diff --git a/STABLE/documentation/News.htm b/STABLE/documentation/News.htm
index e27dd03e3..39e4b5262 100644
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
@@ -3,2382 +3,2428 @@
-
+
Shorewall News
-
+
+
-
+
-
+
-
-
-
+ |
+
+
-
+
+
Shorewall News Archive
- |
-
+
+
-
-
+
+
-
-2/8/2003 - Shoreawll 1.3.14
+
+2/8/2003 - Shoreawall 1.3.14
+
New features include
+
- - An OLD_PING_HANDLING option has been added to shorewall.conf. When
- set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).
-
- When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
-policies just like any other connection request. The FORWARDPING=Yes option
-in shorewall.conf and the 'noping' and 'filterping' options in /etc/shorewall/interfaces
-will all generate an error.
-
-
- - It is now possible to direct Shorewall to create a "label" such as
- "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes.
- This is done by specifying the label instead of just the interface name:
-
- a) In the INTERFACE column of /etc/shorewall/masq
- b) In the INTERFACE column of /etc/shorewall/nat
-
- - Support for OpenVPN Tunnels.
-
-
- - Support for VLAN devices with names of the form $DEV.$VID (e.g., eth0.0)
-
-
- - When an interface name is entered in the SUBNET column of the /etc/shorewall/masq
- file, Shorewall previously masqueraded traffic from only the first subnet
- defined on that interface. It did not masquerade traffic from:
-
- a) The subnets associated with other addresses on the interface.
- b) Subnets accessed through local routers.
-
- Beginning with Shorewall 1.3.14, if you enter an interface name in the
- SUBNET column, shorewall will use the firewall's routing table to construct
- the masquerading/SNAT rules.
-
- Example 1 -- This is how it works in 1.3.14.
-
-
+ - An OLD_PING_HANDLING option has been added to shorewall.conf. When
+ set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).
+
+ When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules
+and policies just like any other connection request. The FORWARDPING=Yes
+option in shorewall.conf and the 'noping' and 'filterping' options in
+/etc/shorewall/interfaces will all generate an error.
+
+
+ - It is now possible to direct Shorewall to create a "label" such
+ as "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
+and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of
+just the interface name:
+
+ a) In the INTERFACE column of /etc/shorewall/masq
+ b) In the INTERFACE column of /etc/shorewall/nat
+
+ - Support for OpenVPN Tunnels.
+
+
+ - Support for VLAN devices with names of the form $DEV.$VID (e.g.,
+eth0.0)
+
+
+ - In /etc/shorewall/tcrules, the MARK value may be optionally followed
+by ":" and either 'F' or 'P' to designate that the marking will occur in the
+FORWARD or PREROUTING chains respectively. If this additional specification
+is omitted, the chain used to mark packets will be determined by the setting
+of the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
+
+
+ - When an interface name is entered in the SUBNET column of the /etc/shorewall/masq
+ file, Shorewall previously masqueraded traffic from only the first subnet
+ defined on that interface. It did not masquerade traffic from:
+
+ a) The subnets associated with other addresses on the interface.
+ b) Subnets accessed through local routers.
+
+ Beginning with Shorewall 1.3.14, if you enter an interface name in
+ the SUBNET column, shorewall will use the firewall's routing table to
+construct the masquerading/SNAT rules.
+
+ Example 1 -- This is how it works in 1.3.14.
+
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
-
+
[root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
-
- When upgrading to Shorewall 1.3.14, if you have multiple local subnets
- connected to an interface that is specified in the SUBNET column of an /etc/shorewall/masq
- entry, your /etc/shorewall/masq file will need changing. In most cases,
-you will simply be able to remove redundant entries. In some cases though,
-you might want to change from using the interface name to listing specific
-subnetworks if the change described above will cause masquerading to occur
-on subnetworks that you don't wish to masquerade.
-
- Example 2 -- Suppose that your current config is as follows:
-
-
+
+ When upgrading to Shorewall 1.3.14, if you have multiple local subnets
+ connected to an interface that is specified in the SUBNET column of an
+ /etc/shorewall/masq entry, your /etc/shorewall/masq file will need changing.
+ In most cases, you will simply be able to remove redundant entries. In
+some cases though, you might want to change from using the interface name
+to listing specific subnetworks if the change described above will cause
+masquerading to occur on subnetworks that you don't wish to masquerade.
+
+ Example 2 -- Suppose that your current config is as follows:
+
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, the second entry in /etc/shorewall/masq is no longer
- required.
-
- Example 3 -- What if your current configuration is like this?
-
-
+
+ In this case, the second entry in /etc/shorewall/masq is no longer
+ required.
+
+ Example 3 -- What if your current configuration is like this?
+
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, you would want to change the entry in /etc/shorewall/masq
- to:
-
+
+ In this case, you would want to change the entry in /etc/shorewall/masq
+ to:
+
#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
+
+
-2/5/2003 - Shorewall Support included in Webmin 1.060
-
-Webmin version 1.060 now has Shorewall support included as standard. See
-http://www.webmin.com.
-
- 2/4/2003 - Shorewall 1.3.14-RC1
-
+ 2/5/2003 - Shorewall Support included in Webmin 1.060
+
+Webmin version 1.060 now has Shorewall support included as standard. See
+ http://www.webmin.com.
+
+ 2/4/2003 - Shorewall 1.3.14-RC1
+
Includes the Beta 2 content plus support for OpenVPN tunnels.
-
+
1/28/2003 - Shorewall 1.3.14-Beta2
-
-Includes the Beta 1 content plus restores VLAN device names of the form
- $dev.$vid (e.g., eth0.1)
-
+
+Includes the Beta 1 content plus restores VLAN device names of the form
+ $dev.$vid (e.g., eth0.1)
+
1/25/2003 - Shorewall 1.3.14-Beta1
-
-
+
+
The Beta includes the following changes:
-
-
+
+
- - An OLD_PING_HANDLING option has been added to shorewall.conf.
-When set to Yes, Shorewall ping handling is as it has always been (see
+
- An OLD_PING_HANDLING option has been added to shorewall.conf.
+ When set to Yes, Shorewall ping handling is as it has always been (see
http://www.shorewall.net/ping.html).
-
- When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
-policies just like any other connection request. The FORWARDPING=Yes option
-in shorewall.conf and the 'noping' and 'filterping' options in /etc/shorewall/interfaces
-will all generate an error.
-
-
- - It is now possible to direct Shorewall to create a "label" such
- as "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
-and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead
-of just the interface name:
-
- a) In the INTERFACE column of /etc/shorewall/masq
- b) In the INTERFACE column of /etc/shorewall/nat
-
- - When an interface name is entered in the SUBNET column of the
-/etc/shorewall/masq file, Shorewall previously masqueraded traffic from
-only the first subnet defined on that interface. It did not masquerade
+
+ When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules
+and policies just like any other connection request. The FORWARDPING=Yes
+option in shorewall.conf and the 'noping' and 'filterping' options in
+/etc/shorewall/interfaces will all generate an error.
+
+
+ - It is now possible to direct Shorewall to create a "label"
+such as "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
+and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of
+just the interface name:
+
+ a) In the INTERFACE column of /etc/shorewall/masq
+ b) In the INTERFACE column of /etc/shorewall/nat
+
+ - When an interface name is entered in the SUBNET column of the
+ /etc/shorewall/masq file, Shorewall previously masqueraded traffic from
+ only the first subnet defined on that interface. It did not masquerade
traffic from:
-
- a) The subnets associated with other addresses on the interface.
- b) Subnets accessed through local routers.
-
- Beginning with Shorewall 1.3.14, if you enter an interface name in the
- SUBNET column, shorewall will use the firewall's routing table to construct
- the masquerading/SNAT rules.
-
- Example 1 -- This is how it works in 1.3.14.
-
-
+
+ a) The subnets associated with other addresses on the interface.
+ b) Subnets accessed through local routers.
+
+ Beginning with Shorewall 1.3.14, if you enter an interface name in
+ the SUBNET column, shorewall will use the firewall's routing table to
+construct the masquerading/SNAT rules.
+
+ Example 1 -- This is how it works in 1.3.14.
+
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
-
+
[root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
-
- When upgrading to Shorewall 1.3.14, if you have multiple local subnets
- connected to an interface that is specified in the SUBNET column of an /etc/shorewall/masq
- entry, your /etc/shorewall/masq file will need changing. In most cases,
-you will simply be able to remove redundant entries. In some cases though,
-you might want to change from using the interface name to listing specific
-subnetworks if the change described above will cause masquerading to occur
-on subnetworks that you don't wish to masquerade.
-
- Example 2 -- Suppose that your current config is as follows:
-
-
+
+ When upgrading to Shorewall 1.3.14, if you have multiple local subnets
+ connected to an interface that is specified in the SUBNET column of an
+ /etc/shorewall/masq entry, your /etc/shorewall/masq file will need changing.
+ In most cases, you will simply be able to remove redundant entries. In
+some cases though, you might want to change from using the interface name
+to listing specific subnetworks if the change described above will cause
+masquerading to occur on subnetworks that you don't wish to masquerade.
+
+ Example 2 -- Suppose that your current config is as follows:
+
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, the second entry in /etc/shorewall/masq is no longer
- required.
-
- Example 3 -- What if your current configuration is like this?
-
-
+
+ In this case, the second entry in /etc/shorewall/masq is no longer
+ required.
+
+ Example 3 -- What if your current configuration is like this?
+
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, you would want to change the entry in /etc/shorewall/masq
- to:
-
+
+ In this case, you would want to change the entry in /etc/shorewall/masq
+ to:
+
#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
+
+
-
+
1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format
-
-Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation.
- the PDF may be downloaded from
- Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation.
+ the PDF may be downloaded from
+ ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
+ http://slovakia.shorewall.net/pub/shorewall/pdf/
+
1/17/2003 - shorewall.net has MOVED
-
+
Thanks to the generosity of Alex Martin and Rett Consulting, www.shorewall.net and
-ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A
-big thanks to Alex for making this happen.
-
-
+ href="http://www.rettc.com">Rett Consulting, www.shorewall.net and ftp.shorewall.net
+are now hosted on a system in Bellevue, Washington. A big thanks to Alex
+for making this happen.
+
+
1/13/2003 - Shorewall 1.3.13
-
-
+
+
Just includes a few things that I had on the burner:
-
-
+
+
- - A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules
- file. DNAT- is intended for advanced users who wish to minimize the number
- of rules that connection requests must traverse.
-
- A Shorewall DNAT rule actually generates two iptables rules: a header
- rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter'
-table. A DNAT- rule only generates the first of these rules. This is
-handy when you have several DNAT rules that would generate the same ACCEPT
-rule.
-
- Here are three rules from my previous rules file:
-
- DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
- DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
- ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
-
- These three rules ended up generating _three_ copies of
-
- ACCEPT net dmz:206.124.146.177 tcp smtp
-
- By writing the rules this way, I end up with only one copy of
-the ACCEPT rule.
-
- DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
- DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
- ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,....
-
-
- - The 'shorewall check' command now prints out the applicable
- policy between each pair of zones.
-
-
- - A new CLEAR_TC option has been added to shorewall.conf. If
-this option is set to 'No' then Shorewall won't clear the current traffic
-control rules during [re]start. This setting is intended for use by people
-that prefer to configure traffic shaping when the network interfaces come
-up rather than when the firewall is started. If that is what you want to
-do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart
- file. That way, your traffic shaping rules can still use the 'fwmark'
+
- A new 'DNAT-' action has been added for entries in the
+/etc/shorewall/rules file. DNAT- is intended for advanced users who
+wish to minimize the number of rules that connection requests must traverse.
+
+ A Shorewall DNAT rule actually generates two iptables rules:
+a header rewriting rule in the 'nat' table and an ACCEPT rule in the
+'filter' table. A DNAT- rule only generates the first of these rules.
+This is handy when you have several DNAT rules that would generate the
+same ACCEPT rule.
+
+ Here are three rules from my previous rules file:
+
+ DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
+ DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
+ ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
+
+ These three rules ended up generating _three_ copies of
+
+ ACCEPT net dmz:206.124.146.177 tcp smtp
+
+ By writing the rules this way, I end up with only one copy
+of the ACCEPT rule.
+
+ DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
+ DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
+ ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,....
+
+
+ - The 'shorewall check' command now prints out the applicable
+ policy between each pair of zones.
+
+
+ - A new CLEAR_TC option has been added to shorewall.conf.
+If this option is set to 'No' then Shorewall won't clear the current traffic
+ control rules during [re]start. This setting is intended for use by people
+ that prefer to configure traffic shaping when the network interfaces come
+ up rather than when the firewall is started. If that is what you want
+to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart
+ file. That way, your traffic shaping rules can still use the 'fwmark'
classifier based on packet marking defined in /etc/shorewall/tcrules.
-
-
- - A new SHARED_DIR variable has been added that allows distribution
- packagers to easily move the shared directory (default /usr/lib/shorewall).
- Users should never have a need to change the value of this shorewall.conf
- setting.
-
-
-
-
-1/6/2003 - BURNOUT
-
-
-Until further notice, I will not be involved in either Shorewall Development
- or Shorewall Support
-
--Tom Eastep
-
-
-12/30/2002 - Shorewall Documentation in PDF Format
-
-Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation.
- the PDF may be downloaded from
-
- ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
-
-12/27/2002 - Shorewall 1.3.12 Released
-
- Features include:
-
-
-
- - "shorewall refresh" now reloads the traffic shaping rules
- (tcrules and tcstart).
- - "shorewall debug [re]start" now turns off debugging after
- an error occurs. This places the point of the failure near the end of
- the trace rather than up in the middle of it.
- - "shorewall [re]start" has been speeded up by more than
-40% with my configuration. Your milage may vary.
- - A "shorewall show classifiers" command has been added which
- shows the current packet classification filters. The output from this
- command is also added as a separate page in "shorewall monitor"
- - ULOG (must be all caps) is now accepted as a valid syslog
- level and causes the subject packets to be logged using the ULOG target
- rather than the LOG target. This allows you to run ulogd (available
- from http://www.gnumonks.org/projects/ulogd)
- and log all Shorewall messages to
- a separate log file.
- - If you are running a kernel that has a FORWARD chain in
-the mangle table ("shorewall show mangle" will show you the chains
-in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows for marking
- input packets based on their destination even when you are using
-Masquerading or SNAT.
- - I have cluttered up the /etc/shorewall directory with empty
- 'init', 'start', 'stop' and 'stopped' files. If you already have a
- file with one of these names, don't worry -- the upgrade process won't
- overwrite your file.
- - I have added a new RFC1918_LOG_LEVEL variable to shorewall.conf. This variable specifies
- the syslog level at which packets are logged as a result of entries
-in the /etc/shorewall/rfc1918 file. Previously, these packets were always
- logged at the 'info' level.
+
+
+ - A new SHARED_DIR variable has been added that allows distribution
+ packagers to easily move the shared directory (default /usr/lib/shorewall).
+ Users should never have a need to change the value of this shorewall.conf
+ setting.
-12/20/2002 - Shorewall 1.3.12 Beta 3
-
- This version corrects a problem with Blacklist logging. In Beta
- 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall
-would fail to start and "shorewall refresh" would also fail.
-
-12/20/2002 - Shorewall 1.3.12 Beta 2
-
-The first public Beta version of Shorewall 1.3.12 is now available (Beta
- 1 was made available only to a limited audience).
-
- Features include:
-
+1/6/2003 - BURNOUT
+
+
+Until further notice, I will not be involved in either Shorewall Development
+ or Shorewall Support
+
+-Tom Eastep
+
+
+12/30/2002 - Shorewall Documentation in PDF Format
+
+Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation.
+ the PDF may be downloaded from
+
+ ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
+ http://slovakia.shorewall.net/pub/shorewall/pdf/
+
+
+12/27/2002 - Shorewall 1.3.12 Released
+
+ Features include:
+
+
- - "shorewall refresh" now reloads the traffic shaping
- rules (tcrules and tcstart).
- - "shorewall debug [re]start" now turns off debugging
- after an error occurs. This places the point of the failure near
-the end of the trace rather than up in the middle of it.
- - "shorewall [re]start" has been speeded up by more
-than 40% with my configuration. Your milage may vary.
- - A "shorewall show classifiers" command has been added
- which shows the current packet classification filters. The output
-from this command is also added as a separate page in "shorewall monitor"
- - ULOG (must be all caps) is now accepted as a valid
-syslog level and causes the subject packets to be logged using the
-ULOG target rather than the LOG target. This allows you to run ulogd
-(available from http://www.gnumonks.org/projects/ulogd)
- and log all Shorewall messages to
- a separate log file.
- - If you are running a kernel that has a FORWARD chain
- in the mangle table ("shorewall show mangle" will show you the chains
- in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
- This allows for marking input packets based on their destination even
- when you are using Masquerading or SNAT.
- - I have cluttered up the /etc/shorewall directory with
- empty 'init', 'start', 'stop' and 'stopped' files. If you already
-have a file with one of these names, don't worry -- the upgrade process
-won't overwrite your file.
-
+ - "shorewall refresh" now reloads the traffic shaping
+rules (tcrules and tcstart).
+ - "shorewall debug [re]start" now turns off debugging
+after an error occurs. This places the point of the failure near
+the end of the trace rather than up in the middle of it.
+ - "shorewall [re]start" has been speeded up by more than
+ 40% with my configuration. Your milage may vary.
+ - A "shorewall show classifiers" command has been added
+ which shows the current packet classification filters. The output
+ from this command is also added as a separate page in "shorewall
+monitor"
+ - ULOG (must be all caps) is now accepted as a valid syslog
+ level and causes the subject packets to be logged using the ULOG
+target rather than the LOG target. This allows you to run ulogd (available
+ from http://www.gnumonks.org/projects/ulogd)
+ and log all Shorewall messages to a separate log file.
+ - If you are running a kernel that has a FORWARD chain
+in the mangle table ("shorewall show mangle" will show you the chains
+ in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows for marking
+ input packets based on their destination even when you are using
+Masquerading or SNAT.
+ - I have cluttered up the /etc/shorewall directory with
+ empty 'init', 'start', 'stop' and 'stopped' files. If you already
+ have a file with one of these names, don't worry -- the upgrade process
+ won't overwrite your file.
+ - I have added a new RFC1918_LOG_LEVEL variable to shorewall.conf. This variable specifies
+ the syslog level at which packets are logged as a result of entries
+ in the /etc/shorewall/rfc1918 file. Previously, these packets were always
+ logged at the 'info' level.
+
+
- You may download the Beta from:
-
+
+12/20/2002 - Shorewall 1.3.12 Beta 3
+
+ This version corrects a problem with Blacklist logging. In
+ Beta 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall
+ would fail to start and "shorewall refresh" would also fail.
+
+12/20/2002 - Shorewall 1.3.12 Beta 2
+
+The first public Beta version of Shorewall 1.3.12 is now available (Beta
+ 1 was made available only to a limited audience).
+
+ Features include:
+
+
+ - "shorewall refresh" now reloads the traffic shaping
+ rules (tcrules and tcstart).
+ - "shorewall debug [re]start" now turns off debugging
+ after an error occurs. This places the point of the failure near
+the end of the trace rather than up in the middle of it.
+ - "shorewall [re]start" has been speeded up by more
+ than 40% with my configuration. Your milage may vary.
+ - A "shorewall show classifiers" command has been
+added which shows the current packet classification filters. The
+output from this command is also added as a separate page in "shorewall
+monitor"
+ - ULOG (must be all caps) is now accepted as a valid
+ syslog level and causes the subject packets to be logged using the
+ ULOG target rather than the LOG target. This allows you to run ulogd
+ (available from http://www.gnumonks.org/projects/ulogd)
+ and log all Shorewall messages to a separate log file.
+ - If you are running a kernel that has a FORWARD
+chain in the mangle table ("shorewall show mangle" will show you
+the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
+in shorewall.conf. This allows for marking input packets based on
+their destination even when you are using Masquerading or SNAT.
+ - I have cluttered up the /etc/shorewall directory
+ with empty 'init', 'start', 'stop' and 'stopped' files. If you already
+ have a file with one of these names, don't worry -- the upgrade process
+ won't overwrite your file.
+
+
+ You may download the Beta from:
+
http://www.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
-
+ ftp://ftp.shorewall.net/pub/shorewall/Beta
+
+
12/12/2002 - Mandrake Multi Network Firewall
-
- Shorewall is at the center of MandrakeSoft's recently-announced
- Multi
- Network Firewall (MNF) product. Here is the press
- release.
-
+
+ Shorewall is at the center of MandrakeSoft's recently-announced
+ Multi
+ Network Firewall (MNF) product. Here is the press
+ release.
+
12/7/2002 - Shorewall Support for Mandrake 9.0
-
-Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered.
- I have installed 9.0 on one of my systems and I am now in a position
- to support Shorewall users who run Mandrake 9.0.
-
+
+Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered.
+ I have installed 9.0 on one of my systems and I am now in a position
+ to support Shorewall users who run Mandrake 9.0.
+
12/6/2002 - Debian 1.3.11a Packages Available
-
-
-
-Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
-12/3/2002 - Shorewall 1.3.11a
-
-This is a bug-fix roll up which includes Roger Aich's fix for DNAT with
- excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
- who don't need rules of this type need not upgrade to 1.3.11.
-
-11/24/2002 - Shorewall 1.3.11
-
-In this version:
-
-
- - A 'tcpflags' option has been added to entries
- in /etc/shorewall/interfaces.
- This option causes Shorewall to make a set of sanity check on TCP packet
- header flags.
- - It is now allowed to use 'all' in the SOURCE
- or DEST column in a rule.
- When used, 'all' must appear by itself (in may not be qualified) and
- it does not enable intra-zone traffic. For example, the rule
-
- ACCEPT loc all tcp 80
-
- does not enable http traffic from 'loc' to 'loc'.
- - Shorewall's use of the 'echo' command is now
- compatible with bash clones such as ash and dash.
- - fw->fw policies now generate a startup error.
- fw->fw rules generate a warning and are ignored
-
-
-
-11/14/2002 - Shorewall Documentation in PDF Format
-
-Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation.
- the PDF may be downloaded from
-
- ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
-
-11/09/2002 - Shorewall is Back at SourceForge
-
-
-
-The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.
-
+
-11/09/2002 - Shorewall 1.3.10
+Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
+
+12/3/2002 - Shorewall 1.3.11a
+
+This is a bug-fix roll up which includes Roger Aich's fix for DNAT with
+ excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
+users who don't need rules of this type need not upgrade to 1.3.11.
+
+11/24/2002 - Shorewall 1.3.11
In this version:
- - You may now define
- the contents of a zone dynamically with the "shorewall add" and "shorewall
- delete" commands. These commands are expected to be used
- primarily within FreeS/Wan updown
-scripts.
- - Shorewall can now do MAC verification on ethernet segments.
-You can specify the set of allowed MAC addresses on the segment
-and you can optionally tie each MAC address to one or more IP addresses.
- - PPTP Servers and Clients running on the
-firewall system may now be defined in the
-/etc/shorewall/tunnels file.
- - A new 'ipsecnat' tunnel type is supported
- for use when the remote IPSEC endpoint
- is behind a NAT gateway.
- - The PATH used by Shorewall may now be specified
- in /etc/shorewall/shorewall.conf.
- - The main firewall script is now /usr/lib/shorewall/firewall.
- The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
- to do the real work. This change makes custom distributions such
- as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
- that tends to have distribution-dependent code
+ - A 'tcpflags' option has been added to entries
+ in /etc/shorewall/interfaces.
+ This option causes Shorewall to make a set of sanity check on TCP packet
+ header flags.
+ - It is now allowed to use 'all' in the SOURCE
+ or DEST column in a rule.
+ When used, 'all' must appear by itself (in may not be qualified)
+ and it does not enable intra-zone traffic. For example, the rule
+
+
+ ACCEPT loc all tcp 80
+
+ does not enable http traffic from 'loc' to 'loc'.
+ - Shorewall's use of the 'echo' command is
+now compatible with bash clones such as ash and dash.
+ - fw->fw policies now generate a startup
+ error. fw->fw rules generate a warning and are ignored
+11/14/2002 - Shorewall Documentation in PDF Format
+
+Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation.
+ the PDF may be downloaded from
+
+ ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
+ http://slovakia.shorewall.net/pub/shorewall/pdf/
+
+
+11/09/2002 - Shorewall is Back at SourceForge
+
+
+
+The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.
+
+
+
+11/09/2002 - Shorewall 1.3.10
+
+In this version:
+
+
+
10/24/2002 - Shorewall is now in Gentoo Linux
-
- Alexandru Hartmann reports that his Shorewall
- package is now a part of the
+
+ Alexandru Hartmann reports that his Shorewall
+ package is now a part of the
Gentoo Linux distribution. Thanks Alex!
-
+
10/23/2002 - Shorewall 1.3.10 Beta 1
- In this version:
+ In this version:
+
+
+
+ You may download the Beta from:
+
+
+
+
+10/10/2002 - Debian 1.3.9b Packages Available
+
+
+
+Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
+
+10/9/2002 - Shorewall 1.3.9b
+ This release rolls up fixes to the installer
+ and to the firewall script.
+
+10/6/2002 - Shorewall.net now running on RH8.0
+
+ The firewall and server here at shorewall.net
+ are now running RedHat release 8.0.
+
+ 9/30/2002 - Shorewall 1.3.9a
+ Roles up the fix for broken tunnels.
+
+9/30/2002 - TUNNELS Broken in 1.3.9!!!
+ There is an updated firewall script at
+ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall
+ -- copy that file to /usr/lib/shorewall/firewall.
+
+9/28/2002 - Shorewall 1.3.9
+
+
+In this version:
+
- You may download the Beta from:
-
-
-
-10/10/2002 - Debian 1.3.9b Packages Available
-
-
-
-Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
-10/9/2002 - Shorewall 1.3.9b
- This release rolls up fixes to the installer
- and to the firewall script.
-
-10/6/2002 - Shorewall.net now running on RH8.0
-
- The firewall and server here at shorewall.net
- are now running RedHat release 8.0.
-
- 9/30/2002 - Shorewall 1.3.9a
- Roles up the fix for broken tunnels.
-
-9/30/2002 - TUNNELS Broken in 1.3.9!!!
- There is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall
- -- copy that file to /usr/lib/shorewall/firewall.
-
-9/28/2002 - Shorewall 1.3.9
-
-In this version:
-
-
-
- - DNS Names are
- now allowed in Shorewall config files (although I recommend against
- using them).
- - The connection SOURCE may now
-be qualified by both interface and IP address in a DNS Names are
+now allowed in Shorewall config files (although I recommend against
+ using them).
+ - The connection SOURCE may now
+ be qualified by both interface and IP address in a Shorewall rule.
- - Shorewall startup is now disabled
- after initial installation until the file /etc/shorewall/startup_disabled
- is removed. This avoids nasty surprises during reboot for
+
- Shorewall startup is now disabled
+ after initial installation until the file /etc/shorewall/startup_disabled
+ is removed. This avoids nasty surprises during reboot for
users who install Shorewall but don't configure it.
- - The 'functions' and 'version' files
- and the 'firewall' symbolic link have been moved from /var/lib/shorewall
- to /usr/lib/shorewall to appease the LFS police at Debian.
-
-
+ - The 'functions' and 'version'
+files and the 'firewall' symbolic link have been moved
+from /var/lib/shorewall to /usr/lib/shorewall to appease
+ the LFS police at Debian.
+
+
+
-
-9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
- Restored
-
- 9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
+ Restored
+
+
- A couple of recent configuration
-changes at www.shorewall.net broke the Search facility:
+ A couple of recent configuration
+ changes at www.shorewall.net broke the Search facility:
-
-
-
+
+
+
- - Mailing List Archive Search
-was not available.
- - The Site Search index was incomplete
- - Only one page of matches was
-presented.
-
-
-
-
-
- Hopefully these problems are now
-corrected.
-9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
- Restored
-
- A couple of recent configuration changes
- at www.shorewall.net had the negative effect of breaking
- the Search facility:
-
-
-
- - Mailing List Archive Search was
- not available.
- - The Site Search index was incomplete
- - Only one page of matches was
-presented.
-
-
-
- Hopefully these problems are now corrected.
-
-
-9/18/2002 - Debian 1.3.8 Packages Available
-
-
-
-Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
-
-9/16/2002 - Shorewall 1.3.8
-
-
-In this version:
-
-
-
-
- - A NEWNOTSYN option has been
- added to shorewall.conf. This option determines whether Shorewall
- accepts TCP packets which are not part of an established
- connection and that are not 'SYN' packets (SYN flag on and ACK
-flag off).
- - The need for the 'multi' option
- to communicate between zones za and zb on the same interface
- is removed in the case where the chain 'za2zb' and/or 'zb2za'
- exists. 'za2zb' will exist if:
-
-
-
-
- - There is a policy
-for za to zb; or
- - There is at least one
-rule for za to zb.
+ - Mailing List Archive Search
+ was not available.
+ - The Site Search index was
+incomplete
+ - Only one page of matches
+was presented.
+
+
+ Hopefully these problems are
+now corrected.
+9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
+ Restored
+
+ A couple of recent configuration
+changes at www.shorewall.net had the negative effect of
+breaking the Search facility:
+
+
+
+ - Mailing List Archive Search
+ was not available.
+ - The Site Search index was
+incomplete
+ - Only one page of matches was
+ presented.
+
+
+
+ Hopefully these problems are now
+corrected.
+
+
+9/18/2002 - Debian 1.3.8 Packages Available
+
+
+
+Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
+
+
+9/16/2002 - Shorewall 1.3.8
+
+
+In this version:
+
+
+
+
+ - A NEWNOTSYN option has been
+ added to shorewall.conf. This option determines whether Shorewall
+ accepts TCP packets which are not part of an established
+ connection and that are not 'SYN' packets (SYN flag on and ACK
+ flag off).
+ - The need for the 'multi'
+ option to communicate between zones za and zb on the
+same interface is removed in the case where the chain 'za2zb'
+ and/or 'zb2za' exists. 'za2zb' will exist if:
+
+
+
+
+ - There is a policy
+ for za to zb; or
+ - There is at least
+one rule for za to zb.
+
+
+
-
+
-
+
- - The /etc/shorewall/blacklist
- file now contains three columns. In addition to the SUBNET/ADDRESS
- column, there are optional PROTOCOL and PORT columns to
+
- The /etc/shorewall/blacklist
+ file now contains three columns. In addition to the SUBNET/ADDRESS
+ column, there are optional PROTOCOL and PORT columns to
block only certain applications from the blacklisted addresses.
-
+
-
+
-
+
9/11/2002 - Debian 1.3.7c Packages Available
-
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
9/2/2002 - Shorewall 1.3.7c
-
-This is a role up of a fix for "DNAT" rules where the source zone is $FW
- (fw).
+
+This is a role up of a fix for "DNAT" rules where the source zone is $FW
+ (fw).
-
+
8/31/2002 - I'm not available
-
-I'm currently on vacation -- please respect my need for a couple of
- weeks free of Shorewall problem reports.
+
+I'm currently on vacation -- please respect my need for a couple of
+weeks free of Shorewall problem reports.
-
+
-Tom
-
+
8/26/2002 - Shorewall 1.3.7b
-
-This is a role up of the "shorewall refresh" bug fix and the change which
- reverses the order of "dhcp" and "norfc1918" checking.
+
+This is a role up of the "shorewall refresh" bug fix and the change which
+ reverses the order of "dhcp" and "norfc1918" checking.
-
+
8/26/2002 - French FTP Mirror is Operational
-
+
ftp://france.shorewall.net/pub/mirrors/shorewall
- is now available.
+ href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall
+ is now available.
-
+
8/25/2002 - Shorewall Mirror in France
-
-Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored
- at Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored
+ at http://france.shorewall.net.
-
+
8/25/2002 - Shorewall 1.3.7a Debian Packages Available
-
-Lorenzo Martignoni reports that the packages for version 1.3.7a are available
- at Lorenzo Martignoni reports that the packages for version 1.3.7a are available
+ at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
-8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author
- -- Shorewall 1.3.7a released8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author
+ -- Shorewall 1.3.7a released
-
+
-
-1.3.7a corrects problems occurring in rules file processing when starting
- Shorewall 1.3.7.
+
+1.3.7a corrects problems occurring in rules file processing when starting
+ Shorewall 1.3.7.
-
+
8/22/2002 - Shorewall 1.3.7 Released 8/13/2002
-
+
Features in this release include:
-
+
- - The 'icmp.def' file is now
- empty! The rules in that file were required in ipchains
- firewalls but are not required in Shorewall. Users who have
- ALLOWRELATED=No in shorewall.conf
- should see the Upgrade Issues.
- - A 'FORWARDPING' option has
- been added to shorewall.conf.
- The effect of setting this variable to Yes is the same
- as the effect of adding an ACCEPT rule for ICMP echo-request
- in /etc/shorewall/icmpdef.
- Users who have such a rule in icmpdef are encouraged
- to switch to FORWARDPING=Yes.
- - The loopback CLASS A Network
- (127.0.0.0/8) has been added to the rfc1918 file.
- - Shorewall now works with
-iptables 1.2.7
- - The documentation and web
- site no longer uses FrontPage themes.
+ - The 'icmp.def' file is
+ now empty! The rules in that file were required in
+ ipchains firewalls but are not required in Shorewall. Users
+ who have ALLOWRELATED=No in shorewall.conf should see
+the Upgrade Issues.
+ - A 'FORWARDPING' option
+ has been added to shorewall.conf.
+ The effect of setting this variable to Yes is the same
+ as the effect of adding an ACCEPT rule for ICMP echo-request
+ in /etc/shorewall/icmpdef.
+ Users who have such a rule in icmpdef are encouraged
+ to switch to FORWARDPING=Yes.
+ - The loopback CLASS A
+Network (127.0.0.0/8) has been added to the rfc1918
+ file.
+ - Shorewall now works with
+ iptables 1.2.7
+ - The documentation and
+web site no longer uses FrontPage themes.
-
+
-
-I would like to thank John Distler for his valuable input regarding TCP
- SYN and ICMP treatment in Shorewall. That input has
-led to marked improvement in Shorewall in the last two releases.
+
+I would like to thank John Distler for his valuable input regarding TCP
+ SYN and ICMP treatment in Shorewall. That input has
+ led to marked improvement in Shorewall in the last two
+ releases.
-
+
8/13/2002 - Documentation in the CVS Repository
-
-The Shorewall-docs project now contains just the HTML and image files -
-the Frontpage files have been removed.
+
+The Shorewall-docs project now contains just the HTML and image files
+- the Frontpage files have been removed.
-
+
8/7/2002 - STABLE branch added to CVS Repository
-
-This branch will only be updated after I release a new version of Shorewall
- so you can always update from this branch to get the
- latest stable tree.
+
+This branch will only be updated after I release a new version of Shorewall
+ so you can always update from this branch to get
+the latest stable tree.
-
-8/7/2002 - Upgrade Issues section added
- to the Errata Page
+
+8/7/2002 - Upgrade Issues section
+added to the Errata Page
-
-Now there is one place to go to look for issues involved with upgrading
- to recent versions of Shorewall.
+
+Now there is one place to go to look for issues involved with upgrading
+ to recent versions of Shorewall.
-
+
8/7/2002 - Shorewall 1.3.6
-
+
This is primarily a bug-fix rollup with a couple of new features:
-
+
-
+
7/30/2002 - Shorewall 1.3.5b Released
-
+
This interim release:
-
+
-
+
7/29/2002 - New Shorewall Setup Guide Available
-
+
The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm.
- The guide is intended for use by people who are setting
- up Shorewall to manage multiple public IP addresses and
- by people who want to learn more about Shorewall than is described
- in the single-address guides. Feedback on the new guide is
-welcome.
+ href="http://www.shorewall.net/shorewall_setup_guide.htm"> http://www.shorewall.net/shorewall_setup_guide.htm.
+ The guide is intended for use by people who are setting
+ up Shorewall to manage multiple public IP addresses
+and by people who want to learn more about Shorewall than
+is described in the single-address guides. Feedback on the
+new guide is welcome.
-
+
7/28/2002 - Shorewall 1.3.5 Debian Package Available
-
-Lorenzo Martignoni reports that the packages are version 1.3.5a and are
- available at Lorenzo Martignoni reports that the packages are version 1.3.5a and are
+ available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
7/27/2002 - Shorewall 1.3.5a Released
-
+
This interim release restores correct handling of REDIRECT rules.
-
+
7/26/2002 - Shorewall 1.3.5 Released
-
-This will be the last Shorewall release for a while. I'm going to be
- focusing on rewriting a lot of the documentation.
+
+This will be the last Shorewall release for a while. I'm going to be
+focusing on rewriting a lot of the documentation.
-
+
In this version:
-
+
- - Empty and invalid source
-and destination qualifiers are now detected in the
-rules file. It is a good idea to use the 'shorewall check' command
- before you issue a 'shorewall restart' command be be sure
- that you don't have any configuration problems that will prevent
- a successful restart.
- - Added MERGE_HOSTS
-variable in shorewall.conf
-to provide saner behavior of the /etc/shorewall/hosts
- file.
- - The time that the counters
- were last reset is now displayed in the heading of the
- 'status' and 'show' commands.
- - A proxyarp option
-has been added for entries in /etc/shorewall/interfaces.
- This option facilitates Proxy ARP sub-netting as described in
- the Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/).
- Specifying the proxyarp option for an interface causes
- Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
- - The Samples have been updated
- to reflect the new capabilities in this release.
+ - Empty and invalid source
+ and destination qualifiers are now detected in the
+ rules file. It is a good idea to use the 'shorewall check'
+ command before you issue a 'shorewall restart' command be
+ be sure that you don't have any configuration problems that
+will prevent a successful restart.
+ - Added MERGE_HOSTS
+ variable in shorewall.conf
+ to provide saner behavior of the /etc/shorewall/hosts
+ file.
+ - The time that the counters
+ were last reset is now displayed in the heading of
+ the 'status' and 'show' commands.
+ - A proxyarp option
+ has been added for entries in /etc/shorewall/interfaces.
+ This option facilitates Proxy ARP sub-netting as described in
+ the Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/).
+ Specifying the proxyarp option for an interface
+causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
+ - The Samples have been
+updated to reflect the new capabilities in this release.
+
-
+
-
+
7/16/2002 - New Mirror in Argentina
-
-Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in
- Argentina. Thanks Buanzo!!!
+
+Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in
+ Argentina. Thanks Buanzo!!!
-
+
7/16/2002 - Shorewall 1.3.4 Released
-
+
In this version:
-
+
- - A new /etc/shorewall/routestopped
- file has been added. This file is intended to eventually
- replace the routestopped option in the /etc/shorewall/interface
- and /etc/shorewall/hosts files. This new file makes
+
- A new /etc/shorewall/routestopped
+ file has been added. This file is intended to eventually
+ replace the routestopped option in the /etc/shorewall/interface
+ and /etc/shorewall/hosts files. This new file makes
remote firewall administration easier by allowing any IP or
subnet to be enabled while Shorewall is stopped.
- - An /etc/shorewall/stopped
- extension script has been
- added. This script is invoked after Shorewall has
- stopped.
- - A DETECT_DNAT_ADDRS option
- has been added to /etc/shoreall/shorewall.conf.
- When this option is selected, DNAT rules only apply
- when the destination address is the external interface's
+
- An /etc/shorewall/stopped
+ extension script has been
+ added. This script is invoked after Shorewall has
+ stopped.
+ - A DETECT_DNAT_ADDRS
+ option has been added to /etc/shoreall/shorewall.conf.
+ When this option is selected, DNAT rules only apply when
+ the destination address is the external interface's
primary IP address.
- - The QuickStart Guide has
- been broken into three guides and has been almost entirely
- rewritten.
- - The Samples have been updated
- to reflect the new capabilities in this release.
+ - The QuickStart Guide has
+ been broken into three guides and has been almost entirely
+ rewritten.
+ - The Samples have been
+updated to reflect the new capabilities in this release.
+
-
+
-
+
7/8/2002 - Shorewall 1.3.3 Debian Package Available
-
+
Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
7/6/2002 - Shorewall 1.3.3 Released
-
+
In this version:
-
+
- - Entries in /etc/shorewall/interface
- that use the wildcard character ("+") now have the
-"multi" option assumed.
- - The 'rfc1918' chain in the
- mangle table has been renamed 'man1918' to make log
- messages generated from that chain distinguishable from those
- generated by the 'rfc1918' chain in the filter table.
- - Interface names appearing
- in the hosts file are now validated against the interfaces
- file.
- - The TARGET column in the
-rfc1918 file is now checked for correctness.
- - The chain structure in the
- nat table has been changed to reduce the number of rules
- that a packet must traverse and to correct problems with
- NAT_BEFORE_RULES=No
- - The "hits" command has been
- enhanced.
+ - Entries in /etc/shorewall/interface
+ that use the wildcard character ("+") now have the
+ "multi" option assumed.
+ - The 'rfc1918' chain in
+ the mangle table has been renamed 'man1918' to make
+ log messages generated from that chain distinguishable from
+ those generated by the 'rfc1918' chain in the filter table.
+ - Interface names appearing
+ in the hosts file are now validated against the interfaces
+ file.
+ - The TARGET column in
+the rfc1918 file is now checked for correctness.
+ - The chain structure in
+ the nat table has been changed to reduce the number
+ of rules that a packet must traverse and to correct problems
+ with NAT_BEFORE_RULES=No
+ - The "hits" command has
+ been enhanced.
-
+
-
+
6/25/2002 - Samples Updated for 1.3.2
-
-The comments in the sample configuration files have been updated to reflect
- new features introduced in Shorewall 1.3.2.
+
+The comments in the sample configuration files have been updated to reflect
+ new features introduced in Shorewall 1.3.2.
-
+
6/25/2002 - Shorewall 1.3.1 Debian Package Available
-
+
Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
6/19/2002 - Documentation Available in PDF Format
-
-Thanks to Mike Martinez, the Shorewall Documentation is now available for
- download in Adobe
- PDF format.
+
+Thanks to Mike Martinez, the Shorewall Documentation is now available
+for download in Adobe PDF format.
-
+
6/16/2002 - Shorewall 1.3.2 Released
-
+
In this version:
-
+
-
+
6/6/2002 - Why CVS Web access is Password Protected
-
-Last weekend, I installed the CVS Web package to provide brower-based access
- to the Shorewall CVS repository. Since then, I have had several instances
-where my server was almost unusable due to the high load generated by website
-copying tools like HTTrack and WebStripper. These mindless tools:
+
+Last weekend, I installed the CVS Web package to provide brower-based
+access to the Shorewall CVS repository. Since then, I have had several
+instances where my server was almost unusable due to the high load generated
+by website copying tools like HTTrack and WebStripper. These mindless tools:
-
+
- - Ignore robot.txt files.
- - Recursively copy everything
- that they find.
- - Should be classified as
-weapons rather than tools.
+ - Ignore robot.txt files.
+ - Recursively copy everything
+ that they find.
+ - Should be classified
+as weapons rather than tools.
-
+
-
-These tools/weapons are particularly damaging when combined with CVS Web
- because they doggedly follow every link in the cgi-generated
- HTML resulting in 1000s of executions of the cvsweb.cgi
- script. Yesterday, I spend several hours implementing measures
- to block these tools but unfortunately, these measures resulted
- in my server OOM-ing under even moderate load.
+
+These tools/weapons are particularly damaging when combined with CVS Web
+ because they doggedly follow every link in the cgi-generated
+ HTML resulting in 1000s of executions of the cvsweb.cgi
+ script. Yesterday, I spend several hours implementing
+measures to block these tools but unfortunately, these measures
+ resulted in my server OOM-ing under even moderate load.
-
-Until I have the time to understand the cause of the OOM (or until I buy
- more RAM if that is what is required), CVS Web access
- will remain Password Protected.
+
+Until I have the time to understand the cause of the OOM (or until I buy
+ more RAM if that is what is required), CVS Web access
+ will remain Password Protected.
-
+
6/5/2002 - Shorewall 1.3.1 Debian Package Available
-
+
Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
6/2/2002 - Samples Corrected
-
-The 1.3.0 samples configurations had several serious problems that prevented
- DNS and SSH from working properly. These problems have
- been corrected in the The 1.3.0 samples configurations had several serious problems that prevented
+ DNS and SSH from working properly. These problems
+have been corrected in the 1.3.1 samples.
-
+
6/1/2002 - Shorewall 1.3.1 Released
-
+
Hot on the heels of 1.3.0, this release:
-
+
-
+
5/29/2002 - Shorewall 1.3.0 Released
-
-In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0
- includes:
+
+In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0
+ includes:
-
+
- - A 'filterping' interface
-option that allows ICMP echo-request (ping) requests
-addressed to the firewall to be handled by entries in /etc/shorewall/rules
- and /etc/shorewall/policy.
+ - A 'filterping' interface
+ option that allows ICMP echo-request (ping) requests
+ addressed to the firewall to be handled by entries in
+/etc/shorewall/rules and /etc/shorewall/policy.
-
+
-
+
5/23/2002 - Shorewall 1.3 RC1 Available
-
-In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92)
- incorporates the following:
+
+In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92)
+ incorporates the following:
-
+
- - Support for the /etc/shorewall/whitelist
- file has been withdrawn. If you need whitelisting,
-see these instructions.
+ - Support for the /etc/shorewall/whitelist
+ file has been withdrawn. If you need whitelisting,
+ see these instructions.
-
+
-
+
5/19/2002 - Shorewall 1.3 Beta 2 Available
-
-In addition to the changes in Beta 1, this release which carries the
- designation 1.2.91 adds:
+
+In addition to the changes in Beta 1, this release which carries the
+designation 1.2.91 adds:
-
+
- - The structure of the firewall
- is changed markedly. There is now an INPUT and a FORWARD
- chain for each interface; this reduces the number of rules
- that a packet must traverse, especially in complicated setups.
- - Sub-zones may now be excluded
- from DNAT and REDIRECT rules.
- - The names of the columns
-in a number of the configuration files have been changed
- to be more consistent and self-explanatory and the documentation
- has been updated accordingly.
- - The sample configurations
- have been updated for 1.3.
+ - The structure of the
+firewall is changed markedly. There is now an INPUT
+ and a FORWARD chain for each interface; this reduces the
+ number of rules that a packet must traverse, especially in
+complicated setups.
+ - Sub-zones may now be excluded
+ from DNAT and REDIRECT rules.
+ - The names of the columns
+ in a number of the configuration files have been
+changed to be more consistent and self-explanatory and the
+ documentation has been updated accordingly.
+ - The sample configurations
+ have been updated for 1.3.
-
+
-
+
5/17/2002 - Shorewall 1.3 Beta 1 Available
-
-Beta 1 carries the version designation 1.2.90 and implements the following
- features:
+
+Beta 1 carries the version designation 1.2.90 and implements the following
+ features:
-
+
- - Simplified rule syntax which
- makes the intent of each rule clearer and hopefully
-makes Shorewall easier to learn.
- - Upward compatibility with
- 1.2 configuration files has been maintained so that
- current users can migrate to the new syntax at their convenience.
- - WARNING: Compatibility with the old
- parameterized sample configurations has NOT been maintained.
- Users still running those configurations should migrate
- to the new sample configurations before upgrading to 1.3
-Beta 1.
+ - Simplified rule syntax
+ which makes the intent of each rule clearer and hopefully
+ makes Shorewall easier to learn.
+ - Upward compatibility
+with 1.2 configuration files has been maintained so
+ that current users can migrate to the new syntax at their
+convenience.
+ - WARNING: Compatibility with the old
+ parameterized sample configurations has NOT been maintained.
+ Users still running those configurations should migrate
+ to the new sample configurations before upgrading to 1.3
+ Beta 1.
-
+
-
+
5/4/2002 - Shorewall 1.2.13 is Available
-
+
In this version:
-
+
-
+
4/30/2002 - Shorewall Debian News
-
-Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the Debian
-Testing Branch and the Debian
-Unstable Branch.
+
+Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the
+Debian
+ Testing Branch and the Debian
+ Unstable Branch.
-
+
4/20/2002 - Shorewall 1.2.12 is Available
-
+
- - The 'try' command works
-again
- - There is now a single RPM
- that also works with SuSE.
+ - The 'try' command works
+ again
+ - There is now a single
+RPM that also works with SuSE.
-
+
-
+
4/17/2002 - Shorewall Debian News
-
+
Lorenzo Marignoni reports that:
-
+
-
-
-Thanks, Lorenzo!
-
-
-4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE
-
-
-Thanks to Stefan Mohr, there
- is now a Shorewall 1.2.11
- SuSE RPM available.
-
-
-4/13/2002 - Shorewall 1.2.11 Available
-
-
-In this version:
-
-
-
- - The 'try' command now accepts
- an optional timeout. If the timeout is given in the
-command, the standard configuration will automatically be
- restarted after the new configuration has been running for
-that length of time. This prevents a remote admin from being
-locked out of the firewall in the case where the new configuration
- starts but prevents access.
- - Kernel route filtering may
- now be enabled globally using the new ROUTE_FILTER
-parameter in /etc/shorewall/shorewall.conf.
- - Individual IP source addresses
- and/or subnets may now be excluded from masquerading/SNAT.
- - Simple "Yes/No" and "On/Off"
- values are now case-insensitive in /etc/shorewall/shorewall.conf.
-
-
-
-
-
-4/13/2002 - Hamburg Mirror now has FTP
-
-
-Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall.
- Thanks Stefan!
-
-
-4/12/2002 - New Mirror in Hamburg
-
-
-Thanks to Stefan Mohr, there
- is now a mirror of the Shorewall website at http://germany.shorewall.net.
-
-
-
-4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available
-
-
-Version 1.1 of the QuickStart
- Guide is now available. Thanks to those who have
- read version 1.0 and offered their suggestions. Corrections
- have also been made to the sample scripts.
-
-
-4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available
-
-
-Version 1.0 of the QuickStart
- Guide is now available. This Guide and its accompanying
- sample configurations are expected to provide a replacement
- for the recently withdrawn parameterized samples.
-
-
-4/8/2002 - Parameterized Samples Withdrawn
-
-
-Although the parameterized
- samples have allowed people to get a firewall up
- and running quickly, they have unfortunately set the wrong
- level of expectation among those who have used them. I am
- therefore withdrawing support for the samples and I am recommending
- that they not be used in new Shorewall installations.
-
-
-4/2/2002 - Updated Log Parser
-
-
-John Lodge has provided an updated
- version of his CGI-based
- log parser with corrected date handling.
-
-
-3/30/2002 - Shorewall Website Search Improvements
-
-
-The quick search on the home page now excludes the mailing list archives.
- The Extended Search
-allows excluding the archives or restricting the search
-to just the archives. An archive search form is also available
-on the mailing
- list information page.
-
-
-3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)
-
-
-
-
+
+Thanks, Lorenzo!
+
+
+4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE
+
+
+Thanks to Stefan Mohr, there
+ is now a Shorewall 1.2.11
+ SuSE RPM available.
+
+
+4/13/2002 - Shorewall 1.2.11 Available
+
+
+In this version:
+
+
+
+ - The 'try' command now
+accepts an optional timeout. If the timeout is given
+in the command, the standard configuration will automatically
+ be restarted after the new configuration has been running
+for that length of time. This prevents a remote admin from
+being locked out of the firewall in the case where the new configuration
+ starts but prevents access.
+ - Kernel route filtering
+ may now be enabled globally using the new ROUTE_FILTER
+ parameter in /etc/shorewall/shorewall.conf.
+ - Individual IP source
+addresses and/or subnets may now be excluded from
+ masquerading/SNAT.
+ - Simple "Yes/No" and "On/Off"
+ values are now case-insensitive in /etc/shorewall/shorewall.conf.
+
+
+
+
+
+4/13/2002 - Hamburg Mirror now has FTP
+
+
+Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall.
+ Thanks Stefan!
+
+
+4/12/2002 - New Mirror in Hamburg
+
+
+Thanks to Stefan Mohr, there
+ is now a mirror of the Shorewall website at http://germany.shorewall.net.
+
+
+
+4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available
+
+
+Version 1.1 of the QuickStart
+ Guide is now available. Thanks to those who have
+ read version 1.0 and offered their suggestions. Corrections
+ have also been made to the sample scripts.
+
+
+4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available
+
+
+Version 1.0 of the QuickStart
+ Guide is now available. This Guide and its accompanying
+ sample configurations are expected to provide a replacement
+ for the recently withdrawn parameterized samples.
+
+
+4/8/2002 - Parameterized Samples Withdrawn
+
+
+Although the parameterized
+ samples have allowed people to get a firewall
+up and running quickly, they have unfortunately set the
+wrong level of expectation among those who have used them.
+I am therefore withdrawing support for the samples and I am
+recommending that they not be used in new Shorewall installations.
+
+
+4/2/2002 - Updated Log Parser
+
+
+John Lodge has provided an updated
+ version of his CGI-based
+ log parser with corrected date handling.
+
+
+3/30/2002 - Shorewall Website Search Improvements
+
+
+The quick search on the home page now excludes the mailing list archives.
+ The Extended Search
+ allows excluding the archives or restricting the search
+ to just the archives. An archive search form is also available
+ on the mailing
+ list information page.
+
+
+3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)
+
+
+
+
+
3/25/2002 - Log Parser Available
-
+
John Lodge has provided a CGI-based log parser for Shorewall. Thanks
- John.
+ href="pub/shorewall/parsefw/">CGI-based log parser for Shorewall. Thanks
+ John.
-
+
3/20/2002 - Shorewall 1.2.10 Released
-
+
In this version:
-
+
- - A "shorewall try" command
- has been added (syntax: shorewall try <configuration
- directory>). This command attempts "shorewall -c
- <configuration directory> start" and if that results
- in the firewall being stopped due to an error, a "shorewall
-start" command is executed. The 'try' command allows you to
-create a new configuration
- and attempt to start it; if there is an error that leaves your
- firewall in the stopped state, it will automatically be restarted
- using the default configuration (in /etc/shorewall).
- - A new variable ADD_SNAT_ALIASES
- has been added to /etc/shorewall/shorewall.conf.
- If this variable is set to "Yes", Shorewall will
-automatically add IP addresses listed in the third
-column of the /etc/shorewall/masq
+
- A "shorewall try" command
+ has been added (syntax: shorewall try <configuration
+ directory>). This command attempts "shorewall -c
+ <configuration directory> start" and if
+that results in the firewall being stopped due to an error,
+a "shorewall start" command is executed. The 'try' command
+ allows you to create a new configuration
+ and attempt to start it; if there is an error that leaves
+your firewall in the stopped state, it will automatically be restarted
+ using the default configuration (in /etc/shorewall).
+ - A new variable ADD_SNAT_ALIASES
+ has been added to /etc/shorewall/shorewall.conf.
+ If this variable is set to "Yes", Shorewall will
+automatically add IP addresses listed in the third
+column of the /etc/shorewall/masq
file.
- - Copyright notices have been
- added to the documenation.
+ - Copyright notices have
+ been added to the documenation.
-
+
-
+
3/11/2002 - Shorewall 1.2.9 Released
-
+
In this version:
-
+
-
+
3/1/2002 - 1.2.8 Debian Package is Available
-
+
See http://security.dsi.unimi.it/~lorenzo/debian.html
-
+
2/25/2002 - New Two-interface Sample
-
-I've enhanced the two interface sample to allow access from the firewall
- to servers in the local zone -
- http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz
+
+I've enhanced the two interface sample to allow access from the firewall
+ to servers in the local zone -
+ http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz
-
+
2/23/2002 - Shorewall 1.2.8 Released
-
-Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
- problems associated with the lock file used to prevent multiple state-changing
- operations from occuring simultaneously. My apologies
- for any inconvenience my carelessness may have caused.
+
+Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
+ problems associated with the lock file used to prevent multiple state-changing
+ operations from occuring simultaneously. My apologies
+ for any inconvenience my carelessness may have caused.
-
+
2/22/2002 - Shorewall 1.2.7 Released
-
+
In this version:
-
+
- - UPnP probes (UDP destination
- port 1900) are now silently dropped in the common
- chain
- - RFC 1918 checking in the
-mangle table has been streamlined to no longer require
-packet marking. RFC 1918 checking in the filter table has
-been changed to require half as many rules as previously.
- - A 'shorewall check' command
- has been added that does a cursory validation of the
- zones, interfaces, hosts, rules and policy files.
+ - UPnP probes (UDP destination
+ port 1900) are now silently dropped in the common
+ chain
+ - RFC 1918 checking in
+the mangle table has been streamlined to no longer
+ require packet marking. RFC 1918 checking in the filter
+ table has been changed to require half as many rules as previously.
+ - A 'shorewall check' command
+ has been added that does a cursory validation of the
+ zones, interfaces, hosts, rules and policy files.
-
+
-
+
2/18/2002 - 1.2.6 Debian Package is Available
-
+
See http://security.dsi.unimi.it/~lorenzo/debian.html
-
+
2/8/2002 - Shorewall 1.2.6 Released
-
+
In this version:
-
+
- - $-variables may now be used
- anywhere in the configuration files except /etc/shorewall/zones.
- - The interfaces and hosts
-files now have their contents validated before any
-changes are made to the existing Netfilter configuration. The
-appearance of a zone name that isn't defined in /etc/shorewall/zones
- causes "shorewall start" and "shorewall restart" to abort without
- changing the Shorewall state. Unknown options in either file
-cause a warning to be issued.
- - A problem occurring when
-BLACKLIST_LOGLEVEL was not set has been corrected.
+ - $-variables may now be
+ used anywhere in the configuration files except /etc/shorewall/zones.
+ - The interfaces and hosts
+ files now have their contents validated before any
+ changes are made to the existing Netfilter configuration.
+ The appearance of a zone name that isn't defined in /etc/shorewall/zones
+ causes "shorewall start" and "shorewall restart" to abort
+ without changing the Shorewall state. Unknown options in either
+ file cause a warning to be issued.
+ - A problem occurring when
+ BLACKLIST_LOGLEVEL was not set has been corrected.
-
+
-
+
2/4/2002 - Shorewall 1.2.5 Debian Package Available
-
+
see http://security.dsi.unimi.it/~lorenzo/debian.html
-
+
2/1/2002 - Shorewall 1.2.5 Released
-
-Due to installation problems with Shorewall 1.2.4, I have released Shorewall
- 1.2.5. Sorry for the rapid-fire development.
+
+Due to installation problems with Shorewall 1.2.4, I have released Shorewall
+ 1.2.5. Sorry for the rapid-fire development.
-
+
In version 1.2.5:
-
+
- - The installation problems
-have been corrected.
- - The installation problems
+ have been corrected.
+ - SNAT is now supported.
- - A "shorewall version" command
- has been added
- - The default value of the
-STATEDIR variable in /etc/shorewall/shorewall.conf has
-been changed to /var/lib/shorewall in order to conform to
-the GNU/Linux File Hierarchy Standard, Version 2.2.
+ - A "shorewall version"
+command has been added
+ - The default value of the
+ STATEDIR variable in /etc/shorewall/shorewall.conf has
+ been changed to /var/lib/shorewall in order to conform to
+ the GNU/Linux File Hierarchy Standard, Version 2.2.
-
+
-
+
1/28/2002 - Shorewall 1.2.4 Released
-
+
- - The "fw" zone The "fw" zone may now be given a different name.
- - You may now place end-of-line
- comments (preceded by '#') in any of the configuration
- files
- - There is now protection against
- against two state changing operations occuring concurrently.
- This is implemented using the 'lockfile' utility if it
- is available (lockfile is part of procmail); otherwise, a less
- robust technique is used. The lockfile is created in the STATEDIR
- defined in /etc/shorewall/shorewall.conf and has the name
-"lock".
- - "shorewall start" no longer
- fails if "detect" is specified in /etc/shorewall/interfaces
- for an interface with subnet mask 255.255.255.255.
+ - You may now place end-of-line
+ comments (preceded by '#') in any of the configuration
+ files
+ - There is now protection
+ against against two state changing operations occuring
+ concurrently. This is implemented using the 'lockfile' utility
+ if it is available (lockfile is part of procmail); otherwise,
+ a less robust technique is used. The lockfile is created
+ in the STATEDIR defined in /etc/shorewall/shorewall.conf
+ and has the name "lock".
+ - "shorewall start" no longer
+ fails if "detect" is specified in /etc/shorewall/interfaces
+ for an interface with subnet mask 255.255.255.255.
-
+
-
+
1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html
-
+
1/20/2002 - Corrected firewall script available
-
-Corrects a problem with BLACKLIST_LOGLEVEL. See the
- errata for details.
+
+Corrects a problem with BLACKLIST_LOGLEVEL. See the
+ errata for details.
-
+
1/19/2002 - Shorewall 1.2.3 Released
-
+
This is a minor feature and bugfix release. The single new feature is:
-
+
- - Support for TCP MSS Clamp
-to PMTU -- This support is usually required when the
-internet connection is via PPPoE or PPTP and may be enabled
-using the CLAMPMSS option
-in /etc/shorewall/shorewall.conf.
+ - Support for TCP MSS Clamp
+ to PMTU -- This support is usually required when the
+ internet connection is via PPPoE or PPTP and may be enabled
+ using the CLAMPMSS
+option in /etc/shorewall/shorewall.conf.
-
+
-
+
The following problems were corrected:
-
+
- - The "shorewall status" command
- no longer hangs.
- - The "shorewall monitor" command
- now displays the icmpdef chain
- - The CLIENT PORT(S) column
-in tcrules is no longer ignored
+ - The "shorewall status"
+command no longer hangs.
+ - The "shorewall monitor"
+ command now displays the icmpdef chain
+ - The CLIENT PORT(S) column
+ in tcrules is no longer ignored
-
+
-
+
1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release
-
-Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution
- that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo
- for details.
+
+Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution
+ that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo
+ for details.
-
+
1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2
- Shorewall Debian package is now available. There is a
-link to Lorenzo's site from the Shorewall
- download page.
+ href="mailto:lorenzo.martignoni@milug.org">Lorenzo Martignoni, a 1.2.2
+ Shorewall Debian package is now available. There is
+a link to Lorenzo's site from the Shorewall download page.
-
+
1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores
- the "shorewall status" command to health.
+ href="/pub/shorewall/errata/1.2.2/shorewall">This corrected version restores
+ the "shorewall status" command to health.
-
+
1/8/2002 - Shorewall 1.2.2 Released
-
+
In version 1.2.2
-
+
- - Support for IP blacklisting
- has been added
+
- Support for IP blacklisting
+ has been added
-
+
- - You specify whether you
-want packets from blacklisted hosts dropped or
-rejected using the BLACKLIST_DISPOSITION
- setting in /etc/shorewall/shorewall.conf
- - You specify whether you
-want packets from blacklisted hosts logged and
-at what syslog level using the BLACKLIST_LOGLEVEL
-setting in /etc/shorewall/shorewall.conf
- - You list the IP addresses/subnets
- that you wish to blacklist in You specify whether
+you want packets from blacklisted hosts dropped or
+ rejected using the BLACKLIST_DISPOSITION
+ setting in /etc/shorewall/shorewall.conf
+ - You specify whether
+you want packets from blacklisted hosts logged and
+ at what syslog level using the BLACKLIST_LOGLEVEL
+ setting in /etc/shorewall/shorewall.conf
+ - You list the IP addresses/subnets
+ that you wish to blacklist in /etc/shorewall/blacklist
- - You specify the interfaces
- you want checked against the blacklist using
-the new "blacklist"
- option in /etc/shorewall/interfaces.
- - The black list is refreshed
- from /etc/shorewall/blacklist by the "shorewall
- refresh" command.
+ - You specify the interfaces
+ you want checked against the blacklist using
+the new "blacklist"
+ option in /etc/shorewall/interfaces.
+ - The black list is refreshed
+ from /etc/shorewall/blacklist by the "shorewall
+ refresh" command.
+
+
+
+ - Use of TCP RST replies
+has been expanded
+
+
-
-
- Use of TCP RST replies has
- been expanded
-
-
-
- - TCP connection requests
-rejected because of a REJECT policy are now replied
-with a TCP RST packet.
- - TCP connection requests
-rejected because of a protocol=all rule in /etc/shorewall/rules
- are now replied with a TCP RST packet.
+ - TCP connection requests
+ rejected because of a REJECT policy are now replied
+ with a TCP RST packet.
+ - TCP connection requests
+ rejected because of a protocol=all rule in /etc/shorewall/rules
+ are now replied with a TCP RST packet.
-
+
-
- A LOGFILE specification
-has been added to /etc/shorewall/shorewall.conf. LOGFILE is used
- to tell the /sbin/shorewall program where to look for Shorewall
- messages.
+
+ A LOGFILE specification has
+ been added to /etc/shorewall/shorewall.conf. LOGFILE is used
+ to tell the /sbin/shorewall program where to look for Shorewall
+ messages.
-
+
-
+
1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates
- to the previously-released samples. There are two new
-rules added:
+ target="_blank">version 1.2.0) released. These are minor updates
+ to the previously-released samples. There are two new
+ rules added:
-
+
- - Unless you have explicitly
- enabled Auth connections (tcp port 113) to your firewall,
- these connections will be REJECTED rather than DROPPED.
+
- Unless you have explicitly
+ enabled Auth connections (tcp port 113) to your firewall,
+ these connections will be REJECTED rather than DROPPED.
This speeds up connection establishment to some servers.
- - Orphan DNS replies are now
- silently dropped.
+ - Orphan DNS replies are
+now silently dropped.
-
+
-
+
See the README file for upgrade instructions.
-
+
1/1/2002 - Shorewall Mailing List Moving
-
-The Shorewall mailing list hosted at
- Sourceforge is moving to Shorewall.net. If you are
- a current subscriber to the list at Sourceforge, please see these instructions.
- If you would like to subscribe to the new list, visit
-http://www.shorewall.net/mailman/listinfo/shorewall-users.
+
+The Shorewall mailing list hosted at
+ Sourceforge is moving to Shorewall.net. If you
+are a current subscriber to the list at Sourceforge, please
+ see these instructions.
+ If you would like to subscribe to the new list, visit
+ http://www.shorewall.net/mailman/listinfo/shorewall-users.
-
+
12/31/2001 - Shorewall 1.2.1 Released
-
+
In version 1.2.1:
-
+
-
-12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist releasing
-1.2 on 12/21/2001
+
+12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist
+releasing 1.2 on 12/21/2001
-
+
Version 1.2 contains the following new features:
-
+
-
-For the next month or so, I will continue to provide corrections to version
- 1.1.18 as necessary so that current version 1.1.x users
- will not be forced into a quick upgrade to 1.2.0 just to
-have access to bug fixes.
+
+For the next month or so, I will continue to provide corrections to version
+ 1.1.18 as necessary so that current version 1.1.x users
+ will not be forced into a quick upgrade to 1.2.0 just to
+ have access to bug fixes.
-
-For those of you who have installed one of the Beta RPMS, you will need
- to use the "--oldpackage" option when upgrading to 1.2.0:
+
+For those of you who have installed one of the Beta RPMS, you will need
+ to use the "--oldpackage" option when upgrading to
+1.2.0:
+
+
+
-
-
-
rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm
-
+
-
-12/19/2001 - Thanks to Steve
- Cowles, there is now a Shorewall mirror in Texas.
- This web site is mirrored at http://www.infohiiway.com/shorewall
- and the ftp site is at 12/19/2001 - Thanks to Steve
+ Cowles, there is now a Shorewall mirror in Texas.
+ This web site is mirrored at http://www.infohiiway.com/shorewall
+ and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall.
-
+
11/30/2001 - A new set of the parameterized Sample
-Configurations has been released. In this version:
+ href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.18">Sample
+ Configurations has been released. In this version:
-
+
- - Ping is now allowed between
- the zones.
- - In the three-interface configuration,
- it is now possible to configure the internet services
- that are to be available to servers in the DMZ.
+ - Ping is now allowed between
+ the zones.
+ - In the three-interface
+configuration, it is now possible to configure the
+internet services that are to be available to servers in the
+DMZ.
-
+
-
+
11/20/2001 - The current version of Shorewall is 1.1.18.
-
+
In this version:
-
+
- - The spelling of ADD_IP_ALIASES
- has been corrected in the shorewall.conf file
- - The logic for deleting user-defined
- chains has been simplified so that it avoids a bug in
- the LRP version of the 'cut' utility.
- - The /var/lib/lrpkg/shorwall.conf
- file has been corrected to properly display the NAT
- entry in that file.
+ - The spelling of ADD_IP_ALIASES
+ has been corrected in the shorewall.conf file
+ - The logic for deleting
+user-defined chains has been simplified so that it
+avoids a bug in the LRP version of the 'cut' utility.
+ - The /var/lib/lrpkg/shorwall.conf
+ file has been corrected to properly display the NAT
+ entry in that file.
-
+
-
-11/19/2001 - Thanks to Juraj
- Ontkanin, there is now a Shorewall mirror
-in the Slovak Republic. The website is now mirrored
-at http://www.nrg.sk/mirror/shorewall
- and the FTP site is mirrored at 11/19/2001 - Thanks to Juraj
+ Ontkanin, there is now a Shorewall mirror
+in the Slovak Republic. The website is now mirrored at
+http://www.nrg.sk/mirror/shorewall
+ and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.
+
+11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations.
+ There are three sample configurations:
+
-11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations.
- There are three sample configurations:
-
-
- - One Interface -- for a standalone
- system.
- - Two Interfaces -- A masquerading
- firewall.
- - Three Interfaces -- A masquerading
- firewall with DMZ.
+ - One Interface -- for a
+standalone system.
+ - Two Interfaces -- A masquerading
+ firewall.
+ - Three Interfaces -- A
+masquerading firewall with DMZ.
-
+
-
+
Samples may be downloaded from ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17
- . See the README file for instructions.
+ href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17"> ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17
+ . See the README file for instructions.
-
-11/1/2001 - The current version of Shorewall is 1.1.17. I intend
- this to be the last of the 1.1 Shorewall releases.
+
+11/1/2001 - The current version of Shorewall is 1.1.17. I intend
+ this to be the last of the 1.1 Shorewall releases.
-
+
In this version:
-
+
-
-10/22/2001 - The current version of Shorewall is 1.1.16. In this
- version:
+
+10/22/2001 - The current version of Shorewall is 1.1.16. In this
+ version:
-
+
- - A new "shorewall show connections"
- command has been added.
- - In the "shorewall monitor"
- output, the currently tracked connections are now
+
- A new "shorewall show
+connections" command has been added.
+ - In the "shorewall monitor"
+ output, the currently tracked connections are now
shown on a separate page.
- - Prior to this release, Shorewall
- unconditionally added the external IP adddress(es)
- specified in /etc/shorewall/nat. Beginning with version
- 1.1.16, a new parameter (ADD_IP_ALIASES)
- may be set to "no" (or "No") to inhibit this behavior.
- This allows IP aliases created using your distribution's
- network configuration tools to be used in static
+
- Prior to this release,
+Shorewall unconditionally added the external IP adddress(es)
+ specified in /etc/shorewall/nat. Beginning with version
+ 1.1.16, a new parameter (ADD_IP_ALIASES)
+ may be set to "no" (or "No") to inhibit this behavior.
+ This allows IP aliases created using your distribution's
+ network configuration tools to be used in static
NAT.
-
+
+
+
+
+10/15/2001 - The current version of Shorewall is 1.1.15. In this
+ version:
+
+
+
+ - Support for nested zones
+ has been improved. See the documentation for details
+ - Shorewall now correctly
+ checks the alternate configuration directory for
+ the 'zones' file.
+
+
-10/15/2001 - The current version of Shorewall is 1.1.15. In this
- version:
+10/4/2001 - The current version of Shorewall is 1.1.14. In this
+ version
-
+
- - Support for nested zones
-has been improved. See
- the documentation for details
- - Shorewall now correctly checks
- the alternate configuration directory for the 'zones'
- file.
-
-
-
-
-
-10/4/2001 - The current version of Shorewall is 1.1.14. In this
- version
-
-
-
- - Shorewall now supports alternate
- configuration directories. When an alternate directory
- is specified when starting or restarting Shorewall
-(e.g., "shorewall -c /etc/testconf restart"), Shorewall will
-first look for configuration files in the alternate directory then
- in /etc/shorewall. To create an alternate configuration simply:
- 1. Create a New Directory
- 2. Copy to that directory any
- of your configuration files that you want to change.
- 3. Modify the copied files
-as needed.
- 4. Restart Shorewall specifying
- the new directory.
- - The rules for allowing/disallowing
- icmp echo-requests (pings) are now moved after rules
- created when processing the rules file. This allows you to
- add rules that selectively allow/deny ping based on source
+
- Shorewall now supports
+alternate configuration directories. When an alternate
+directory is specified when starting or restarting Shorewall
+ (e.g., "shorewall -c /etc/testconf restart"), Shorewall
+ will first look for configuration files in the alternate directory
+ then in /etc/shorewall. To create an alternate configuration
+ simply:
+ 1. Create a New Directory
+ 2. Copy to that directory
+ any of your configuration files that you want to
+change.
+ 3. Modify the copied files
+ as needed.
+ 4. Restart Shorewall specifying
+ the new directory.
+ - The rules for allowing/disallowing
+ icmp echo-requests (pings) are now moved after rules
+ created when processing the rules file. This allows you to
+ add rules that selectively allow/deny ping based on source
or destination address.
- - Rules that specify multiple
- client ip addresses or subnets no longer cause startup
- failures.
- - Zone names in the policy
-file are now validated against the zones file.
- - If you have packet mangling support
- enabled, the "norfc1918"
- interface option now logs and drops any incoming packets
- on the interface that have an RFC 1918 destination address.
+ - Rules that specify multiple
+ client ip addresses or subnets no longer cause startup
+ failures.
+ - Zone names in the policy
+ file are now validated against the zones file.
+ - If you have packet mangling support
+ enabled, the "norfc1918"
+ interface option now logs and drops any incoming packets
+ on the interface that have an RFC 1918 destination address.
-
+
-
-9/12/2001 - The current version of Shorewall is 1.1.13. In this
- version
+
+9/12/2001 - The current version of Shorewall is 1.1.13. In this
+ version
-
+
- - Shell variables can now be
- used to parameterize Shorewall rules.
- - The second column in the
-hosts file may now contain a comma-separated list.
-
- Example:
- sea eth0:130.252.100.0/24,206.191.149.0/24
- - Handling of multi-zone interfaces
- has been improved. See the documentation for the /etc/shorewall/interfaces
- file.
+ - Shell variables can now
+ be used to parameterize Shorewall rules.
+ - The second column in the
+ hosts file may now contain a comma-separated list.
+
+ Example:
+ sea eth0:130.252.100.0/24,206.191.149.0/24
+ - Handling of multi-zone
+interfaces has been improved. See the documentation for the /etc/shorewall/interfaces
+ file.
-
+
-
-8/28/2001 - The current version of Shorewall is 1.1.12. In this
- version
+
+8/28/2001 - The current version of Shorewall is 1.1.12. In this
+ version
-
+
- - Several columns in the rules
- file may now contain comma-separated lists.
- - Shorewall is now more rigorous
- in parsing the options in /etc/shorewall/interfaces.
- - Complementation using "!"
-is now supported in rules.
+ - Several columns in the
+rules file may now contain comma-separated lists.
+ - Shorewall is now more
+rigorous in parsing the options in /etc/shorewall/interfaces.
+ - Complementation using
+"!" is now supported in rules.
-
+
-
-7/28/2001 - The current version of Shorewall is 1.1.11. In this
- version
+
+7/28/2001 - The current version of Shorewall is 1.1.11. In this
+ version
-
+
- - A "shorewall refresh" command
- has been added to allow for refreshing the rules associated
- with the broadcast address on a dynamic interface. This
- command should be used in place of "shorewall restart" when
-the internet interface's IP address changes.
- - The /etc/shorewall/start
-file (if any) is now processed after all temporary
-rules have been deleted. This change prevents the accidental
+
- A "shorewall refresh"
+command has been added to allow for refreshing the
+rules associated with the broadcast address on a dynamic
+ interface. This command should be used in place of "shorewall
+ restart" when the internet interface's IP address changes.
+ - The /etc/shorewall/start
+ file (if any) is now processed after all temporary
+rules have been deleted. This change prevents the accidental
removal of rules added during the processing of that file.
- - The "dhcp" interface option
- is now applicable to firewall interfaces used by a DHCP
- server running on the firewall.
- - The RPM can now be built
-from the .tgz file using "rpm -tb"
+ - The "dhcp" interface option
+ is now applicable to firewall interfaces used by a
+DHCP server running on the firewall.
+ - The RPM can now be built
+ from the .tgz file using "rpm -tb"
-
+
-
-7/6/2001 - The current version of Shorewall is 1.1.10. In this version
+
+7/6/2001 - The current version of Shorewall is 1.1.10. In this
+version
-
+
- - Shorewall now enables Ipv4
- Packet Forwarding by default. Packet forwarding may
-be disabled by specifying IP_FORWARD=Off in /etc/shorewall/shorewall.conf.
- If you don't want Shorewall to enable or disable packet
- forwarding, add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf
- file.
- - The "shorewall hits" command
- no longer lists extraneous service names in its last
- report.
- - Erroneous instructions in
-the comments at the head of the firewall script have
-been corrected.
+ - Shorewall now enables
+Ipv4 Packet Forwarding by default. Packet forwarding
+ may be disabled by specifying IP_FORWARD=Off in /etc/shorewall/shorewall.conf.
+ If you don't want Shorewall to enable or disable packet
+ forwarding, add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf
+ file.
+ - The "shorewall hits" command
+ no longer lists extraneous service names in its last
+ report.
+ - Erroneous instructions
+in the comments at the head of the firewall script
+have been corrected.
-
+
-
-6/23/2001 - The current version of Shorewall is 1.1.9. In this version
+
+6/23/2001 - The current version of Shorewall is 1.1.9. In this
+version
-
+
- - The "tunnels" file really
- is in the RPM now.
- - SNAT can now be applied to
- port-forwarded connections.
- - A bug which would cause firewall
- start failures in some dhcp configurations has been
- fixed.
- - The firewall script now issues
- a message if you have the name of an interface in
-the second column in an entry in /etc/shorewall/masq and
-that interface is not up.
- - You can now configure Shorewall
- so that it doesn't require the
- NAT and/or mangle netfilter modules.
- - Thanks to Alex Polishchuk,
- the "hits" command from seawall is now in shorewall.
- - Support for The "tunnels" file really
+ is in the RPM now.
+ - SNAT can now be applied
+ to port-forwarded connections.
+ - A bug which would cause
+ firewall start failures in some dhcp configurations
+ has been fixed.
+ - The firewall script now
+ issues a message if you have the name of an interface
+ in the second column in an entry in /etc/shorewall/masq
+ and that interface is not up.
+ - You can now configure
+Shorewall so that it doesn't
+require the NAT and/or mangle netfilter modules.
+ - Thanks to Alex Polishchuk,
+ the "hits" command from seawall is now in shorewall.
+ - Support for IPIP tunnels has been added.
-
+
-
-6/18/2001 - The current version of Shorewall is 1.1.8. In this version
+
+6/18/2001 - The current version of Shorewall is 1.1.8. In this
+version
-
+
-
+
6/2/2001 - The current version of Shorewall is 1.1.7. In this version
-
+
- - The TOS rules are now deleted
- when the firewall is stopped.
- - The .rpm will now install
-regardless of which version of iptables is installed.
- - The .rpm will now install
-without iproute2 being installed.
- - The documentation has been
- cleaned up.
- - The sample configuration
-files included in Shorewall have been formatted
+
- The TOS rules are now
+deleted when the firewall is stopped.
+ - The .rpm will now install
+ regardless of which version of iptables is installed.
+ - The .rpm will now install
+ without iproute2 being installed.
+ - The documentation has
+been cleaned up.
+ - The sample configuration
+ files included in Shorewall have been formatted
to 80 columns for ease of editing on a VGA console.
-
+
-
-5/25/2001 - The current version of Shorewall is 1.1.6. In this version
+
+5/25/2001 - The current version of Shorewall is 1.1.6. In this
+version
-
+
- - You may now rate-limit the
- packet log.
- - Previous versions
- of Shorewall have an implementation of Static NAT which violates
- the principle of least surprise. NAT only occurs for packets
- arriving at (DNAT) or send from (SNAT) the interface named
- in the INTERFACE column of /etc/shorewall/nat. Beginning with
- version 1.1.6, NAT effective regardless of which interface
- packets come from or are destined to. To get compatibility with
- prior versions, I have added a new "ALL "ALL INTERFACES" column to /etc/shorewall/nat.
- By placing "no" or "No" in the new column, the NAT behavior
- of prior versions may be retained.
- - The treatment of IPSEC Tunnels where the remote gateway
-is a standalone system has been improved. Previously, it was
- necessary to include an additional rule allowing UDP port 500 traffic
-to pass through the tunnel. Shorewall will now create this rule
-automatically when you place the name of the remote peer's zone in
-a new GATEWAY ZONE column in /etc/shorewall/tunnels.
+ - You may now rate-limit the
+packet log.
+ - Previous versions
+ of Shorewall have an implementation of Static NAT which violates
+ the principle of least surprise. NAT only occurs for
+ packets arriving at (DNAT) or send from (SNAT) the interface
+ named in the INTERFACE column of /etc/shorewall/nat. Beginning
+ with version 1.1.6, NAT effective regardless of which interface
+ packets come from or are destined to. To get compatibility with
+ prior versions, I have added a new "ALL "ALL INTERFACES" column to /etc/shorewall/nat.
+ By placing "no" or "No" in the new column, the NAT behavior
+ of prior versions may be retained.
+ - The treatment of IPSEC Tunnels where the remote
+gateway is a standalone system has been improved. Previously,
+ it was necessary to include an additional rule allowing UDP port
+500 traffic to pass through the tunnel. Shorewall will now create
+ this rule automatically when you place the name of the remote peer's
+ zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels.
-
+
-
-5/20/2001 - The current version of Shorewall is 1.1.5. In this version
+
+5/20/2001 - The current version of Shorewall is 1.1.5. In this
+version
-
+
-
-5/10/2001 - The current version of Shorewall is 1.1.4. In this version
+
+5/10/2001 - The current version of Shorewall is 1.1.4. In this
+version
-
+
- - Accepting RELATED connections
- is now optional.
- - Corrected problem where if
- "shorewall start" aborted early (due to kernel configuration
- errors for example), superfluous 'sed' error messages
- were reported.
- - Corrected rules generated
-for port redirection.
- - The order in which iptables
- kernel modules are loaded has been corrected (Thanks
- to Mark Pavlidis).
+ - Accepting RELATED connections
+ is now optional.
+ - Corrected problem where
+ if "shorewall start" aborted early (due to kernel
+configuration errors for example), superfluous 'sed' error
+ messages were reported.
+ - Corrected rules generated
+ for port redirection.
+ - The order in which iptables
+ kernel modules are loaded has been corrected (Thanks
+ to Mark Pavlidis).
-
+
-
-4/28/2001 - The current version of Shorewall is 1.1.3. In this version
+
+4/28/2001 - The current version of Shorewall is 1.1.3. In this
+version
-
+
- - Correct message issued when
- Proxy ARP address added (Thanks to Jason Kirtland).
- - /tmp/shorewallpolicy-$$ is
- now removed if there is an error while starting the
-firewall.
- - /etc/shorewall/icmp.def and
- /etc/shorewall/common.def are now used to define the
- icmpdef and common chains unless overridden by the presence
- of /etc/shorewall/icmpdef or /etc/shorewall/common.
- - In the .lrp, the file /var/lib/lrpkg/shorwall.conf
- has been corrected. An extra space after "/etc/shorwall/policy"
- has been removed and "/etc/shorwall/rules" has been
-added.
- - When a sub-shell encounters
- a fatal error and has stopped the firewall, it now kills
- the main shell so that the main shell will not continue.
- - A problem has been corrected
- where a sub-shell stopped the firewall and main shell
- continued resulting in a perplexing error message referring
- to "common.so" resulted.
- - Previously, placing "-" in
- the PORT(S) column in /etc/shorewall/rules resulted in
- an error message during start. This has been corrected.
- - The first line of "install.sh"
- has been corrected -- I had inadvertently deleted the
-initial "#".
+ - Correct message issued
+when Proxy ARP address added (Thanks to Jason Kirtland).
+ - /tmp/shorewallpolicy-$$
+ is now removed if there is an error while starting
+the firewall.
+ - /etc/shorewall/icmp.def
+ and /etc/shorewall/common.def are now used to define
+ the icmpdef and common chains unless overridden by the
+ presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
+ - In the .lrp, the file
+/var/lib/lrpkg/shorwall.conf has been corrected. An
+extra space after "/etc/shorwall/policy" has been removed
+ and "/etc/shorwall/rules" has been added.
+ - When a sub-shell encounters
+ a fatal error and has stopped the firewall, it now
+kills the main shell so that the main shell will not continue.
+ - A problem has been corrected
+ where a sub-shell stopped the firewall and main shell
+ continued resulting in a perplexing error message referring
+ to "common.so" resulted.
+ - Previously, placing "-"
+ in the PORT(S) column in /etc/shorewall/rules resulted
+ in an error message during start. This has been corrected.
+ - The first line of "install.sh"
+ has been corrected -- I had inadvertently deleted the
+ initial "#".
-
+
-
-4/12/2001 - The current version of Shorewall is 1.1.2. In this version
+
+4/12/2001 - The current version of Shorewall is 1.1.2. In this
+version
-
+
- - Port redirection now works
- again.
- - The icmpdef and common chains
- may now be user-defined.
- - The firewall no longer fails
- to start if "routefilter" is specified for an interface
- that isn't started. A warning message is now issued
- in this case.
- - The LRP Version is renamed
- "shorwall" for 8,3 MSDOS file system compatibility.
- - A couple of LRP-specific
-problems were corrected.
+ - Port redirection now works
+ again.
+ - The icmpdef and common
+chains may now be user-defined.
+ - The firewall no longer
+fails to start if "routefilter" is specified for an
+interface that isn't started. A warning message is now
+ issued in this case.
+ - The LRP Version is renamed
+ "shorwall" for 8,3 MSDOS file system compatibility.
+ - A couple of LRP-specific
+ problems were corrected.
-
+
-
+
4/8/2001 - Shorewall is now affiliated with the Leaf Project
-
+
-
+
4/5/2001 - The current version of Shorewall is 1.1.1. In this version:
-
+
- - The common chain is traversed
- from INPUT, OUTPUT and FORWARD before logging occurs
- - The source has been cleaned
- up dramatically
- - DHCP DISCOVER packets with
- RFC1918 source addresses no longer generate log messages.
- Linux DHCP clients generate such packets and it's
- annoying to see them logged.
+ - The common chain is traversed
+ from INPUT, OUTPUT and FORWARD before logging
+occurs
+ - The source has been cleaned
+ up dramatically
+ - DHCP DISCOVER packets
+with RFC1918 source addresses no longer generate
+log messages. Linux DHCP clients generate such packets and
+ it's annoying to see them logged.
-
+
-
+
3/25/2001 - The current version of Shorewall is 1.1.0. In this version:
-
+
- - Log messages now indicate
-the packet disposition.
- - Error messages have been
-improved.
- - The ability to define zones
- consisting of an enumerated set of hosts and/or subnetworks
- has been added.
- - The zone-to-zone chain matrix
- is now sparse so that only those chains that contain
- meaningful rules are defined.
- - 240.0.0.0/4 and 169.254.0.0/16
- have been added to the source subnetworks whose packets
- are dropped under the norfc1918 interface
+
- Log messages now indicate
+ the packet disposition.
+ - Error messages have been
+ improved.
+ - The ability to define
+zones consisting of an enumerated set of hosts
+and/or subnetworks has been added.
+ - The zone-to-zone chain
+matrix is now sparse so that only those chains that
+contain meaningful rules are defined.
+ - 240.0.0.0/4 and 169.254.0.0/16
+ have been added to the source subnetworks whose packets
+ are dropped under the norfc1918 interface
option.
- - Exits are now provided for
- executing an user-defined script when a chain is
-defined, when the firewall is initialized, when the firewall
- is started, when the firewall is stopped and when the
+
- Exits are now provided
+for executing an user-defined script when a chain
+is defined, when the firewall is initialized, when the firewall
+ is started, when the firewall is stopped and when the
firewall is cleared.
- - The Linux kernel's route
-filtering facility can now be specified selectively
-on network interfaces.
+ - The Linux kernel's route
+ filtering facility can now be specified selectively
+ on network interfaces.
-
+
-
+
3/19/2001 - The current version of Shorewall is 1.0.4. This version:
-
+
- - Allows user-defined zones.
- Shorewall now has only one pre-defined zone (fw)
-with the remaining zones being defined in the new configuration
- file /etc/shorewall/zones. The /etc/shorewall/zones
- file released in this version provides behavior that
-is compatible with Shorewall 1.0.3.
- - Adds the ability to specify
- logging in entries in the /etc/shorewall/rules file.
- - Correct handling of the icmp-def
- chain so that only ICMP packets are sent through
-the chain.
- - Compresses the output of
-"shorewall monitor" if awk is installed. Allows the
-command to work if awk isn't installed (although it's
+
- Allows user-defined zones.
+ Shorewall now has only one pre-defined zone (fw)
+ with the remaining zones being defined in the new configuration
+ file /etc/shorewall/zones. The /etc/shorewall/zones
+ file released in this version provides behavior that is
+compatible with Shorewall 1.0.3.
+ - Adds the ability to specify
+ logging in entries in the /etc/shorewall/rules file.
+ - Correct handling of the
+ icmp-def chain so that only ICMP packets are sent
+ through the chain.
+ - Compresses the output
+of "shorewall monitor" if awk is installed. Allows
+the command to work if awk isn't installed (although it's
not pretty).
-
+
-
-3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix
- release with no new features.
+
+3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix
+ release with no new features.
-
+
- - The PATH variable in the
-firewall script now includes /usr/local/bin and
+
- The PATH variable in the
+ firewall script now includes /usr/local/bin and
/usr/local/sbin.
- - DMZ-related chains are now
- correctly deleted if the DMZ is deleted.
- - The interface OPTIONS for
-"gw" interfaces are no longer ignored.
+ - DMZ-related chains are
+now correctly deleted if the DMZ is deleted.
+ - The interface OPTIONS
+for "gw" interfaces are no longer ignored.
-
+
-
-3/8/2001 - The current version of Shorewall is 1.0.2. It supports an
- additional "gw" (gateway) zone for tunnels and it
-supports IPSEC tunnels with end-points on the firewall.
+
+
3/8/2001 - The current version of Shorewall is 1.0.2. It supports an
+ additional "gw" (gateway) zone for tunnels and it
+supports IPSEC tunnels with end-points on the firewall.
There is also a .lrp available now.
-
-Updated 2/7/2003 - Tom Eastep
-
+
+Updated 2/13/2003 - Tom Eastep
+
-
+
Copyright © 2001, 2002 Thomas M. Eastep.
-
-
-
-
-
-
-
-
+
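Review bot: the footer's "Updated" date moves to 2/13/2003 but the copyright line two lines below it is left at "Copyright © 2001, 2002 Thomas M. Eastep." and should be extended to include 2003 in the same hunk, since this change is the 2003 edit of the page. While the surrounding lines are being reflowed anyway, a few pre-existing text defects carried over into the `+` lines could be fixed at the same time: "8,3 MSDOS file system compatibility" should read "8.3"; "executing an user-defined script" should read "a user-defined script"; and the 1.1.3 item "continued resulting in a perplexing error message referring to "common.so" resulted." has a duplicated verb and would read cleanly as "continued, resulting in a perplexing error message referring to "common.so"." Otherwise the hunk is whitespace and line-wrap only (e.g. "In this version" split across "In this" / "version" in the 1.1.5, 1.1.4, 1.1.3 and 1.1.2 headings), which renders identically in HTML and changes no content.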