port is acceptable. -Specified as a
    -                        -comma-separated list of port names, port
    numbers or port ranges.
    -
    -         -TEST            -Defines a test on the existing packet or connection mark.
    -
    -                         -The rule will match only if the test returns true. Tests have the format
    -                        -[!]<value>[/<mask>][:C]

    -
    -                         -Where:
    -
    -                                 -!       Inverts the test (not equal) - <value> Value of the -packet or
    -                                        -connection mark.

    -
    -                                 -<mask>  A mask to be applied to the mark before testing
    -                                 -:C      Designates a connection mark. If omitted, the packet mark's value
    -                                        -is tested.

    -
    -         -INTERFACE       The interface that the -packet is to be routed out -of. If you do not specify this
    -                        -field then
    you must place -"-" in this column and enter an IP address in the GATEWAY
    -                        -column.

    -
    -         -GATEWAY         The gateway -that the packet is to be forewarded through.
    -
    -
  8. -
  9. Normally when Shorewall is stopped, starting or restarting then -connections are allowed from hosts listed in -/etc/shorewall/routestopped to the firewall and to other hosts listed -in /etc/shorewall/routestopped.
    -
    -A new 'source' option is added for entries in that file which will -cause Shorewall to allow traffic from the host listed in the entry to -ANY other host. When 'source' is specified in an entry, it is -unnecessary to also specify 'routeback'.
    -
    -Similarly, a new 'dest' option is added which will cause Shorewall to -allow traffic to the host listed in the entry from ANY other host. When -'source' is specified in an entry, it is unnecessary to also specify -'routeback'.
    -
    -
  10. -
  11. This change was implemented by Lorenzo Martignoni. It provides -two new commands: "safe-start" and "safe-restart".
    -
    - safe-start starts Shorewall -then prompts you to ask you if everything looks ok. If you answer "no" -or if you don't answer within 60 seconds, a "shorewall clear" is -executed.
    -
    - safe-restart saves your -current configuration to /var/lib/shorewall/safe-restart then issues a -"shorewall restart"; It then prompts you to ask if you if you want to -accept the new configuration. If you answer "no" or if you don't answer -within 60 seconds, the configuration is restored to its prior state.
    -
    -These new commands require either that your /bin/sh supports the "-t" -option to the 'read' command or that you have /bin/bash installed.
    -
  12. -
Old News here
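Review bot: the text removed here is being relocated to oldnews.html rather than retired, so the errors it carries should be fixed in the moved copy instead of being carried over verbatim: in the 2.4.0 routestopped item, the paragraph introducing the 'dest' option says "When 'source' is specified in an entry, it is unnecessary to also specify 'routeback'" where 'dest' is meant; Example 2 of the ipset item has an unterminated quote in `an ipset named "sshok:`; and "iptabls", "specifiying", "inclosed", "thiscolumn" and "forewarded" are misspelled. Since the 07/17/2005 MACLIST advisory, with its MACLIST_TTL=0 / MACLIST_DISPOSITION=REJECT workaround and the links to the fixed 'firewall' scripts for 2.4.1, 2.2.5 and 2.0.17, is now reachable from News.htm only through the "Old News here" link, confirm that the whole advisory, including the Upgrade and Version Upgrade sections, lands intact in oldnews.html.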
diff --git a/Shorewall-Website/oldnews.html b/Shorewall-Website/oldnews.html index 7104d6421..43aa05de4 100644 --- a/Shorewall-Website/oldnews.html +++ b/Shorewall-Website/oldnews.html @@ -9,6 +9,744 @@ + 10/05/2005 +Shorewall 2.4.5
+
+
+Problems Corrected in 2.4.5
+
    +
  1. In previous versions, when the command is 'start', 'restart' or +'stop' then OUTPUT traffic to hosts listed in +/etc/shorewall/routestopped is not enabled if ADMINISABSENTMINDED=Yes. +That traffic is now enabled independent of the setting of +ADMINISABSENTMINDED.
  2. +
  3. Although it was documented that icmp types could be used in the +tcrules file, the code did not support it. Thanks to Jorge Molina, that +problem is now corrected.
  4. +
  5. In a multi-ISP configuration, fwmark routing rules now have a +higher priority than source IP rules. This allows entries in tcrules to +be more effective in controlling routing.
  6. +
  7. Previously, not all of the mangle chains were flushed during +"shorewall restart".
  8. +
+09/12/2005 Shorewall 2.4.4
+

+Problems Corrected
+
    +
  1. An incorrect comment in the /etc/shorewall/proxyarp file has been +removed.
  2. +
  3. The message generated when a duplicate policy has been entered is +now more informative. Previously, only the POLICY column contents +appeared in the message. Now the SOURCE, DEST and POLICY column +contents are shown.
  4. +
  5. Shorewall now clears the Netfilter "raw" table during "shorewall +[re]start", "shorewall stop" and "shorewall clear" processing.
  6. +
+New Features
+
    +
  1. Tunnel types "openvpnserver" and "openvpnclient" have been added +to reflect the introduction of client and server OpenVPN configurations +in OpenVPN 2.0.
  2. +
  3. The COMMAND variable is now set to 'restore' in restore scripts. +The value of this variable is sometimes of interest to programmers +providing custom /etc/shorewall/tcstart scripts.
    +
  4. +
+08/16/2005 Shorewall 2.4.3
+

+Problems Corrected:
+
    +
  1. Shorewall is no longer dependent on the 'which' utility.
  2. +
  3. The 'shorewall add' command failed if there existed a zone in the +configuration that specified the 'ipsec' option in /etc/shorewall/hosts.
  4. +
  5. Shorewall is no longer dependent on /bin/echo.
  6. +
  7. A CLASSIFY rule  with $FW in the SOURCE column (tcrules) no +longer results in a "shorewall start" error.
  8. +
  9. You may now use port lists in the DEST PORT and SOURCE PORT +columns of the /etc/shorewall/accounting file.
  10. +
  11. The "shorewall show capabilities" command now accurately reports +the availability of "Packet type match" independent of the setting of +PKTTYPE in shorewall.conf.
  12. +
  13. Thanks to Tuomo Soini, all of the files have been siginificantly +cleaned up in terms of formatting and extra white-space.
    +
  14. +
+New Features:
+
    +
  1. New Allow.Submission and Allow.NTPbrd actions have been added. +Users of the Allow.NTP action that use NTP broadcasting should switch +to use of Allow.NTPbrd instead.
  2. +
  3. The kernel version string is now included in the output of +"shorewall status".
    +
  4. +
+07/30/2005 Shorewall 2.2.6
+
+
Problems Corrected:
+
    +
  1. MACLIST_TTL Vulnerability fix.
  2. +
  3. TCP_FLAGS_LOG_LEVEL=ULOG breaks with recent versions of iptables.
  4. +
  5. The bogons file has been updated to reflect recent IANA +allocations.
  6. +
+07/21/2005 Shorewall 2.4.2
+
+
Problems Corrected:
+
    +
  1. The /etc/shorewall/hosts file now includes information about +defining a zone using one or more ipsets.
  2. +
  3. A vulnerability involving MACLIST_TTL > 0 +or MACLIST_DISPOSITION=ACCEPT has been corrected.
  4. +
  5. It is now possible to specify !<address> in the SUBNET +column of /etc/shorewall/masq. Previously, it was necessary to write +0.0.0.0/0!<address>.
  6. +
  7. When <network1>!<network2> was specified in the +SUBNET column of /etc/shorewall/masq, IPSEC policies were not correctly +applied to the resulting rules. This usually resulted in IPSEC not +working through the interface specified in the INTERFACES column.
    +
  8. +
+New Features:
+
    +
  1. A 'loose' provider option has been added. If you wish to be able +to use marking to specify the gateway used by connections originating +on the firewall itself, the specify 'loose' for each provider. It has +bee reported that 'loose' may break the effect of 'track' so beware if +you need 'track' functionality (you shouldn't be originating many +connections from your firewall to the net anyway).
    +
    +To use 'loose', you also need to add two entries in /etc/shorewall/masq:
    +
    #INTERFACE           SUBNET          ADDRESS
    + $IF_ISP1 $IP_ISP2 $IP_ISP1
    + $IF_ISP2 $IP_ISP1 $IP_ISP2
    +
    +where:
    +
            $IF_ISP1        is the interface to ISP 1.
    + $IF_ISP2 is the interface to ISP 2.
    + $IP_ISP1 is the IP address of $IF_ISP1
    + $IP_ISP2 is the IP address of $IF_ISP2 +
    +
  2. +
  3. /sbin/shorewall now issues a warning each time that it finds that +startup is disabled.
  4. +
  5. A new COPY column has been added to the /etc/shorewall/providers +file. Normally, when a table name/number is given in the DUPLICATE +column, the entire table (less default routes) is copied. The COPY +column allows you to limit the routes copied to those that go through +an interface listed in COPY. For example, if you enter eth0 in +INTERFACE, "eth1,eth2" in COPY and 'main' in DUPLICATE then the new +table created will contain those routes through the interfaces eth0, +eth1 and eth2.
    +
  6. +
+
+

07/17/2005 Security +vulnerability in MACLIST processing

+

Description

+

A security vulnerability has been discovered which affects all +supported stable versions of Shorewall.  This vulnerability +enables a client accepted by MAC address filtering to bypass any other +rule.  If MACLIST_TTL is set to a value greater than 0 or +MACLIST_DISPOSITION is set to "ACCEPT" in /etc/shorewall/shorewall.conf +(default is MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT), and a client +is positively identified through its MAC address, it bypasses all other +policies/rules in place, thus gaining access to all open services on +the firewall.

+

Fix

+

Workaround

+

For Shorewall 2.2.x or 2.4.x, set MACLIST_TTL=0 or +MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf.  For +Shorewall 2.0.x, set MACLIST_DISPOSITION=REJECT in +/etc/shorewall/shorewall.conf.  MACLIST filtering is of limited +value on Internet-connected hosts, and the Shorewall team recommends +this approach to be used if possible.

+

Upgrade

+

For Shorewall 2.4.x, a fixed version of the 'firewall' script is +available at: +http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall +and its mirrors, +http://www.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall +and +http://slovakia.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall.

+

For Shorewall 2.2.x, a fixed version of the 'firewall' script is +available at: +http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall +and its mirrors, +http://www.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall +and +http://slovakia.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall.

+

For Shorewall 2.0.x, a fixed version of the 'firewall' script is +available at: http://shorewall.net/pub/shorewall/errata/2.0.17/firewall +and its mirrors, +http://www.shorewall.net/pub/shorewall/errata/2.0.17/firewall and +http://slovakia.shorewall.net/pub/shorewall/errata/2.0.17/firewall.

+

Users of any version before 2.0.17 are urged to upgrade to a +supported version of Shorewall (preferably 2.4.1) before using the +fixed files.  Only the most recent version of the 2.0.x and 2.2.x +streams will be supported by the development team, and the 1.x branches +are no longer maintained at all.  Future releases of Shorewall +will include this fix.

+

This information was based on Patrick +Blitz's post to the Full Disclosure mailing list.  Thanks to +Supernaut (supernaut at ns dot sympatico dot ca) for reporting this bug.
+

+

Version Upgrade
+

+

The vulnerability is corrected in Shorewall 2.4.2 and in Shorewall +2.2.6.
+

+
07/13/2005 +Shorewall 2.4.1
+

+Problems Corrected:
+
    +
  1. Shell variables may now be used in the zones file.
  2. +
  3. The /usr/share/shorewall/bogons file has been updated to reflect +recent IANA allocations.
  4. +
  5. Shorewall now detects an error where multiple providers specify +the 'track' option on the same interface.
  6. +
  7. The remnants of the GATEWAY column in /etc/shorewall/interfaces +have been removed. This column appeared briefly in one of the Beta +versions and was immediately removed but some vestiges remained.
  8. +
  9. Shorewall now correctly restores a load-balancing default route +during processing of the 'shorewall restore' and 'shorewall -f start' +commands. The latter command is normally executed by the Shorewall init +script during reboot.
  10. +
  11. A log level of "None!" is now allowed on builtin actions such as +ACCEPT and DROP.
  12. +
  13. Previously, LIMIT:BURST parameters in /etc/shorewall/policy were +not correctly applied when the policy was QUEUE.
  14. +
  15. The 'chkconfig' command on FC4 and Mandriva previously created +symbolic links with incorrect names ("S-1shorewall"). The init script +has been changed to prevent this incorrect behavior.
  16. +
  17. DHCP traffic forwarded through a bridge could, under some +configurations, be filtered by the 'maclist' option even though the +'dhcp' option was specified. This has been corrected.
    +
  18. +
+06/05/2005 Shorewall 2.4.0
+
+Note:
Because of the short time that has elapsed since the +release of Shorewall 2.2.0, Shorewall 2.0 will be supported until 1 +December 2005 or until the release of Shorewall 2.6.0, whichever occurs +first.
+
+New Features:
+
    +
  1. Shorewall 2.4.0 includes support for multiple internet interfaces +to different ISPs.
    +
    +The file /etc/shorewall/providers may be used to define the different +providers. It can actually be used to define alternate routing tables +so uses like transparent proxy can use the file as well.
    +
    +Columns are:
    +
    +        +NAME            +The provider name.
    +
    +        +NUMBER          The +provider number -- a number between 1 and 15
    +
    +        +MARK            +A FWMARK value used in your /etc/shorewall/tcrules file to direct +packets for this provider.
    +
    +        +DUPLICATE       The name of an existing +table to duplicate. May be +'main' or the name of a previous provider.
    +
    +        +INTERFACE       The name of the network +interface to the provider. +Must be listed in/etc/shorewall/interfaces.
    +
    +        +GATEWAY         The IP address +of the provider's gateway router. If you enter "detect" here then +Shorewall
    +                       +will
    attempt to determine +the gateway IP address automatically.
    +
    +        +OPTIONS         A +comma-separated list selected from the following:
    +
    +                +track   If specified, connections FROM this interface are + to be tracked so that +responses may be
    +                       +routed
    back out this same +interface.
    +
    +                        +You want specify 'track' if internet hosts will be connecting to local servers through
    +                       +this
    provider.
    +
    +                        +Because of limitations in the 'ip' utility and policy routing, you may not use the +SAVE or
    +                       +RESTORE tcrules options or use connection
    marking on any traffic to or from this
    +                        +interface. For traffic control purposes, you must mark packets in the FORWARD chain +(or
    +                       +better yet, use the CLASSIFY target).

    +
    +                +balance The providers that have 'balance' specified will get outbound traffic load-balanced +among
    +                       +them. By
    default, all +interfaces with 'balance' specified will have the same weight (1).
    +                       +You can change the
    weight +of the route out of the interface by specifiying balance=<weight>
    +                       +where <weight> is
    the +desired route weight.
    +
    +       Example:  You run squid in +your DMZ on IP address 192.168.2.99. Your DMZ interface is eth2
    +
    +        +#NAME   NUMBER  MARK DUPLICATE  INTERFACE +GATEWAY       OPTIONS
    +        +Squid   1       +1    +-          +eth2      192.168.2.99  -
    +
    +Use of this feature requires that your kernel and iptabls support +CONNMARK target and conntrack match support. It does NOT require the +ROUTE target extension.
    +
    +WARNING: The current version of iptables (1.3.1) is broken with respect +to CONNMARK and iptables-save/iptables-restore. This means that if you +configure multiple ISPs, "shorewall restore" may fail. You must patch +your iptables using the patch at +http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff.
    +
    +
  2. +
  3. Shorewall 2.3.0 supports the 'cmd-owner' option of the owner +match facility in Netfilter. Like all owner match options, 'cmd-owner' +may only be applied to traffic that originates on the firewall.
    +
    +The syntax of the USER/GROUP column in the following files has been +extended:
    +
    +        /etc/shorewall/accounting
    +        /etc/shorewall/rules
    +        /etc/shorewall/tcrules
    +        +/usr/share/shorewall/action.template
    +
    +To specify a command, prefix the command name with "+".
    +
    +   Examples:
    +
    +         ++mozilla-bin            +#The program is named "mozilla-bin"
    +         +joe+mozilla-bin         #The +program is named "mozilla-bin" and
    +                                 +#is being run by user "joe"
    +         +joe:users+mozilla-bin   #The program is named "mozilla-bin" +and
    +                                 +#is being run by user "joe" with
    +                                 +#effective group "users".
    +
    +   Note that this is not a particularly robust feature and I +would never advertise it as a "Personal Firewall" equivalent. Using +symbolic links, it's easy to alias command names to be anything you +want.
    +
    +
  4. +
  5. Support has been added for ipsets (see http://people.netfilter.org/kadlec/ipset/).
    +
    +In most places where a host or network address may be used, you may +also use the name of an ipset prefaced by "+".
    +
    +        Example: "+Mirrors"
    +
    +The name of the set may be optionally followed by:
    +
    +a) a number from 1 to 6 enclosed in square brackets ([]) -- this number +indicates the maximum number of ipset binding levels that are to be +matched. Depending on the context where the ipset name is used, either +all "src" or all "dst" matches will be used.
    +
    +        Example: "+Mirrors[4]"
    +
    +b) a series of "src" and "dst" options separated by commas and inclosed +in square brackets ([]). These will be passed directly to iptables in +the generated --set clause. See the ipset documentation for details.
    +
    +        Example: +"+Mirrors[src,dst,src]"
    +
    +Note that "+Mirrors[4]" used in the SOURCE column of the rules file is +equivalent to "+Mirrors[src,src,src,src]".
    +
    +To generate a negative match, prefix the "+" with "!" as in "!+Mirrors".
    +
    +Example 1: Blacklist all hosts in an ipset named "blacklist"
    +
    +           +/etc/shorewall/blacklist
    +
    +            +#ADDRESS/SUBNET         +PROTOCOL        PORT
    +            ++blacklist
    +
    +Example 2: Allow SSH from all hosts in an ipset named "sshok:
    +
    +           +/etc/shorewall/rules
    +
    +            +#ACTION      +SOURCE      DEST     +PROTO    DEST PORT(S)
    +            +ACCEPT       ++sshok      +fw       +tcp      22
    +
    +Shorewall can automatically capture the contents of your ipsets for +you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf +then "shorewall save" will save the contents of your ipsets. The file +where the sets are saved is formed by taking the name where the +Shorewall configuration is stored and appending "-ipsets". So if you +enter the command "shorewall save standard" then your Shorewall +configuration will be saved in var/lib/shorewall/standard and your +ipset contents will be saved in /var/lib/shorewall/standard-ipsets. +Assuming the default RESTOREFILE setting, if you just enter "shorewall +save" then your Shorewall configuration will be saved in +/var/lib/shorewall/restore and your ipset contents will be saved in +/var/lib/shorewall/restore-ipsets.
    +
    +Regardless of the setting of SAVE_IPSETS, the "shorewall -f start" and +"shorewall restore" commands will restore the ipset contents +corresponding to the Shorewall configuration restored provided that the +saved Shorewall configuration specified exists.
    +
    +For example, "shorewall restore standard" would restore the ipset +contents from /var/lib/shorewall/standard-ipsets provided that +/var/lib/shorewall/standard exists and is executable and that +/var/lib/shorewall/standard-ipsets exists and is executable.
    +
    +Also regardless of the setting of SAVE_IPSETS, the "shorewall forget" +command will purge the saved ipset information (if any) associated with +the saved shorewall configuration being removed.
    +
    +You can also associate ipset contents with Shorewall configuration +directories using the following command:
    +
    +       ipset -S > <config +directory>/ipsets
    +
    +Example:
    +
    +       ipset -S > /etc/shorewall/ipsets
    +
    +When you start or restart Shorewall (including using the 'try' command) +from the configuration directory, your ipsets will be configured from +the saved ipsets file. Once again, this behavior is independent of the +setting of SAVE_IPSETS.
    +
    +Ipsets are well suited for large blacklists. You can maintain your +blacklist using the 'ipset' utility without ever having to restart or +refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be sure +to "shorewall save" after altering the blacklist ipset(s).
    +
    +Example /etc/shorewall/blacklist:
    +
    +    +#ADDRESS/SUBNET         +PROTOCOL        PORT
    +    ++Blacklist[src,dst]
    +    ++Blacklistnets[src,dst]
    +
    +Create the blacklist ipsets using:
    +
    +          ipset -N +Blacklist iphash
    +          ipset -N +Blacklistnets nethash
    +
    +Add entries
    +
    +       ipset -A Blacklist 206.124.146.177
    +       ipset -A Blacklistnets +206.124.146.0/24
    +
    +To allow entries for individual ports
    +
    +       ipset -N SMTP portmap --from 1 +--to 31
    +       ipset -A SMTP 25
    +
    +       ipset -A Blacklist 206.124.146.177
    +       ipset -B Blacklist 206.124.146.177 +-b SMTP
    +
    +Now only port 25 will be blocked from 206.124.146.177.
    +
    +
  6. +
  7. Shorewall 2.4.0 can now configure routing if your kernel and +iptables support the ROUTE target extension. This extension is +available in Patch-O-Matic-ng. This feature is *EXPERIMENTAL* since the +Netfilter team have no intention of ever releasing the ROUTE target +extension to kernel.org.
    +
    +Routing is configured using the /etc/shorewall/routes file. Columns in +the file are as follows:
    +
    +       +SOURCE            +Source of the packet. May be any of the following:
    +
    +
    +                         +- A host or network address
    +                         +- A network interface name.
    +                         +- The name of an ipset prefaced with "+"
    +                         +- $FW (for packets originating on the firewall)
    +                         +- A MAC address in Shorewall format
    +                         +- A range of IP addresses (assuming that your kernel and iptables support range +match)
    +                         +- A network interface name followed by ":" and an address or address range.
    +
    +         +DEST            +Destination of the packet. May be any of the following:
    +
    +                         +- A host or network address
    +                         +- A network interface name (determined from
    +                           +routing table(s))
    +                         +- The name of an ipset prefaced with "+"
    +                         +- A network interface name followed by ":"
    +                           +and an address or address range.
    +
    +         +PROTO           +Protocol - Must be "tcp", "udp", "icmp", "ipp2p", a number, or "all". "ipp2p" +requires
    +                        +ipp2p match support in your kernel and
    iptables.
    +
    +         +PORT(S)         Destination +Ports. A comma-separated list of Port names (from /etc/services), port
    +                        +numbers
    or port ranges; +if the protocol is "icmp", thiscolumn is interpreted as the
    +                        +destination
    icmp-type(s).
    +
    +                         +If the protocol is ipp2p, this column is interpreted as an ipp2p option without +the
    +                        +leading "--" (example "bit" for bit-torrent).
    If no PORT is given, "ipp2p" is +assumed.
    +
    +                         +This column is ignored if PROTOCOL = all but must be entered if any of the following
    +                        +field
    is supplied. In +that case, it is suggested that this field contain "-"
    +
    +         +SOURCE PORT(S)  (Optional) Source port(s). If omitted, any source port is acceptable. +Specified as a
    +                        +comma-separated list of port names, port
    numbers or port ranges.
    +
    +         +TEST            +Defines a test on the existing packet or connection mark.
    +
    +                         +The rule will match only if the test returns true. Tests have the format
    +                        +[!]<value>[/<mask>][:C]

    +
    +                         +Where:
    +
    +                                 +!       Inverts the test (not equal) + <value> Value of the +packet or
    +                                        +connection mark.

    +
    +                                 +<mask>  A mask to be applied to the mark before testing
    +                                 +:C      Designates a connection mark. If omitted, the packet mark's value
    +                                        +is tested.

    +
    +         +INTERFACE       The interface that the +packet is to be routed out +of. If you do not specify this
    +                        +field then
    you must place +"-" in this column and enter an IP address in the GATEWAY
    +                        +column.

    +
    +         +GATEWAY         The gateway +that the packet is to be forewarded through.
    +
    +
  8. +
  9. Normally when Shorewall is stopped, starting or restarting then +connections are allowed from hosts listed in +/etc/shorewall/routestopped to the firewall and to other hosts listed +in /etc/shorewall/routestopped.
    +
    +A new 'source' option is added for entries in that file which will +cause Shorewall to allow traffic from the host listed in the entry to +ANY other host. When 'source' is specified in an entry, it is +unnecessary to also specify 'routeback'.
    +
    +Similarly, a new 'dest' option is added which will cause Shorewall to +allow traffic to the host listed in the entry from ANY other host. When +'source' is specified in an entry, it is unnecessary to also specify +'routeback'.
    +
    +
  10. +
  11. This change was implemented by Lorenzo Martignoni. It provides +two new commands: "safe-start" and "safe-restart".
    +
    + safe-start starts Shorewall +then prompts you to ask you if everything looks ok. If you answer "no" +or if you don't answer within 60 seconds, a "shorewall clear" is +executed.
    +
    + safe-restart saves your +current configuration to /var/lib/shorewall/safe-restart then issues a +"shorewall restart"; It then prompts you to ask if you if you want to +accept the new configuration. If you answer "no" or if you don't answer +within 60 seconds, the configuration is restored to its prior state.
    +
    +These new commands require either that your /bin/sh supports the "-t" +option to the 'read' command or that you have /bin/bash installed.
    +
  12. +
05/20/2005  Shorewall CVS Repository has Moved to Sourceforge
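Review bot: The MACLIST advisory's Workaround contradicts its own Description. The Description says the bypass occurs if MACLIST_TTL is greater than 0 *or* MACLIST_DISPOSITION is "ACCEPT", yet the Workaround for 2.2.x/2.4.x tells users to "set MACLIST_TTL=0 or MACLIST_DISPOSITION=REJECT"; with a disjunctive trigger, changing only one setting can leave the other trigger active, so the workaround should read "set MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT" (or the Description should be narrowed if only one of the two settings actually matters). The "Fix" heading directly above "Workaround" has no body and should either get text or be dropped. Smaller documentation defects in the same hunk: the 'loose' provider paragraph has "the specify 'loose'" and "It has bee reported"; the providers 'track' description reads "You want specify 'track'"; "iptabls"; Example 2 of the ipset section is missing the closing quote in `"sshok:`; the SAVE_IPSETS paragraph gives the path as `var/lib/shorewall/standard` without a leading slash while the other paths have one; "thiscolumn" and "forewarded" in the routes column descriptions; and the routestopped 'dest' paragraph says "When 'source' is specified in an entry" where 'dest' is meant (it is a copy of the preceding 'source' paragraph). Item 3 of the 2.4.0 notes credits cmd-owner support to "Shorewall 2.3.0" inside the 2.4.0 release notes; confirm that version reference is intended.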

@@ -25,7 +763,7 @@ -Tom

Problems Corrected:
- +
  1. Previously, if PKTTYPE=No in shorewall.conf then pkttype @@ -64,7 +802,7 @@ Regards,

    -Tom
    - +

    05/02/2005 Shorewall 2.2.4
    @@ -93,7 +831,7 @@ column contents: <column contents>

New Features:
- +
  1. Support has been added for UPnP using linux-igd  ( WARNING:
    - +
    From a security architecture viewpoint, UPnP is a disaster. It assumes that:
    - +
    1. All local systems and their users are completely @@ -137,7 +875,7 @@
      WARNING:
      - +
      The linux-igd project appears to be inactive and the web @@ -155,7 +893,7 @@
      Configuring linux-igd:
      - +
      In /etc/upnpd.conf, you will want:
      @@ -172,7 +910,7 @@
      Shorewall Configuration:
      - +
      In /etc/shorewall/interfaces, you need the 'upnp' option on @@ -378,7 +1116,7 @@ information was displayed.
    New Features:
    - +
    1. A new extension script "continue" has been added. This @@ -446,7 +1184,7 @@ 2.0.17

      Problems Corrected:
      - +
      1. Invoking the 'rejNotSyn' action results in an error at @@ -465,7 +1203,7 @@ 03/12/2005 Shorewall 2.2.2

        Problems Corrected:
        - +
        1. The SOURCE column in the /etc/shorewall/tcrules file now @@ -495,7 +1233,7 @@
        New Features:
        - +
        1. The SOURCE column in the /etc/shorewall/tcrules file now @@ -613,7 +1351,7 @@
          This release back-ports the DROPINVALID shorewall.conf option from 2.2.0.
          - +
          1. Recent 2.6 kernels include code that evaluates TCP @@ -768,7 +1506,7 @@ invoked, the following three variables will be set for use by the script:

            - +
            $CHAIN = the name of the chain where your rules are to be @@ -788,7 +1526,7 @@
            Your /etc/shorewall/acton file will be run with:

            - +
            $CHAIN="%acton1
            @@ -797,7 +1535,7 @@

            - +
            1. The /etc/shorewall/startup_disabled file is no longer @@ -917,7 +1655,7 @@ Under 2.4 Kernel FreeS/Wan:

              /etc/shorewall/zones:
              - +
               net    Net    The big bad Internet
              loc Local Extended local zone @@ -1528,7 +2266,7 @@ loc Local Extended local zone /etc/shorewall/ecn produce startup errors.
            New Features:
            - +
            1. A new AllowInvalid standard built-in action has been @@ -1545,7 +2283,7 @@ loc Local Extended local zone 01/12/2005 - Shorewall 2.0.15

              Problems Corrected:
              - +
              1. The range of ports opened by the AllowTrcrt action has @@ -1565,7 +2303,7 @@ loc Local Extended local zone "2_2_0_RC4">01/06/2005 - Shorewall 2.2.0 RC4

                New Features:
                - +
                1. A listing of loaded iptables kernel modules is now @@ -1573,7 +2311,7 @@ loc Local Extended local zone
                Problems Corrected.
                - +
                1. Several problems associated with processing the IPSEC @@ -1584,7 +2322,7 @@ loc Local Extended local zone "2_0_14">01/03/2005 - Shorewall 2.0.14

                  New Features:
                  - +
                  1. Previously, when rate-limiting was specified in @@ -1596,7 +2334,7 @@ loc Local Extended local zone
                  Problems Corrected:
                  - +
                  1. A typo in the /etc/shorewall/interfaces file has been @@ -1636,7 +2374,7 @@ loc Local Extended local zone "2_2_0_RC3">12/30/2004 - Shorewall 2.2.0 RC3

                    Problems Corrected:
                    - +
                    1. The following error message could appear during @@ -1679,7 +2417,7 @@ loc Local Extended local zone "2_2_0_RC1">12/19/2004 - Shorewall 2.2.0 RC1

                      Problems Corrected:
                      - +
                      1. The syntax of the add and delete command has been @@ -1687,7 +2425,7 @@ loc Local Extended local zone /sbin/shorewall.
                      New Features:
                      - +
                      1. @@ -1701,7 +2439,7 @@ loc Local Extended local zone <gateway>

                        Examples:
                        - +
                             openvpn:tcp         net    1.2.3.4    # TCP tunnel on port 5000
                        openvpn:3344 net 1.2.3.4 # UDP on port 3344
                        @@ -1730,7 +2468,7 @@ loc Local Extended local zone "2_2_0_Beta8">12/11/2004 - Shorewall 2.2.0 Beta 8

                        Problems Corrected:
                        - +
                        1. A typo in the /etc/shorewall/interfaces file has been @@ -1741,7 +2479,7 @@ loc Local Extended local zone was available.
                        New Features:
                        - +
                        1. Recent 2.6 kernels include code that evaluates TCP @@ -1794,7 +2532,7 @@ loc Local Extended local zone "2_2_0_Beta7">12/04/2004 - Shorewall 2.2.0 Beta 7

                          Problems Corrected:
                          - +
                          1. The "shorewall add" and "shorewall delete" commands now @@ -1850,7 +2588,7 @@ loc Local Extended local zone was run, capabilities were mis-detected.
                          New Features:
                          - +
                          1. You can now use the "shorewall show zones" command to @@ -1922,13 +2660,13 @@ loc Local Extended local zone "2_0_13">12/02/2004 - Shorewall 2.0.13

                            Problems Corrected:
                            - +
                            1. A typo in /usr/share/shorewall/firewall caused the "shorewall add" to issue an error message:
                              - +
                               /usr/share/shorewall/firewall: line 1: match_destination_hosts: command not found
                               
                              @@ -1938,7 +2676,7 @@ loc Local Extended local zone "2_0_12">12/01/2004 - Shorewall 2.0.12

                              Problems Corrected:
                              - +
                              1. A typo in shorewall.conf (NETNOTSYN) has been @@ -1992,7 +2730,7 @@ loc Local Extended local zone policies and rules. This has been corrected.
                              New Features:
                              - +
                              1. Variable expansion may now be used with the INCLUDE @@ -2019,7 +2757,7 @@ loc Local Extended local zone Beta 5 was more or less DOA. Here's Beta 6.

                                Problems Corrected:
                                - +
                                1. Fixed a number of problems associated with not having an @@ -2033,14 +2771,14 @@ loc Local Extended local zone "2_2_0_Beta5">11/26/2004 - Shorewall 2.2.0 Beta 5

                                  Problems corrected:
                                  - +
                                  1. A typo in shorewall.conf (NETNOTSYN) has been corrected.
                                  New Features:
                                  - +
                                  1. For consistency, the CLIENT PORT(S) column in the tcrules @@ -2059,7 +2797,7 @@ loc Local Extended local zone "2_0_11">11/23/2004 - Shorewall 2.0.11

                                    Problems corrected:
                                    - +
                                    1. The INSTALL file now include special instructions for @@ -2074,7 +2812,7 @@ loc Local Extended local zone a new install has been corrected.
                                    New Features:
                                    - +
                                    1. The AllowNNTP action now allows NNTP over SSL/TLS @@ -2085,7 +2823,7 @@ loc Local Extended local zone "2_2_0_Beta4">11/19/2004 - Shorewall 2.2.0 Beta 4

                                      Problems Corrected:
                                      - +
                                      1. A cut and paste error resulted in some nonsense in the @@ -2099,7 +2837,7 @@ loc Local Extended local zone but did nothing -- now it works.
                                      New Features:
                                      - +
                                      1. The AllowNNTP action now allows NNTP over SSL/TLS @@ -2110,7 +2848,7 @@ loc Local Extended local zone "2_2_0_Beta3">11/09/2004 - Shorewall 2.2.0 Beta 3

                                        Problems Corrected:
                                        - +
                                        1. Missing '#' in the rfc1918 file has been corrected.
                                        2. @@ -2119,13 +2857,13 @@ loc Local Extended local zone Slackware users.
                                        New Features:
                                        - +
                                        1. In CLASSIFY rules (/etc/shorewall/tcrules), an interface name may now appear in the DEST column as in:
                                          - +
                                                   #MARK/      SOURCE       DEST      PROTO     PORT(S)
                                          #CLASSIFY
                                          @@ -2137,7 +2875,7 @@ loc Local Extended local zone "2_2_0_Beta2">11/02/2004 - Shorewall 2.2.0 Beta 2

                                          Problems Corrected:
                                          - +
                                          1. The "shorewall check" command results in the (harmless) @@ -2160,7 +2898,7 @@ loc Local Extended local zone file.
                                          New Features:
                                          - +
                                          1. The SUBNET column in /etc/shorewall/rfc1918 has been @@ -2172,7 +2910,7 @@ loc Local Extended local zone "2_0_10">10/25/2004 - Shorewall 2.0.10

                                            Problems Corrected:
                                            - +
                                            1. The GATEWAY column was previously ignored in 'pptpserver' @@ -2191,7 +2929,7 @@ loc Local Extended local zone
                                            New Features:
                                            - +
                                            1. The "shorewall status" command has been enhanced to @@ -2229,7 +2967,7 @@ loc Local Extended local zone The first beta in the 2.2 series is now available. Download location is:

                                              - +
                                            New Features:
                                            - +
                                            1. The "shorewall status" command now includes the output of @@ -3054,7 +3792,7 @@ loc Local Extended local zone

                                              5/21/2004 - Shorewall 2.0.2c

                                              One problem corrected:
                                              - +
                                              1.  DNAT rules with a dynamic source zone don't work @@ -3128,7 +3866,7 @@ loc Local Extended local zone
                                              Issues when migrating from Shorewall 2.0.1 to Shorewall 2.0.2:
                                              - +
                                              1. Extension Scripts -- In order for extension scripts to @@ -3180,7 +3918,7 @@ loc Local Extended local zone set DYNAMIC_ZONES=No in /etc/shorewall/shorewall.conf.
                                              New Features:
                                              - +
                                              1. Shorewall has now been integrated with @@ -3391,13 +4129,13 @@ loc Local Extended local zone presentation was entitled "Shorewall and the Enterprise" and described - the history of Shorewall and gave an overview of its features. + the history of Shorewall and gave an overview of its features.

                                                4/5/2004 - Shorewall 2.0.1

                                                Problems Corrected since 2.0.0

                                                - +
                                                1. Using actions in the manner recommended in the @@ -3418,7 +4156,7 @@ loc Local Extended local zone Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:

                                                  - +
                                                  1. The function of 'norfc1918' is now split between that @@ -3445,7 +4183,7 @@ loc Local Extended local zone
                                                  New Features:

                                                  - +
                                                  1. Support for Bridging Firewalls has been added. For @@ -3496,7 +4234,7 @@ loc Local Extended local zone
                                                  2. Shorewall now traps two common zone definition errors:
                                                    - +
                                                    • Including the firewall zone in a /etc/shorewall/hosts @@ -3550,7 +4288,7 @@ loc Local Extended local zone

                                                      3/14/2004 - Shorewall 2.0.0b 

                                                      Corrects two problems:
                                                      - +
                                                      1. Thanks to Sean Mathews, the long-standing problem with @@ -3816,7 +4554,7 @@ loc Local Extended local zone

                                                        Corrects one problem:

                                                        Entries in /etc/shorewall/tcrules with an empty USER/GROUP - column would cause a startup error. + column would cause a startup error.

                                                        2/12/2004 - Shorewall 1.4.10b 

                                                        @@ -3873,7 +4611,7 @@ loc Local Extended local zone     None.

                                                        New Features:
                                                        - +
                                                        1. The INTERFACE column in the /etc/shorewall/masq file may @@ -3958,7 +4696,7 @@ loc Local Extended local zone     None.

                                                          New Features:
                                                          - +
                                                          1. The INTERFACE column in the /etc/shorewall/masq file may @@ -4034,7 +4772,7 @@ loc Local Extended local zone     None.

                                                            New Features:
                                                            - +
                                                            1. The INTERFACE column in the /etc/shorewall/masq file may @@ -4103,7 +4841,7 @@ loc Local Extended local zone     None.

                                                              New Features:
                                                              - +
                                                              1. The INTERFACE column in the /etc/shorewall/masq file may @@ -4513,7 +5251,7 @@ loc Local Extended local zone field questions and problems from new users. I will not monitor that list personally. I will continue my active development of Shorewall and will be available via the development list to - handle development issues -- Tom. + handle development issues -- Tom.

                                                                11/07/2003 - Shorewall 1.4.8

                                                                @@ -4603,7 +5341,7 @@ loc Local Extended local zone

                                                              Migration Issues:
                                                              - +
                                                              1. The definition of the ROUTE_FILTER option in @@ -4611,7 +5349,7 @@ loc Local Extended local zone
                                                              New Features:
                                                              - +
                                                              1. A new QUEUE action has been introduced for rules. QUEUE @@ -4660,7 +5398,7 @@ loc Local Extended local zone Given the small number of new features and the relatively few lines of code that were changed, there will be no Beta for 1.4.8.
                                                                - +

                                                                http://shorewall.net/pub/shorewall/Beta
                                                                @@ -4737,7 +5475,7 @@ loc Local Extended local zone 'routefilter' option in the interfaces file.

                                                              Migration Issues:
                                                              - +
                                                              1. The definition of the ROUTE_FILTER option in @@ -4745,7 +5483,7 @@ loc Local Extended local zone
                                                              New Features:
                                                              - +
                                                              1. A new QUEUE action has been introduced for rules. QUEUE @@ -4806,7 +5544,7 @@ loc Local Extended local zone

                                                                10/24/2003 - Shorewall 1.4.7b

                                                                This is a bugfx rollup of the 1.4.7a fixes plus:
                                                                - +
                                                                1. The fix for problem 5 in 1.4.7a was wrong with the result @@ -4880,7 +5618,7 @@ loc Local Extended local zone

                                                                  Problems Corrected since version 1.4.6 (Those in bold font were corrected since 1.4.7 RC2).
                                                                  - +
                                                                  1. Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -5012,7 +5750,7 @@ loc Local Extended local zone
                                                                  Migration Issues:
                                                                  - +
                                                                  1. Shorewall IP Traffic Accounting has changed since @@ -5030,7 +5768,7 @@ loc Local Extended local zone
                                                                  New Features:
                                                                  - +
                                                                  1. Thanks to Steve Herber, the 'help' command can now give @@ -5226,7 +5964,7 @@ loc Local Extended local zone

                                                                    Problems Corrected since version 1.4.6 (Those in bold font were corrected since 1.4.7 RC 1).
                                                                    - +
                                                                    1. Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -5346,7 +6084,7 @@ loc Local Extended local zone
                                                                    Migration Issues:
                                                                    - +
                                                                    1. Shorewall IP Traffic Accounting has changed since @@ -5364,7 +6102,7 @@ loc Local Extended local zone
                                                                    New Features:
                                                                    - +
                                                                    1. Thanks to Steve Herber, the 'help' command can now give @@ -5560,7 +6298,7 @@ loc Local Extended local zone

                                                                      Problems Corrected since version 1.4.6 (Those in bold font were corrected since 1.4.7 Beta 1).
                                                                      - +
                                                                      1. Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -5626,7 +6364,7 @@ loc Local Extended local zone
                                                                      Migration Issues:
                                                                      - +
                                                                      1. Shorewall IP Traffic Accounting has changed since @@ -5644,7 +6382,7 @@ loc Local Extended local zone
                                                                      New Features:
                                                                      - +
                                                                      1. Thanks to Steve Herber, the 'help' command can now give @@ -5840,7 +6578,7 @@ loc Local Extended local zone

                                                                        Problems Corrected since version 1.4.6 (Those in bold font were corrected since 1.4.7 Beta 1).
                                                                        - +
                                                                        1. Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -5900,7 +6638,7 @@ loc Local Extended local zone
                                                                        Migration Issues:
                                                                        - +
                                                                        1. Shorewall IP Traffic Accounting has changed since @@ -5918,7 +6656,7 @@ loc Local Extended local zone
                                                                        New Features:
                                                                        - +
                                                                        1. Thanks to Steve Herber, the 'help' command can now give @@ -6121,7 +6859,7 @@ loc Local Extended local zone Guide 

                                                                          Thanks to Fabien Demassieux, there is now a French translation of the - Shorewall Setup Guide. Merci Beacoup, Fabien! + Shorewall Setup Guide. Merci Beacoup, Fabien!

                                                                          8/25/2003 - Shorewall 1.4.7 Beta 1

                                                                          @@ -6133,7 +6871,7 @@ loc Local Extended local zone "_top">ftp://shorewall.net/pub/shorewall/Beta

                                                                          Problems Corrected since version 1.4.6
                                                                          - +
                                                                          1. Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -6167,7 +6905,7 @@ loc Local Extended local zone
                                                                          Migration Issues:
                                                                          - +
                                                                          1. Shorewall IP Traffic Accounting has changed since @@ -6185,7 +6923,7 @@ loc Local Extended local zone
                                                                          New Features:
                                                                          - +
                                                                          1. Thanks to Steve Herber, the 'help' command can now give @@ -6383,7 +7121,7 @@ loc Local Extended local zone "_top">ftp://shorewall.net/pub/shorewall/Snapshots/

                                                                            Problems Corrected since version 1.4.6
                                                                            - +
                                                                            1. Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -6417,7 +7155,7 @@ loc Local Extended local zone
                                                                            Migration Issues:
                                                                            - +
                                                                            1. Once you have installed this version of Shorewall, you @@ -6438,7 +7176,7 @@ loc Local Extended local zone page for details.
                                                                            New Features:
                                                                            - +
                                                                            1. Shorewall now creates a dynamic blacklisting chain for @@ -6647,7 +7385,7 @@ loc Local Extended local zone "_top">ftp://shorewall.net/pub/shorewall/Snapshots/

                                                                              Problems Corrected since version 1.4.6
                                                                              - +
                                                                              1. Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -6678,7 +7416,7 @@ loc Local Extended local zone
                                                                              Migration Issues:
                                                                              - +
                                                                              1. Once you have installed this version of Shorewall, you @@ -6691,7 +7429,7 @@ loc Local Extended local zone rejectall"
                                                                              New Features:
                                                                              - +
                                                                              1. Shorewall now creates a dynamic blacklisting chain for @@ -6882,7 +7620,7 @@ loc Local Extended local zone "_top">ftp://shorewall.net/pub/shorewall/Snapshots/

                                                                                Problems Corrected since version 1.4.6
                                                                                - +
                                                                                1. Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -6908,7 +7646,7 @@ loc Local Extended local zone
                                                                                Migration Issues:
                                                                                - +
                                                                                1. Once you have installed this version of Shorewall, you @@ -6921,7 +7659,7 @@ loc Local Extended local zone rejectall"
                                                                                New Features:
                                                                                - +
                                                                                1. Shorewall now creates a dynamic blacklisting chain for @@ -7038,7 +7776,7 @@ loc Local Extended local zone

                                                                                  8/5/2003 - Shorewall-1.4.6b 

                                                                                  Problems Corrected since version 1.4.6:
                                                                                  - +
                                                                                  1. Previously, if TC_ENABLED is set to yes in shorewall.conf @@ -7068,7 +7806,7 @@ loc Local Extended local zone

                                                                                    8/5/2003 - Shorewall-1.4.6b

                                                                                    Problems Corrected since version 1.4.6:
                                                                                    - +
                                                                                    1. Previously, if TC_ENABLED is set to yes in shorewall.conf @@ -7213,7 +7951,7 @@ loc Local Extended local zone "_top">ftp://shorewall.net/pub/shorewall/Snapshots/

                                                                                      Problems Corrected since version 1.4.6
                                                                                      - +
                                                                                      1. Corrected problem in 1.4.6 where the MANGLE_ENABLED @@ -7225,7 +7963,7 @@ loc Local Extended local zone
                                                                                      Migration Issues:
                                                                                      - +
                                                                                      1. Once you have installed this version of Shorewall, you @@ -7238,7 +7976,7 @@ loc Local Extended local zone rejectall"
                                                                                      New Features:
                                                                                      - +
                                                                                      1. Shorewall now creates a dynamic blacklisting chain for @@ -7308,12 +8046,12 @@ loc Local Extended local zone Two new commands ('dropall' and 'rejectall') have been introduced that do what 'drop' and 'reject' used to do; namely, when an address is blacklisted using these new commands, it - will be blacklisted on all of your firewall's interfaces. + will be blacklisted on all of your firewall's interfaces.

                                                                                        7/22/2003 - Shorewall-1.4.6a

                                                                                        Problems Corrected:
                                                                                        - +
                                                                                        1. Previously, if TC_ENABLED is set to yes in shorewall.conf @@ -7587,7 +8325,7 @@ loc Local Extended local zone

                                                                                          Thanks to the folks at securityopensource.org.br, there is now a Shorewall mirror in Brazil. + "_top">Shorewall mirror in Brazil.

                                                                                          7/15/2003 - Shorewall-1.4.6 RC 1

                                                                                          @@ -8235,7 +8973,7 @@ loc Local Extended local zone that restores the previous 5-character limit by conditionally omitting the log rule number when the LOGFORMAT doesn't contain '%d'.
                                                                                          - +

                                                                                          5/23/2003 - Shorewall-1.4.4

                                                                                          I apologize for the rapid-fire releases but since there is a @@ -8244,13 +8982,13 @@ loc Local Extended local zone bug-fix release.

                                                                                              Problems corrected:
                                                                                          - +
                                                                                          None.
                                                                                              New Features:
                                                                                          -
                                                                                          +
                                                                                          1. A REDIRECT- rule target has been added. This target @@ -8291,7 +9029,7 @@ loc Local Extended local zone

                                                                                            This version primarily corrects the documentation included in the .tgz and in the .rpm. In addition:
                                                                                            - +
                                                                                            1. (This change is in 1.4.3 but is not documented) If you @@ -8315,7 +9053,7 @@ loc Local Extended local zone

                                                                                              5/18/2003 - Shorewall 1.4.3

                                                                                                  Problems Corrected:
                                                                                              -
                                                                                              +
                                                                                              1. There were several cases where Shorewall would fail to @@ -8329,7 +9067,7 @@ loc Local Extended local zone confused.
                                                                                                  New Features:
                                                                                              -
                                                                                              +
                                                                                              1.  IPV6-IPV4 (6to4) tunnels are now supported in the @@ -8350,7 +9088,7 @@ loc Local Extended local zone

                                                                                                5/8/2003 - Shorewall Mirror in Chile

                                                                                                Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago - Chile. + Chile.

                                                                                                4/21/2003 - Samples updated for Shorewall version 1.4.2

                                                                                                @@ -8491,14 +9229,14 @@ loc Local Extended local zone if there are entries in /etc/shorewall/ecn.
                                                                                              New Features:
                                                                                              - +
                                                                                              Note: In the list that follows, the term group refers to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be a host address) accessed through a particular interface. Examples:
                                                                                              - +
                                                                                              eth0:0.0.0.0/0
                                                                                              @@ -8531,7 +9269,7 @@ loc Local Extended local zone traffic from Z1 to Z2.
                                                    See the upgrade issues for a - discussion of how these changes may affect your configuration. + discussion of how these changes may affect your configuration.

                                                    3/17/2003 - Shorewall 1.4.0

                                                    Shorewall 1.4 represents the next step in the evolution of @@ -8544,7 +9282,7 @@ loc Local Extended local zone
                                                    Function from 1.3 that has been omitted from this version include:
                                                    - +
                                                    1. The MERGE_HOSTS variable in shorewall.conf is no longer @@ -8588,7 +9326,7 @@ loc Local Extended local zone
                                                    Changes for 1.4 include:
                                                    - +
                                                    1. The /etc/shorewall/shorewall.conf file has been @@ -8759,7 +9497,7 @@ loc Local Extended local zone  
                                                      Example 1 -- This is how it works in 1.3.14.
                                                        
                                                      - +
                                                          [root@gateway test]# cat /etc/shorewall/masq
                                                      #INTERFACE SUBNET ADDRESS
                                                      @@ -8796,7 +9534,7 @@ loc Local Extended local zone Example 2 -- Suppose that your current config is as follows:
                                                        
                                                      - +
                                                          [root@gateway test]# cat /etc/shorewall/masq
                                                      #INTERFACE SUBNET ADDRESS
                                                      @@ -8819,7 +9557,7 @@ loc Local Extended local zone Example 3 -- What if your current configuration is like this?
                                                       
                                                      - +
                                                          [root@gateway test]# cat /etc/shorewall/masq
                                                      #INTERFACE SUBNET ADDRESS
                                                      @@ -8837,7 +9575,7 @@ loc Local Extended local zone  
                                                         In this case, you would want to change the entry in  /etc/shorewall/masq to:
                                                      - +
                                                          #INTERFACE              SUBNET                  ADDRESS
                                                      eth0 192.168.1.0/24 206.124.146.176
                                                      @@ -8915,7 +9653,7 @@ loc Local Extended local zone  
                                                      Example 1 -- This is how it works in 1.3.14.
                                                        
                                                      - +
                                                          [root@gateway test]# cat /etc/shorewall/masq
                                                      #INTERFACE SUBNET ADDRESS
                                                      @@ -8952,7 +9690,7 @@ loc Local Extended local zone Example 2 -- Suppose that your current config is as follows:
                                                        
                                                      - +
                                                          [root@gateway test]# cat /etc/shorewall/masq
                                                      #INTERFACE SUBNET ADDRESS
                                                      @@ -8975,7 +9713,7 @@ loc Local Extended local zone Example 3 -- What if your current configuration is like this?
                                                       
                                                      - +
                                                          [root@gateway test]# cat /etc/shorewall/masq
                                                      #INTERFACE SUBNET ADDRESS
                                                      @@ -8993,7 +9731,7 @@ loc Local Extended local zone  
                                                         In this case, you would want to change the entry in  /etc/shorewall/masq to:
                                                      - +
                                                          #INTERFACE              SUBNET                  ADDRESS
                                                      eth0 192.168.1.0/24 206.124.146.176
                                                      @@ -9014,7 +9752,7 @@ loc Local Extended local zone     http://slovakia.shorewall.net/pub/shorewall/pdf/ - +

                                                      1/17/2003 - shorewall.net has MOVED 

                                                      @@ -9178,7 +9916,7 @@ loc Local Extended local zone 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would fail to start and "shorewall refresh" would also fail.
                                                      - +

                                                      12/20/2002 - Shorewall 1.3.12 Beta 2

                                                      @@ -9187,7 +9925,7 @@ loc Local Extended local zone audience).

                                                      Features include:
                                                      - +
                                                      1. "shorewall refresh" now reloads the traffic shaping rules @@ -9226,7 +9964,7 @@ loc Local Extended local zone the upgrade process won't overwrite your file.
                                                      You may download the Beta from:
                                                      - +
                                                      product. Here is the press release.
                                                      - +

                                                      12/7/2002 - Shorewall Support for Mandrake 9.0

                                                      @@ -9363,11 +10101,11 @@ loc Local Extended local zone Alexandru Hartmann reports that his Shorewall package is now a part of the Gentoo Linux distribution. Thanks Alex!
                                                      - +

                                                      10/23/2002 - Shorewall 1.3.10 Beta 1

                                                      In this version:
                                                      - + You may download the Beta from:
                                                      - +
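Review bot: nearly every hunk in this stretch of oldnews.html is a whitespace-only change (each one shows a removed line and an added line that render identically, for example the repeated `- +` pairs and pairs such as `- column would cause a startup error. + column would cause a startup error.`), so the diff records no change to the old news text while burying any real edit; split the whitespace normalization into its own commit so that a substantive change to this file can be reviewed on its own.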
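Review bot: the rewritten line `- Shorewall Setup Guide. Merci Beacoup, Fabien! + Shorewall Setup Guide. Merci Beacoup, Fabien!` keeps the misspelling "Beacoup" (French "Beaucoup") in the added version; since the line is being touched anyway, correct it there. The unchanged context line `This is a bugfx rollup of the 1.4.7a fixes plus:` carries a similar typo ("bugfix") that could be fixed in the same pass.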
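Review bot: in the Brazil-mirror hunk the added line starts with the tail of an HTML attribute, `+ "_top">Shorewall mirror in Brazil.`, while the opening `<a ... target=` sits outside the hunk; confirm that the rewrapped anchor tag still closes correctly in the rendered page, because a line wrap inside a tag attribute is easy to break. The same split `"_top">` fragment appears as unchanged context ahead of the ftp://shorewall.net/pub/shorewall/Beta and ftp://shorewall.net/pub/shorewall/Snapshots/ links, so those anchors deserve the same check.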
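Review bot: the `8/5/2003 - Shorewall-1.4.6b` entry appears twice in the touched region, each time followed by the same `Problems Corrected since version 1.4.6:` list beginning `1. Previously, if TC_ENABLED is set to yes in shorewall.conf`, and the 1.4.7 Beta and RC blocks headed `Problems Corrected since version 1.4.6` are likewise repeated several times with the same `1. Corrected problem in 1.4.6 where the MANGLE_ENABLED` item; this patch reflows every copy instead of removing the duplicates, so deduplicate while the file is being rewritten rather than carrying the repeated blocks forward.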