diff --git a/Shorewall-docs/FAQ.htm b/Shorewall-docs/FAQ.htm index 26a4781bd..5da5adc16 100644 --- a/Shorewall-docs/FAQ.htm +++ b/Shorewall-docs/FAQ.htm @@ -1,1267 +1,1285 @@
- + - + - + - ++ |
-
+
Shorewall FAQs- |
-
1a. Ok -- I followed those instructions
- but it doesn't work.
-
1b. I'm still having problems with - port forwarding
- + port forwarding + - + +3. I want to use Netmeeting - or MSN Instant Messenger with Shorewall. - What do I do?
- + or MSN Instant Messenger with Shorewall. + What do I do? +4a. I just ran an nmap UDP scan
- of my firewall and it showed 100s of ports as
- open!!!!
-
5. I've installed Shorewall and now
- I can't ping through the firewall
-
- 15. My local systems can't see
- out to the net
6. Where are the log messages - written and how do I change the destination?
- + written and how do I change the destination? +6a. Are there any log parsers - that work with Shorewall?
- + that work with Shorewall? +6b. DROP messages on port 10619 are flooding the logs with their connect
- requests. Can i exclude these error messages for this port temporarily
- from logging in Shorewall?
-
16. Shorewall is writing log messages
- all over my console making it unusable!
-
8. When I try to start Shorewall
- on RedHat I get messages about insmod failing
- -- what's wrong?
-
8a. When I try to start Shorewall
- on RedHat I get a message referring me to FAQ #8
-
9. Why can't Shorewall detect - my interfaces properly at startup?
- 22. I - have some iptables commands that I want to run -when Shorewall starts. Which file do I put them in?10. What distributions does - it work with?
- + it work with? +11. What features does it support?
- +12. Is there a GUI?
- +13. Why do you call it "Shorewall"?
- 23. Why do you - use such ugly fonts on your web site?Answer: The first example in the rules file documentation shows how to - do port forwarding under Shorewall. The format - of a port-forwarding rule to a local system is as follows:
- -+ do port forwarding under Shorewall. The format + of a port-forwarding rule to a local system is as follows: + ++- +- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE - PORT -ORIG. - DEST. -- - - + +DNAT -net -loc:<local - IP address>[:<local port>] -<protocol> -<port - #> --
--
-+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE + PORT +ORIG. + DEST. ++ + +DNAT +net +loc:<local + IP address>[:<local port>] +<protocol> +<port + #> ++ +
++ +
+
So to forward UDP port 7777 to internal system 192.168.1.5, - the rule is:
- -+ the rule is: + ++- +- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE - PORT -ORIG. - DEST. -- - - + +DNAT -net -loc:192.168.1.5 -udp -7777 --
--
-+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE + PORT +ORIG. + DEST. ++ + +DNAT +net +loc:192.168.1.5 +udp +7777 ++ +
++ +
+
+ you want to forward requests directed to a particular +address ( <external IP> ) on your firewall to +an internal system: + ++ Finally, if you need to forward a range of ports, + in the PORT column specify the range as low-port:high-port.- Finally, if you need to forward a range of ports, - in the PORT column specify the range as low-port:high-port.- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE - PORT -ORIG. - DEST. -- - - + +DNAT -net -loc:<local - IP address>[:<local port>] -<protocol> -<port - #> -- -<external - IP> -+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE + PORT +ORIG. + DEST. ++ + +DNAT +net +loc:<local + IP address>[:<local port>] +<protocol> +<port + #> +- +<external + IP> +
- +
Answer: That is usually the result of one of three - things:
- + things: ++ to connect to port 1022 on my firewall and have the firewall forward + the connection to port 22 on local system 192.168.1.3. How do I do that? + +++- +-- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE - PORT -ORIG. - DEST. -- - - + +DNAT -net -
-loc:192.168.1.3:22 -tcp -1022 -
--
--
-+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE + PORT +ORIG. + DEST. ++ + +DNAT +net +
+loc:192.168.1.3:22 +tcp +1022 +
++
++
+
Answer: I have two objections to this setup.
- +If you insist on an IP solution to the accessibility problem
- rather than a DNS solution, then assuming that
+ rather than a DNS solution, then assuming that
your external interface is eth0 and your internal
interface is eth1 and that eth1 has IP address 192.168.1.254
with subnet 192.168.1.0/24.
-
If you are running Shorewall 1.4.0 or earlier see the 1.3 FAQ for instructions suitable for those
releases.
-
If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
- upgrade to Shorewall 1.4.2 or later.
-
Otherwise:
-
-- -- -
-- -ZONE -
-INTERFACE -
-BROADCAST -
-OPTIONS -
-- - - -loc -
-eth1 -
-detect -
-routeback -
-
-- -- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- - - -DNAT -
-loc -web:192.168.1.5 -
-tcp -www -- -
-130.151.100.69:192.168.1.254 -
-
That rule only works of course if you have a static external - IP address. If you have a dynamic IP address - and are running Shorewall 1.3.4 or later then include - this in /etc/shorewall/init:
-ETH0_IP=`find_interface_address eth0`-
and make your DNAT rule:
---- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE - PORT -ORIG. - DEST. -- - - -DNAT -loc -web:192.168.1.5 -tcp -www -- -$ETH0_IP:192.168.1.254 -
Using this technique, you will want to configure your DHCP/PPPoE - client to automatically restart Shorewall each - time that you get a new IP address.
-Answer: This is another problem that is best solved - using Bind Version 9 "views". It allows both -external and internal clients to access a NATed host -using the host's DNS name.
- -Another good way to approach this problem is to switch from - static NAT to Proxy ARP. That way, the hosts - in Z have non-RFC1918 addresses and can be accessed - externally and internally using the same address.
- -If you don't like those solutions and prefer routing all -Z->Z traffic through your firewall then:
- -a) Set the Z->Z policy to ACCEPT.
- b) Masquerade
- Z to itself.
-
- Example:
Zone: dmz
- Interface: eth2
- Subnet: 192.168.2.0/24
In /etc/shorewall/interfaces:
- --- -- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- - - -dmz -eth2 -192.168.2.255 --
-
In /etc/shorewall/policy:
- --- -- -
-- -SOURCE - -DESTINATION -POLICY -LIMIT:BURST -- - - -dmz -dmz -ACCEPT --
-
In /etc/shorewall/masq:
- --- -- -
-- -INTERFACE -SUBNET -ADDRESS -- - - -eth2 -192.168.2.0/24 --
-
Answer: There is an H.323 connection
- tracking/NAT module that may help with Netmeeting.
- Look here for
-a solution for MSN IM but be aware that there are significant security
- risks involved with this solution. Also check the Netfilter
-mailing list archives at http://www.netfilter.org.
+ upgrade to Shorewall 1.4.2 or later.
Otherwise:
+
++ ++ +
++ +ZONE +
+INTERFACE +
+BROADCAST +
+OPTIONS +
++ + + +loc +
+eth1 +
+detect +
+routeback +
+
++ ++ +
++ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ + + +DNAT +
+loc +web:192.168.1.5 +
+tcp +www +- +
+130.151.100.69:192.168.1.254 +
+
That rule only works of course if you have a static external + IP address. If you have a dynamic IP address + and are running Shorewall 1.3.4 or later then include + this in /etc/shorewall/init:
+ETH0_IP=`find_interface_address eth0`+
and make your DNAT rule:
++++ +
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE + PORT +ORIG. + DEST. ++ + + +DNAT +loc +web:192.168.1.5 +tcp +www +- +$ETH0_IP:192.168.1.254 +
Using this technique, you will want to configure your DHCP/PPPoE + client to automatically restart Shorewall each + time that you get a new IP address.
+Answer: This is another problem that is best solved + using Bind Version 9 "views". It allows both + external and internal clients to access a NATed +host using the host's DNS name.
+ +Another good way to approach this problem is to switch from + static NAT to Proxy ARP. That way, the hosts + in Z have non-RFC1918 addresses and can be accessed + externally and internally using the same address.
+ +If you don't like those solutions and prefer routing all +Z->Z traffic through your firewall then:
+ +a) Set the Z->Z policy to ACCEPT.
+ b) Masquerade
+ Z to itself.
+
+ Example:
Zone: dmz
+ Interface:
+eth2
+ Subnet: 192.168.2.0/24
In /etc/shorewall/interfaces:
+ +++ ++ +
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ + + +dmz +eth2 +192.168.2.255 ++
+
In /etc/shorewall/policy:
+ +++ ++ +
++ +SOURCE + +DESTINATION +POLICY +LIMIT:BURST ++ + + +dmz +dmz +ACCEPT ++ +
+
In /etc/shorewall/masq:
+ +++ ++ +
++ +INTERFACE +SUBNET +ADDRESS ++ + + +eth2 +192.168.2.0/24 ++
+
Answer: There is an H.323 connection + tracking/NAT module that may help with Netmeeting. + Look here for + a solution for MSN IM but be aware that there are significant +security risks involved with this solution. Also check the Netfilter + mailing list archives at http://www.netfilter.org. +
+ +Answer: The common.def included with version 1.3.x - always rejects connection requests on TCP -port 113 rather than dropping them. This is necessary - to prevent outgoing connection problems to services - that use the 'Auth' mechanism for identifying requesting - users. Shorewall also rejects TCP ports 135, 137 and -139 as well as UDP ports 137-139. These are ports that are + always rejects connection requests on TCP + port 113 rather than dropping them. This is necessary + to prevent outgoing connection problems to services + that use the 'Auth' mechanism for identifying requesting + users. Shorewall also rejects TCP ports 135, 137 and + 139 as well as UDP ports 137-139. These are ports that are used by Windows (Windows can be configured to use the DCE cell locator on port 135). Rejecting these connection requests rather than dropping them cuts down slightly on the amount of Windows chatter on LAN segments connected to the Firewall.
- +If you are seeing port 80 being 'closed', that's probably - your ISP preventing you from running a web - server in violation of your Service Agreement.
- + your ISP preventing you from running a web + server in violation of your Service Agreement. +Answer: Take a deep breath and read the nmap man page
- section about UDP scans. If nmap gets nothing
- back from your firewall then it reports the port
+ section about UDP scans. If nmap gets nothing
+ back from your firewall then it reports the port
as open. If you want to see which UDP ports are really
open, temporarily change your net->all policy to
REJECT, restart Shorewall and do the nmap UDP scan again.
-
Answer: If you want your firewall to be totally open - for "ping",
- + for "ping", +a) Create /etc/shorewall/common if it doesn't already exist.
-
- b) Be sure that
- the first command in the file is ". /etc/shorewall/common.def"
- c) Add the following
- to /etc/shorewall/common
++ For a complete description of Shorewall + 'ping' management, see this page. +
+ b) Be sure +that the first command in the file is ". /etc/shorewall/common.def"
+ c) Add the +following to /etc/shorewall/common + +- For a complete description of Shorewall - 'ping' management, see this page. - + -j ACCEPTrun_iptables -A icmpdef -p ICMP --icmp-type echo-request - -j ACCEPT
-
-
+ +
Answer: NetFilter uses the kernel's equivalent of syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility (see "man openlog") and you get to choose the log level (again, see "man syslog") in your policies and rules. The destination for messaged logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). - When you have changed /etc/syslog.conf, be sure - to restart syslogd (on a RedHat system, "service syslog - restart").
- + When you have changed /etc/syslog.conf, be sure + to restart syslogd (on a RedHat system, "service syslog + restart"). +By default, older versions of Shorewall ratelimited log messages - through settings - in /etc/shorewall/shorewall.conf -- If you want - to log all messages, set:
- -LOGLIMIT=""- Beginning with Shorewall version 1.3.12, you can set up Shorewall to log all of its messages - to a separate file.
LOGBURST=""
Answer: Here are several links that may be helpful: -
- -+ + ++ I personnaly use Logwatch. It +emails me a report each day from my various systems with +each report summarizing the logged activity on the corresponding + system.- I personnaly use Logwatch. It emails - me a report each day from my various systems with each -report summarizing the logged activity on the corresponding - system. + http://www.logwatch.orghttp://www.shorewall.net/pub/shorewall/parsefw/
-
- http://www.fireparse.com
- http://cert.uni-stuttgart.de/projects/fwlogwatch
- http://www.logwatch.org
- http://gege.org/iptables
-
+ http://gege.org/iptables
+ +
DROP net fw udp 10619- +
Jan 8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00- Answer: There are two possibilities:
SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00
TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33
+ logged twice, they are corrupted. I solve this problem by using + an /etc/shorewall/common file like this:+ New Features:
+ +- The above file is also include in all of my -sample configurations available in the + The above file is also include in all of my + sample configurations available in the Quick Start Guides and in - the common.def file in Shorewall 1.4.0 and later.#-
# Include the standard common.def file
#
. /etc/shorewall/common.def
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
- + the common.def file in Shorewall 1.4.0 and later.
+6d. Why is the MAC address in - Shorewall log messages so long? I thought MAC addresses were only - 6 bytes in length.
- What is labeled as the MAC address in a Shorewall log message - is actually the Ethernet frame header. IT contains:
- + Shorewall log messages so long? I thought MAC addresses were only + 6 bytes in length. + What is labeled as the MAC address in a Shorewall log message + is actually the Ethernet frame header. IT contains:
+-
- Example:- the destination MAC address (6 bytes)
-- the source MAC address (6 bytes)
-- the ethernet frame type (2 bytes)
- +- the destination MAC address (6 bytes)
+- the source MAC address (6 bytes)
+- the ethernet frame type (2 bytes)
+
-
- MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00
- + Example:
+
+ MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00
+-
- +- Destination MAC address = 00:04:4c:dc:e2:28
-- Source MAC address = 00:b0:8e:cf:3c:4c
-- Ethernet Frame Type = 08:00 (IP Version 4)
- +- Destination MAC address = 00:04:4c:dc:e2:28
+- Source MAC address = 00:b0:8e:cf:3c:4c
+- Ethernet Frame Type = 08:00 (IP Version 4)
+7. When I stop Shorewall using 'shorewall - stop', I can't connect to anything. Why doesn't - that command work?
- + stop', I can't connect to anything. Why doesn't + that command work? +The 'stop' command is intended to place your firewall into - a safe state whereby only those hosts listed -in /etc/shorewall/routestopped' are activated. If -you want to totally open up your firewall, you must use the -'shorewall clear' command.
- + a safe state whereby only those hosts listed + in /etc/shorewall/routestopped' are activated. +If you want to totally open up your firewall, you must use +the 'shorewall clear' command. +8. When I try to start Shorewall on RedHat, - I get messages about insmod failing -- what's wrong?
- + I get messages about insmod failing -- what's wrong? +Answer: The output you will see looks something like - this:
- + this: +/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy- +
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.This is usually cured by the following sequence of commands: -
- -+ + ++- -service ipchains stop-
chkconfig --delete ipchains
rmmod ipchains++ +- + I get a message referring me to FAQ #8 + Answer: This is usually cured by the sequence of commands + shown above in FAQ #8 +Also, be sure to check the errata - for problems concerning the version of iptables - (v1.2.3) shipped with RH7.2.
- + for problems concerning the version of iptables + (v1.2.3) shipped with RH7.2.
-
+ +8a. When I try to start Shorewall on RedHat - I get a message referring me to FAQ #8
- Answer: This is usually cured by the sequence of commands - shown above in FAQ #8 -9. Why can't Shorewall detect my interfaces - properly at startup?
- + properly at startup? +I just installed Shorewall and when I issue the start command, - I see the following:
- -+ I see the following: + ++- -Processing /etc/shorewall/params ...-
Processing /etc/shorewall/shorewall.conf ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
Deleting user chains...
Creating input Chains...
...++ +- -Why can't Shorewall detect my interfaces properly?
-++ +- +Answer: The above output is perfectly normal. The Net zone is defined as all hosts that are connected through eth0 and the local zone is defined as all hosts connected through eth1
-10. What Distributions does it work with?
- +Shorewall works with any GNU/Linux distribution that includes - the proper prerequisites.
- +11. What Features does it have?
- +Answer: See the Shorewall - Feature List.
- + Feature List. +12. Is there a GUI?
- +Answer: Yes. Shorewall support is included in Webmin - 1.060 and later versions. See http://www.webmin.com -
- + 1.060 and later versions. See http://www.webmin.com +13. Why do you call it "Shorewall"?
- +Answer: Shorewall is a concatenation of "Shoreline" - (the - city where I live) and "Firewall". The full - name of the product is actually "Shoreline Firewall" but "Shorewall" - is must more commonly used.
- + (the + city where I live) and "Firewall". The full + name of the product is actually "Shoreline Firewall" but "Shorewall" + is must more commonly used. +14. I'm connected via a cable modem - and it has an internal web server that allows - me to configure/monitor it but as expected if I -enable rfc1918 blocking for my eth0 interface (the internet + and it has an internal web server that allows + me to configure/monitor it but as expected if I + enable rfc1918 blocking for my eth0 interface (the internet one), it also blocks the cable modems web server.
- +Is there any way it can add a rule before the rfc1918 blocking - that will let all traffic to and from the 192.168.100.1 - address of the modem in/out but still block all other - rfc1918 addresses?
- + that will let all traffic to and from the 192.168.100.1 + address of the modem in/out but still block all +other rfc1918 addresses? +Answer: If you are running a version of Shorewall earlier than 1.3.1, create /etc/shorewall/start and in it, place the following:
- -+ ++- -run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT-++ +- -If you are running version 1.3.1 or later, simply add the - following to /etc/shorewall/rfc1918:
--+ +++- --- -
-- -SUBNET - -TARGET -- - - + +192.168.100.1 -RETURN -+ +SUBNET + +TARGET ++ + +192.168.100.1 +RETURN ++ ++ +- -Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
- + +
-Note: If you add a second IP address to your external firewall - interface to correspond to the modem address, -you must also make an entry in /etc/shorewall/rfc1918 -for that address. For example, if you configure the address - 192.168.100.2 on your firewall, then you would add two entries - to /etc/shorewall/rfc1918:
- -
-+ interface to correspond to the modem address, + you must also make an entry in /etc/shorewall/rfc1918 + for that address. For example, if you configure the address + 192.168.100.2 on your firewall, then you would add two entries + to /etc/shorewall/rfc1918:
+ + +-- -
-- + + -SUBNET -
-+ TARGET -
-- ++ + -192.168.100.1 -
-+ RETURN -
-- ++ + - - + + + +192.168.100.2 -
-+ RETURN -
-+ ++ +- -14a. Even though it assigns public IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on my external interface, my DHCP client cannot renew its lease.
-++ +- + the IP address of your ISPs DHCP server. +The solution is the same as FAQ 14 above. Simply substitute - the IP address of your ISPs DHCP server.
-15. My local systems can't see out to - the net
- + the net +Answer: Every time I read "systems can't see out to - the net", I wonder where the poster bought computers - with eyes and what those computers will "see" when - things are working properly. That aside, the most -common causes of this problem are:
- + the net", I wonder where the poster bought +computers with eyes and what those computers will +"see" when things are working properly. That aside, + the most common causes of this problem are: +-
- +- - +
- +
-The default gateway on each local system isn't set to - the IP address of the local firewall interface.
-- - + the IP address of the local firewall interface. +
+- +
-The entry for the local network in the /etc/shorewall/masq - file is wrong or missing.
-- - + file is wrong or missing. +
+- +
- + user is running a DNS server on the firewall + and hasn't enabled UDP and TCP port 53 from +the firewall to the internet. + +The DNS settings on the local systems are wrong or the - user is running a DNS server on the firewall - and hasn't enabled UDP and TCP port 53 from the - firewall to the internet.
-16. Shorewall is writing log messages - all over my console making it unusable!
- + all over my console making it unusable! +Answer: If you are running Shorewall version 1.4.4 - or 1.4.4a then check the errata. Otherwise, see -the 'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command - to your startup scripts or place it in /etc/shorewall/start. - Under RedHat, the max log level that is sent - to the console is specified in /etc/sysconfig/init in - the LOGLEVEL variable.
- + or 1.4.4a then check the errata. Otherwise, see + the 'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command + to your startup scripts or place it in /etc/shorewall/start. + Under RedHat, the max log level that is sent + to the console is specified in /etc/sysconfig/init +in the LOGLEVEL variable.
-
+ +17. How do I find out why this traffic is getting - logged?
- Answer: Logging - occurs out of a number of chains (as indicated in - the log message) in Shorewall:
- + logged? + Answer: Logging + occurs out of a number of chains (as indicated in + the log message) in Shorewall:
+-
- +- man1918 - or logdrop - The destination address is +
- man1918 + or logdrop - The destination address is listed in /etc/shorewall/rfc1918 with a logdrop target - -- see /etc/shorewall/rfc1918.
-- rfc1918 - or logdrop - The source address is listed in /etc/shorewall/rfc1918 - with a logdrop target -- see /etc/shorewall/rfc1918.
+- rfc1918 + or logdrop - The source address is listed in /etc/shorewall/rfc1918 + with a logdrop target -- see /etc/shorewall/rfc1918.
-- all2<zone>, - <zone>2all or all2all - - You have a policy that - specifies a log level and this packet is being logged -under that policy. If you intend to ACCEPT this traffic +
- all2<zone>, + <zone>2all or all2all + - You have a policy +that specifies a log level and this packet is being +logged under that policy. If you intend to ACCEPT this traffic then you need a rule to that effect.
-
-- <zone1>2<zone2> - - Either you have a +
+- <zone1>2<zone2> + - Either you have a policy for <zone1> to <zone2> that specifies a log level and - this packet is being logged under that policy or this packet - matches a rule that -includes a log level.
-- <interface>_mac - - The packet is being logged under the maclist - interface option.
-
-- logpkt - - The packet is being logged under the logunclean - interface option.
-- badpkt - - The packet is being logged under the dropunclean - interface option - as specified in the LOGUNCLEAN setting in rule that + includes a log level.
+- <interface>_mac + - The packet is being logged under the maclist + interface option.
+
+- logpkt + - The packet is being logged under the logunclean + interface option.
+- badpkt + - The packet is being logged under the dropunclean + interface option + as specified in the LOGUNCLEAN setting in /etc/shorewall/shorewall.conf.
-- blacklst - - The packet is being logged because the source IP - is blacklisted in the /etc/shorewall/blacklist - file.
-- newnotsyn - - The packet is being logged because it is a - TCP packet that is not part of any current connection yet - it is not a syn packet. Options affecting the logging of such - packets include NEWNOTSYN and LOGNEWNOTSYN - in /etc/shorewall/shorewall.conf.
-- INPUT -or FORWARD - The packet has a source IP address +
- blacklst + - The packet is being logged because the source IP + is blacklisted in the /etc/shorewall/blacklist + file.
+- newnotsyn + - The packet is being logged because it is +a TCP packet that is not part of any current connection +yet it is not a syn packet. Options affecting the logging + of such packets include NEWNOTSYN and + LOGNEWNOTSYN in /etc/shorewall/shorewall.conf.
+- INPUT + or FORWARD - The packet has a source IP address that isn't in any of your defined zones ("shorewall check" and look at the printed zone definitions) or the chain is FORWARD and the destination IP isn't in any of your defined zones.
-- logflags - The -packet is being logged because it failed the checks implemented +
- logflags - The + packet is being logged because it failed the checks implemented by the tcpflags interface option.
- +
-18. Is there any way to use aliased ip addresses - with Shorewall, and maintain separate rulesets for - different IPs?
- Answer: Yes. See - Shorewall and Aliased Interfaces. - + with Shorewall, and maintain separate rulesets for + different IPs? + Answer: Yes. +See Shorewall and Aliased +Interfaces.19. I have added entries to /etc/shorewall/tcrules - but they don't seem to do anything. Why?
- You probably haven't set -TC_ENABLED=Yes in /etc/shorewall/shorewall.conf so -the contents of the tcrules file are simply being ignored.
- + but they don't seem to do anything. Why? + You probably haven't set + TC_ENABLED=Yes in /etc/shorewall/shorewall.conf so + the contents of the tcrules file are simply being ignored.
+20. I have just set up a server. Do I have - to change Shorewall to allow access to my server from - the internet?
- Yes. Consult the
-
+ + Yes. Consult the QuickStart guide that you used during your initial setup for information about how to set up rules for your server.
- +21. I see these strange log entries occasionally; - what are they?
- -
-+ what are they?+ 192.0.2.3 is external on my + firewall... 172.16.0.0/24 is my internal LAN
+ + +- 192.0.2.3 is external on my -firewall... 172.16.0.0/24 is my internal LANNov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00-
SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3
[SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]
-
- Answer: While most people - associate the Internet Control Message Protocol (ICMP) - with 'ping', ICMP is a key piece of the internet. ICMP is - used to report problems back to the sender of a packet; this - is what is happening here. Unfortunately, where NAT is involved -(including SNAT, DNAT and Masquerade), there are a lot of broken -implementations. That is what you are seeing with these messages.
-
- Here is my interpretation of -what is happening -- to confirm this analysis, one would -have to have packet sniffers placed a both ends of the connection.
-
- Host 172.16.1.10 behind NAT gateway - 206.124.146.179 sent a UDP DNS query to 192.0.2.3 and - your DNS server tried to send a response (the response information - is in the brackets -- note source port 53 which marks this as -a DNS reply). When the response was returned to to 206.124.146.179, - it rewrote the destination IP TO 172.16.1.10 and forwarded the -packet to 172.16.1.10 who no longer had a connection on UDP port -2857. This causes a port unreachable (type 3, code 3) to be generated -back to 192.0.2.3. As this packet is sent back through 206.124.146.179, - that box correctly changes the source address in the packet to 206.124.146.179 - but doesn't reset the DST IP in the original DNS response similarly. - When the ICMP reaches your firewall (192.0.2.3), your firewall has - no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't - appear to be related to anything that was sent. The final result - is that the packet gets logged and dropped in the all2all chain. I - have also seen cases where the source IP in the ICMP itself isn't set -back to the external IP of the remote NAT gateway; that causes your +
+
+ Answer: While most +people associate the Internet Control Message Protocol +(ICMP) with 'ping', ICMP is a key piece of the internet. + ICMP is used to report problems back to the sender of a packet; +this is what is happening here. Unfortunately, where NAT is involved + (including SNAT, DNAT and Masquerade), there are a lot of broken + implementations. That is what you are seeing with these messages.
+
+ Here is my interpretation of + what is happening -- to confirm this analysis, one would + have to have packet sniffers placed a both ends of the connection.
+
+ Host 172.16.1.10 behind NAT +gateway 206.124.146.179 sent a UDP DNS query to 192.0.2.3 +and your DNS server tried to send a response (the response information + is in the brackets -- note source port 53 which marks this as + a DNS reply). When the response was returned to to 206.124.146.179, + it rewrote the destination IP TO 172.16.1.10 and forwarded the + packet to 172.16.1.10 who no longer had a connection on UDP port + 2857. This causes a port unreachable (type 3, code 3) to be generated + back to 192.0.2.3. As this packet is sent back through 206.124.146.179, + that box correctly changes the source address in the packet to 206.124.146.179 + but doesn't reset the DST IP in the original DNS response similarly. + When the ICMP reaches your firewall (192.0.2.3), your firewall has + no record of having sent a DNS reply to 172.16.1.10 so this ICMP +doesn't appear to be related to anything that was sent. The final + result is that the packet gets logged and dropped in the all2all chain. +I have also seen cases where the source IP in the ICMP itself isn't +set back to the external IP of the remote NAT gateway; that causes your firewall to log and drop the packet out of the rfc1918 chain because -the source IP is reserved by RFC 1918.
- + the source IP is reserved by RFC 1918.
+22. I have some iptables commands that - I want to run when Shorewall starts. Which file do - I put them in?
- You can place these commands -in one of the Shorewall Extension + I want to run when Shorewall starts. Which file +do I put them in? + You can place these commands + in one of the Shorewall Extension Scripts. Be sure that you look at the contents of the chain(s) that you will be modifying with your commands to be sure that the commands will do what they are intended. Many iptables @@ -1270,47 +1288,64 @@ use the -A command which adds the rules to the end of the chain. Most chains that Shorewall constructs end with an unconditional DROP, ACCEPT or REJECT rule and any rules that you add after that will be ignored. Check "man iptables" and look at the -I (--insert) command.
- +23. Why do you use such ugly fonts on your - web site?
- The Shorewall web site is almost font -neutral (it doesn't explicitly specify fonts except on a few -pages) so the fonts you see are largely the default fonts configured - in your browser. If you don't like them then reconfigure your -browser.
- + web site? + The Shorewall web site is almost font + neutral (it doesn't explicitly specify fonts except on a +few pages) so the fonts you see are largely the default fonts +configured in your browser. If you don't like them then reconfigure + your browser.
+24. How can I allow conections to let's say - the ssh port only from specific IP Addresses on the -internet?
- In the SOURCE column of the rule, follow -"net" by a colon and a list of the host/subnet addresses as -a comma-separated list.
- + the ssh port only from specific IP Addresses on the + internet? + In the SOURCE column of the rule, follow + "net" by a colon and a list of the host/subnet addresses as + a comma-separated list.
+net:<ip1>,<ip2>,...- Example:
- + Example:
+ACCEPT net:192.0.2.16/28,192.0.2.44 fw tcp 22- +- +25. How to I tell which version of Shorewall - I am running?
- At the shell prompt, type:
-
-
- /sbin/shorewall version
- + I am running?
+ + At the shell prompt, type:
+
+ /sbin/shorewall version
+26. When I try to use any of the SYN options -in nmap on or behind the firewall, I get "operation not permitted". How can -I use nmap with Shorewall?"
- Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to "NEWNOTSYN=Yes" -then restart Shorewall.
-
- Last updated 7/5/2003 - Tom Eastep + in nmap on or behind the firewall, I get "operation not permitted". How can + I use nmap with Shorewall?" + Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to "NEWNOTSYN=Yes" + then restart Shorewall.
+ +27. I'm compiling a new kernel for my firewall. What should +I look out for?
+ First take a look at the Shorewall kernel configuration +page. You probably also want to be sure that you have selected the "NAT +of local connections (READ HELP)" on the Netfilter Configuration menu. +Otherwise, DNAT rules with your firewall as the source zone won't work with +your new kernel.
+28. How do I use Shorewall as a Bridging Firewall?
+ Basically, you don't. While there are kernel patches that allow you to route +bridge traffic through Netfilter, the environment is so different from the +Layer 3 firewalling environment that very little of Shorewall works. In fact, +so much of Shorewall doesn't work that my official position is that "Shorewall +doesn't work with Layer 2 Bridging".
+
+
+ Last updated 7/9/2003 - Tom EastepCopyright © 2001, 2002, 2003 Thomas M. Eastep.
+ +
-
+
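Review bot: the new FAQ 26 answer ("change "NEWNOTSYN=No" to "NEWNOTSYN=Yes" then restart Shorewall") relaxes the new-connection-must-be-SYN check on every interface in order to let one host run nmap, while the News.htm half of this same patch adds a narrower knob: a per-interface 'newnotsyn' option in /etc/shorewall/interfaces that "overrides the setting NEWNOTSYN=No for packets arriving on the associated interface". Suggest the FAQ answer point to that option for the interface the scanner sits on and mention the global setting only as the fallback, and say plainly what is given up (TCP packets that match no tracked connection are no longer required to be SYNs on that path). The question text should also name the scan types it means; "any of the SYN options" is ambiguous, since an ordinary SYN scan does send SYNs and is not what the NEWNOTSYN check rejects. Smaller points in the same hunk: FAQ 24's heading still reads "conections", and FAQ 21 carries "returned to to 206.124.146.179" and a stray upper-case "TO" in "rewrote the destination IP TO 172.16.1.10"; both were there before but are re-flowed here without being fixed.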
diff --git a/Shorewall-docs/News.htm b/Shorewall-docs/News.htm index 0cb348f92..082effe75 100644 --- a/Shorewall-docs/News.htm +++ b/Shorewall-docs/News.htm @@ -5,6 +5,7 @@ +Shorewall News @@ -15,1455 +16,1608 @@ + + - +- + -
- -+ - + - - + + ++ - + + -Shorewall News Archive
-7/7/2003 - Shorewall-1.4.6 Beta 2
- + +7/15/2003 - Shorewall-1.4.6 RC 1
+
+Problems Corrected:
- + +
--
- +- A problem seen on RH7.3 systems where Shorewall encountered start errors +
- A problem seen on RH7.3 systems where Shorewall encountered start errors when started using the "service" mechanism has been worked around.
+
-
-
+- Where a list of IP addresses appears in the DEST column of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the nat table (one for each element in the list). Shorewall now correctly creates a single DNAT rule with multiple "--to-destination" clauses.
-
+
- Corrected a problem in Beta 1 where DNS names containing a "-" were mis-handled when they appeared in the DEST column of a rule.
+
-
+ +- A number of problems with rule parsing have been corrected. Corrections +involve the handling of "z1!z2" in the SOURCE column as well as lists in +the ORIGINAL DESTINATION column.
+Migration Issues:
+ +
-+
- In earlier versions, an undocumented feature allowed entries in the host file as follows:
+
-
- z eth1:192.168.1.0/24,eth2:192.168.2.0/24
-
-This capability was never documented and has been removed in 1.4.6 to allow +
+ z eth1:192.168.1.0/24,eth2:192.168.2.0/24
+
+ This capability was never documented and has been removed in 1.4.6 to allow entries of the following format:
-
- z eth1:192.168.1.0/24,192.168.2.0/24
-
-
+ z eth1:192.168.1.0/24,192.168.2.0/24
+
+- The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically -detected by Shorewall (see below).
+ detected by Shorewall (see below).
-
+New Features:
- + +
--
- A 'newnotsyn' interface option has been added. This option may be specified -in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No for packets -arriving on the associated interface.
-
-
-- The means for specifying a range of IP addresses in /etc/shorewall/masq - to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address +in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No for +packets arriving on the associated interface.
+
+
+- The means for specifying a range of IP addresses in /etc/shorewall/masq + to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.
+
-
-
+- Shorewall can now add IP addresses to subnets other than the first one on an interface.
+
-
-
+- DNAT[-] rules may now be used to load balance (round-robin) over a - set of servers. Servers may be specified in a range of addresses given -as <first address>-<last address>.
-
-
- Example:
-
- DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
-
-- The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options - have been removed and have been replaced by code that detects whether these - capabilities are present in the current kernel. The output of the start, + set of servers. Servers may be specified in a range of addresses given as +<first address>-<last address>.
+
+
+ Example:
+
+ DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
+
+- The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options + have been removed and have been replaced by code that detects whether these + capabilities are present in the current kernel. The output of the start, restart and check commands have been enhanced to report the outcome:
+
-
- Shorewall has detected the following iptables/netfilter capabilities:
- NAT: Available
- Packet Mangling: Available
- Multi-port Match: Available
- Verifying Configuration...
-
-
+ Shorewall has detected the following iptables/netfilter capabilities:
+ NAT: Available
+ Packet Mangling: Available
+ Multi-port Match: Available
+ Verifying Configuration...
+
+- Support for the Connection Tracking Match Extension has been added. This extension is available in recent kernel/iptables releases and allows for rules which match against elements in netfilter's connection tracking table. Shorewall automatically detects the availability of this extension and reports its availability in the output of the start, restart and check commands.
+
-
- Shorewall has detected the following iptables/netfilter capabilities:
- NAT: Available
- Packet Mangling: Available
- Multi-port Match: Available
- Connection Tracking Match: Available
- Verifying Configuration...
-
- If this extension is available, the ruleset generated by Shorewall is changed - in the following ways:
+ Shorewall has detected the following iptables/netfilter capabilities:
+ NAT: Available
+ Packet Mangling: Available
+ Multi-port Match: Available
+ Connection Tracking Match: Available
+ Verifying Configuration...
+
+ If this extension is available, the ruleset generated by Shorewall is +changed in the following ways:-
- To handle 'norfc1918' filtering, Shorewall will not create chains in the mangle table but will rather do all 'norfc1918' filtering in the filter table (rfc1918 chain).
- Recall that Shorewall DNAT rules generate two netfilter rules; one - in the nat table and one in the filter table. If the Connection Tracking -Match Extension is available, the rule in the filter table is extended to -check that the original destination address was the same as specified (or + in the nat table and one in the filter table. If the Connection Tracking +Match Extension is available, the rule in the filter table is extended to +check that the original destination address was the same as specified (or defaulted to) in the DNAT rule.
+
-
-
+- The shell used to interpret the firewall script (/usr/share/shorewall/firewall) +
- The shell used to interpret the firewall script (/usr/share/shorewall/firewall) may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.
-
+
- An 'ipcalc' command has been added to /sbin/shorewall.
+
-
- ipcalc [ <address> <netmask> | <address>/<vlsm> +
+ ipcalc [ <address> <netmask> | <address>/<vlsm> ]
-
-Examples:
-
- [root@wookie root]# shorewall ipcalc 192.168.1.0/24
- CIDR=192.168.1.0/24
- NETMASK=255.255.255.0
- NETWORK=192.168.1.0
- BROADCAST=192.168.1.255
- [root@wookie root]#
-
- [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0
- CIDR=192.168.1.0/24
- NETMASK=255.255.255.0
- NETWORK=192.168.1.0
- BROADCAST=192.168.1.255
- [root@wookie root]#
-
-Warning:
-
-If your shell only supports 32-bit signed arithmatic (ash or dash), then -the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1 -and for /1 networks. Bash should produce correct information for all valid -IP addresses.
-
-
+ Examples:
+
+ [root@wookie root]# shorewall ipcalc 192.168.1.0/24
+ CIDR=192.168.1.0/24
+ NETMASK=255.255.255.0
+ NETWORK=192.168.1.0
+ BROADCAST=192.168.1.255
+ [root@wookie root]#
+
+ [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0
+ CIDR=192.168.1.0/24
+ NETMASK=255.255.255.0
+ NETWORK=192.168.1.0
+ BROADCAST=192.168.1.255
+ [root@wookie root]#
+
+ Warning:
+
+ If your shell only supports 32-bit signed arithmatic (ash or dash), then + the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1 + and for /1 networks. Bash should produce correct information for all valid + IP addresses.
+
+- An 'iprange' command has been added to /sbin/shorewall.
-
-
- iprange <address>-<address>
-
-This command decomposes a range of IP addressses into a list of network and -host addresses. The command can be useful if you need to construct an efficient -set of rules that accept connections from a range of network addresses.
-
-Note: If your shell only supports 32-bit signed arithmetic (ash or dash) +
+ iprange <address>-<address>
+
+ This command decomposes a range of IP addressses into a list of network +and host addresses. The command can be useful if you need to construct an +efficient set of rules that accept connections from a range of network addresses.
+
+ Note: If your shell only supports 32-bit signed arithmetic (ash or dash) then the range may not span 128.0.0.0.
-
-Example:
-
- [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9
- 192.168.1.4/30
- 192.168.1.8/29
- 192.168.1.16/28
- 192.168.1.32/27
- 192.168.1.64/26
- 192.168.1.128/25
- 192.168.2.0/23
- 192.168.4.0/22
- 192.168.8.0/22
- 192.168.12.0/29
- 192.168.12.8/31
- [root@gateway root]#
-
-- A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.
-
-
-Example:
-
- foo eth1:192.168.1.0/24,192.168.2.0/24
-
-7/4/2003 - Shorewall-1.4.6 Beta 1
- -Problems Corrected:
- -
--
- -- A problem seen on RH7.3 systems where Shorewall encountered start -errors when started using the "service" mechanism has been worked around.
-
-
-- Where a list of IP addresses appears in the DEST column of a DNAT[-] - rule, Shorewall incorrectly created multiple DNAT rules in the nat table -(one for each element in the list). Shorewall now correctly creates a single -DNAT rule with multiple "--to-destination" clauses.
- -
-New Features:
- -
--
- -- A 'newnotsyn' interface option has been added. This option may be -specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No -for packets arriving on the associated interface.
-
-
-- The means for specifying a range of IP addresses in /etc/shorewall/masq - to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address - ranges.
-
-
-- Shorewall can now add IP addresses to subnets other than the first - one on an interface.
-
-
-- DNAT[-] rules may now be used to load balance (round-robin) over -a set of servers. Up to 256 servers may be specified in a range of addresses - given as <first address>-<last address>.
-
Example:
- DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
-
- Note that this capability has previously been available using a combination - of a DNAT- rule and one or more ACCEPT rules. That technique is still preferable - for load-balancing over a large number of servers (> 16) since specifying - a range in the DNAT rule causes one filter table ACCEPT rule to be generated - for each IP address in the range.
+ [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9
+ 192.168.1.4/30
+ 192.168.1.8/29
+ 192.168.1.16/28
+ 192.168.1.32/27
+ 192.168.1.64/26
+ 192.168.1.128/25
+ 192.168.2.0/23
+ 192.168.4.0/22
+ 192.168.8.0/22
+ 192.168.12.0/29
+ 192.168.12.8/31
+ [root@gateway root]#
- The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options - have been removed and have been replaced by code that detects whether these - capabilities are present in the current kernel. The output of the start, -restart and check commands have been enhanced to report the outcome:
+- A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.
-
- Shorewall has detected the following iptables/netfilter capabilities:
- NAT: Available
- Packet Mangling: Available
- Multi-port Match: Available
- Verifying Configuration...
+ Example:
-- Support for the Connection Tracking Match Extension has been added. - This extension is available in recent kernel/iptables releases and allows - for rules which match against elements in netfilter's connection tracking - table. Shorewall automatically detects the availability of this extension - and reports its availability in the output of the start, restart and check - commands.
- -
-
- Shorewall has detected the following iptables/netfilter capabilities:
- NAT: Available
- Packet Mangling: Available
- Multi-port Match: Available
- Connection Tracking Match: Available
- Verifying Configuration...
-
- If this extension is available, the ruleset generated by Shorewall is changed - in the following ways:- -
- --
-- To handle 'norfc1918' filtering, Shorewall will not create chains - in the mangle table but will rather do all 'norfc1918' filtering in the -filter table (rfc1918 chain).
-- Recall that Shorewall DNAT rules generate two netfilter rules; -one in the nat table and one in the filter table. If the Connection Tracking -Match Extension is available, the rule in the filter table is extended to -check that the original destination address was the same as specified (or -defaulted to) in the DNAT rule.
- -
-
-- The shell used to interpret the firewall script (/usr/share/shorewall/firewall) - may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.
- + foo eth1:192.168.1.0/24,192.168.2.0/24
-6/17/2003 - Shorewall-1.4.5
+7/7/2003 - Shorewall-1.4.6 Beta 2
-Problems Corrected:
+Problems Corrected:
-
+ +- The command "shorewall debug try <directory>" now correctly - traces the attempt.
-- The INCLUDE directive now works properly in the zones file; previously, - INCLUDE in that file was ignored.
-- /etc/shorewall/routestopped records with an empty second column -are no longer ignored.
+- A problem seen on RH7.3 systems where Shorewall encountered start +errors when started using the "service" mechanism has been worked around.
+
+
+- Where a list of IP addresses appears in the DEST column of a DNAT[-] + rule, Shorewall incorrectly created multiple DNAT rules in the nat table +(one for each element in the list). Shorewall now correctly creates a single +DNAT rule with multiple "--to-destination" clauses.
+
+
+- Corrected a problem in Beta 1 where DNS names containing a "-" were +mis-handled when they appeared in the DEST column of a rule.
+ +
+Migration Issues:
+ +
++
+ +- In earlier versions, an undocumented feature allowed entries in the +host file as follows:
+
+
+ z eth1:192.168.1.0/24,eth2:192.168.2.0/24
+
+ This capability was never documented and has been removed in 1.4.6 to allow +entries of the following format:
+
+ z eth1:192.168.1.0/24,192.168.2.0/24
+
+- The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed +from /etc/shorewall/shorewall.conf. These capabilities are now automatically +detected by Shorewall (see below).
+ +
+New Features:
+ +
++
+ +- A 'newnotsyn' interface option has been added. This option may be +specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No +for packets arriving on the associated interface.
+
+
+- The means for specifying a range of IP addresses in /etc/shorewall/masq + to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address + ranges.
+
+
+- Shorewall can now add IP addresses to subnets other than the first + one on an interface.
+
+
+- DNAT[-] rules may now be used to load balance (round-robin) over a + set of servers. Servers may be specified in a range of addresses given as +<first address>-<last address>.
+
+
+ Example:
+
+ DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
+
+- The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options + have been removed and have been replaced by code that detects whether these + capabilities are present in the current kernel. The output of the start, +restart and check commands have been enhanced to report the outcome:
+
+
+ Shorewall has detected the following iptables/netfilter capabilities:
+ NAT: Available
+ Packet Mangling: Available
+ Multi-port Match: Available
+ Verifying Configuration...
+
+- Support for the Connection Tracking Match Extension has been added. + This extension is available in recent kernel/iptables releases and allows + for rules which match against elements in netfilter's connection tracking + table. Shorewall automatically detects the availability of this extension + and reports its availability in the output of the start, restart and check + commands.
+ +
+
+ Shorewall has detected the following iptables/netfilter capabilities:
+ NAT: Available
+ Packet Mangling: Available
+ Multi-port Match: Available
+ Connection Tracking Match: Available
+ Verifying Configuration...
+
+ If this extension is available, the ruleset generated by Shorewall is +changed in the following ways:+
+- To handle 'norfc1918' filtering, Shorewall will not create chains + in the mangle table but will rather do all 'norfc1918' filtering in the filter + table (rfc1918 chain).
+- Recall that Shorewall DNAT rules generate two netfilter rules; one + in the nat table and one in the filter table. If the Connection Tracking +Match Extension is available, the rule in the filter table is extended to +check that the original destination address was the same as specified (or +defaulted to) in the DNAT rule.
+ +
+
+- The shell used to interpret the firewall script (/usr/share/shorewall/firewall) + may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.
+
+
+- An 'ipcalc' command has been added to /sbin/shorewall.
+
+
+ ipcalc [ <address> <netmask> | <address>/<vlsm> +]
+
+ Examples:
+
+ [root@wookie root]# shorewall ipcalc 192.168.1.0/24
+ CIDR=192.168.1.0/24
+ NETMASK=255.255.255.0
+ NETWORK=192.168.1.0
+ BROADCAST=192.168.1.255
+ [root@wookie root]#
+
+ [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0
+ CIDR=192.168.1.0/24
+ NETMASK=255.255.255.0
+ NETWORK=192.168.1.0
+ BROADCAST=192.168.1.255
+ [root@wookie root]#
+
+ Warning:
+
+ If your shell only supports 32-bit signed arithmatic (ash or dash), then +the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1 +and for /1 networks. Bash should produce correct information for all valid +IP addresses.
+
+- An 'iprange' command has been added to /sbin/shorewall.
+
+
+ iprange <address>-<address>
+
+ This command decomposes a range of IP addressses into a list of network +and host addresses. The command can be useful if you need to construct an +efficient set of rules that accept connections from a range of network addresses.
+
+ Note: If your shell only supports 32-bit signed arithmetic (ash or dash) +then the range may not span 128.0.0.0.
+
+ Example:
+
+ [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9
+ 192.168.1.4/30
+ 192.168.1.8/29
+ 192.168.1.16/28
+ 192.168.1.32/27
+ 192.168.1.64/26
+ 192.168.1.128/25
+ 192.168.2.0/23
+ 192.168.4.0/22
+ 192.168.8.0/22
+ 192.168.12.0/29
+ 192.168.12.8/31
+ [root@gateway root]#
+
+- A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.
+ +
+
+ Example:
+
+ foo eth1:192.168.1.0/24,192.168.2.0/24
+
+7/4/2003 - Shorewall-1.4.6 Beta 1
+ +Problems Corrected:
+ +
++
-- A problem seen on RH7.3 systems where Shorewall encountered start + errors when started using the "service" mechanism has been worked around.
+
+
+- Where a list of IP addresses appears in the DEST column of a DNAT[-] + rule, Shorewall incorrectly created multiple DNAT rules in the nat table +(one for each element in the list). Shorewall now correctly creates a single +DNAT rule with multiple "--to-destination" clauses.
New Features:
+New Features:
-
-- The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may now - contain a list of addresses. If the list begins with "!' then the rule will - take effect only if the original destination address in the connection request - does not match any of the addresses listed.
+- A 'newnotsyn' interface option has been added. This option may be + specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No + for packets arriving on the associated interface.
+
+
+- The means for specifying a range of IP addresses in /etc/shorewall/masq + to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address + ranges.
+
+
+- Shorewall can now add IP addresses to subnets other than the first + one on an interface.
+
+
+- DNAT[-] rules may now be used to load balance (round-robin) over +a set of servers. Up to 256 servers may be specified in a range of addresses + given as <first address>-<last address>.
+
+
+ Example:
+
+ DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
+
+ Note that this capability has previously been available using a combination + of a DNAT- rule and one or more ACCEPT rules. That technique is still preferable + for load-balancing over a large number of servers (> 16) since specifying + a range in the DNAT rule causes one filter table ACCEPT rule to be generated + for each IP address in the range.
+
+- The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options + have been removed and have been replaced by code that detects whether these + capabilities are present in the current kernel. The output of the start, +restart and check commands have been enhanced to report the outcome:
+
+
+ Shorewall has detected the following iptables/netfilter capabilities:
+ NAT: Available
+ Packet Mangling: Available
+ Multi-port Match: Available
+ Verifying Configuration...
+
+- Support for the Connection Tracking Match Extension has been added. + This extension is available in recent kernel/iptables releases and allows + for rules which match against elements in netfilter's connection tracking + table. Shorewall automatically detects the availability of this extension + and reports its availability in the output of the start, restart and check + commands.
+ +
+
+ Shorewall has detected the following iptables/netfilter capabilities:
+ NAT: Available
+ Packet Mangling: Available
+ Multi-port Match: Available
+ Connection Tracking Match: Available
+ Verifying Configuration...
+
+ If this extension is available, the ruleset generated by Shorewall is +changed in the following ways:+ +
+ ++
+- To handle 'norfc1918' filtering, Shorewall will not create chains + in the mangle table but will rather do all 'norfc1918' filtering in the filter + table (rfc1918 chain).
+- Recall that Shorewall DNAT rules generate two netfilter rules; +one in the nat table and one in the filter table. If the Connection Tracking +Match Extension is available, the rule in the filter table is extended to +check that the original destination address was the same as specified (or +defaulted to) in the DNAT rule.
+ +
+
+- The shell used to interpret the firewall script (/usr/share/shorewall/firewall) + may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.
+6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8
+6/17/2003 - Shorewall-1.4.5
-The firewall at shorewall.net has been upgraded to the 2.4.21 kernel and - iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems - have been encountered with this set of software. The Shorewall version -is 1.4.4b plus the accumulated changes for 1.4.5.
+Problems Corrected:
+
+
+ +- The command "shorewall debug try <directory>" now correctly + traces the attempt.
+- The INCLUDE directive now works properly in the zones file; previously, + INCLUDE in that file was ignored.
+- /etc/shorewall/routestopped records with an empty second column +are no longer ignored.
+ +
+New Features:
+ +
++
+ +- The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may now + contain a list of addresses. If the list begins with "!' then the rule will + take effect only if the original destination address in the connection request + does not match any of the addresses listed.
+ +6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8
+ +The firewall at shorewall.net has been upgraded to the 2.4.21 kernel and + iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems + have been encountered with this set of software. The Shorewall version is + 1.4.4b plus the accumulated changes for 1.4.5.
+
+6/8/2003 - Updated Samples
- -Thanks to Francesca Smith, the samples have been updated to Shorewall version -1.4.4.
- + +Thanks to Francesca Smith, the samples have been updated to Shorewall +version 1.4.4.
+5/29/2003 - Shorewall-1.4.4b
- -Groan -- This version corrects a problem whereby the --log-level was not - being set when logging via syslog. The most commonly reported symptom -was that Shorewall messages were being written to the console even though -console logging was correctly configured per FAQ 16.
- + +
-Groan -- This version corrects a problem whereby the --log-level was not + being set when logging via syslog. The most commonly reported symptom was + that Shorewall messages were being written to the console even though console + logging was correctly configured per FAQ 16.
+
+5/27/2003 - Shorewall-1.4.4a
- The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed - out that the code in 1.4.4 restricts the length of short zone names to - 4 characters. I've produced version 1.4.4a that restores the previous 5-character - limit by conditionally omitting the log rule number when the LOGFORMAT - doesn't contain '%d'.
- + The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed + out that the code in 1.4.4 restricts the length of short zone names +to 4 characters. I've produced version 1.4.4a that restores the previous +5-character limit by conditionally omitting the log rule number when +the LOGFORMAT doesn't contain '%d'.
+5/23/2003 - Shorewall-1.4.4
- I apologize for the rapid-fire releases but since there is a potential - configuration change required to go from 1.4.3a to 1.4.4, I decided -to make it a full release rather than just a bug-fix release.
-
- Problems corrected:
- + I apologize for the rapid-fire releases but since there is a potential + configuration change required to go from 1.4.3a to 1.4.4, I decided to + make it a full release rather than just a bug-fix release.
+
+ Problems corrected:
+None.- New Features:
-
- +
5/20/2003 - Shorewall-1.4.3a
-
5/18/2003 - Shorewall 1.4.3
-
5/10/2003 - Shorewall Mirror in Asia
-
Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
-
5/8/2003 - Shorewall Mirror in Chile
- Thanks to Darcy Ganga, there is now an HTTP mirror -in Santiago Chile. -4/21/2003 - Samples updated for Shorewall version 1.4.2
- -Thanks to Francesca Smith, the sample configurations are now upgraded -to Shorewall version 1.4.2.
- -4/9/2003 - Shorewall 1.4.2
-
Problems Corrected:
- -- -- --
-- TCP connection requests rejected out of the common - chain are now properly rejected with TCP RST; previously, some of -these requests were rejected with an ICMP port-unreachable response.
-- 'traceroute -I' from behind the firewall previously - timed out on the first hop (e.g., to the firewall). This has been -worked around.
- -
New Features:
- -3/24/2003 - Shorewall 1.4.1
- - - - - - - - - - - - - - - - - - - - - -This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0
-and removes additional warts.
-
- Problems Corrected:
5/10/2003 - Shorewall Mirror in Asia
+
Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
+
5/8/2003 - Shorewall Mirror in Chile
+ Thanks to Darcy Ganga, there is now an HTTP mirror +in Santiago Chile. +4/21/2003 - Samples updated for Shorewall version 1.4.2
+ +Thanks to Francesca Smith, the sample configurations are now upgraded to +Shorewall version 1.4.2.
+ +4/9/2003 - Shorewall 1.4.2
+
Problems Corrected:
+ ++ ++ ++
+- TCP connection requests rejected out of the common + chain are now properly rejected with TCP RST; previously, some of + these requests were rejected with an ICMP port-unreachable response.
+- 'traceroute -I' from behind the firewall previously + timed out on the first hop (e.g., to the firewall). This has been + worked around.
+ + +
New Features:
+ +Note: In the list that follows, the term group refers -to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be -a host address) accessed through a particular interface. Examples:- + +
+ +3/24/2003 - Shorewall 1.4.1
+ - + + + + + + + + + + + + + + + + + + + +This release follows up on 1.4.0. It corrects a problem introduced in +1.4.0 and removes additional warts.
+ +
+
+ Problems Corrected:
++
+ New Features:- When Shorewall 1.4.0 is run under the ash shell +(such as on Bering/LEAF), it can attempt to add ECN disabling rules +even if the /etc/shorewall/ecn file is empty. That problem has been +corrected so that ECN disabling rules are only added if there are entries +in /etc/shorewall/ecn.
+ +
+ +Note: In the list that follows, the term group refers to +a particular network or subnetwork (which may be 0.0.0.0/0 or it may be a +host address) accessed through a particular interface. Examples:+ You can use the "shorewall check" command to see the groups associated with each of your zones.
+ +eth0:0.0.0.0/0- You can use the "shorewall check" command to see the + eth2:192.168.1.0/24
- eth2:192.168.1.0/24
- eth3:192.0.2.123
-
+ eth3:192.0.2.123
+
-
3/17/2003 - Shorewall 1.4.0
- Shorewall - 1.4 represents the next step in the evolution of Shorewall. -The main thrust of the initial release is simply to remove the -cruft that has accumulated in Shorewall over time.3/10/2003 - Shoreall 1.3.14a
- -A roleup of the following bug fixes and other updates:
- -2/8/2003 - Shoreawall 1.3.14
- -New features include
- -[root@gateway test]# cat /etc/shorewall/masq- - - - -
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2- - - - -
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]# shorewall start-
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
[root@gateway test]# cat /etc/shorewall/masq- - - - -
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2-
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
[root@gateway test]# cat /etc/shorewall/masq- - - - -
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2-
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
#INTERFACE SUBNET ADDRESS-
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
- 2/5/2003 - Shorewall Support included
-in Webmin 1.060
Webmin version 1.060 now has Shorewall support included as standard. See
- http://www.webmin.com.
-
- 2/4/2003 - Shorewall 1.3.14-RC1
Includes the Beta 2 content plus support for OpenVPN tunnels.
- -1/28/2003 - Shorewall 1.3.14-Beta2
- -Includes the Beta 1 content plus restores VLAN device names of the form - $dev.$vid (e.g., eth0.1)
- -1/25/2003 - Shorewall 1.3.14-Beta1
-
The Beta includes the following changes:
-
3/10/2003 - Shoreall 1.3.14a
+ +A roleup of the following bug fixes and other updates:
+ +2/8/2003 - Shoreawall 1.3.14
+ +New features include
+ +[root@gateway test]# cat /etc/shorewall/masq- +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2- +
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]# shorewall start-
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
[root@gateway test]# cat /etc/shorewall/masq- +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2-
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
[root@gateway test]# cat /etc/shorewall/masq- +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2-
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
#INTERFACE SUBNET ADDRESS+
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+ 2/5/2003 - Shorewall Support included
+in Webmin 1.060
Webmin version 1.060 now has Shorewall support included as standard. See
+ http://www.webmin.com.
+
+ 2/4/2003 - Shorewall 1.3.14-RC1
Includes the Beta 2 content plus support for OpenVPN tunnels.
+ +1/28/2003 - Shorewall 1.3.14-Beta2
+ +Includes the Beta 1 content plus restores VLAN device names of the form + $dev.$vid (e.g., eth0.1)
+ +1/25/2003 - Shorewall 1.3.14-Beta1
+
The Beta includes the following changes:
+
[root@gateway test]# cat /etc/shorewall/masq+ + + + +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2+ + + + +
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]# shorewall start+
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
[root@gateway test]# cat /etc/shorewall/masq+ + + + +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2+
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
[root@gateway test]# cat /etc/shorewall/masq+ + + + +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2+
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
#INTERFACE SUBNET ADDRESS-
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format
- -Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation. - the PDF may be downloaded from
+ +Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation. + the PDF may be downloaded from
- ftp://slovakia.shorewall.net/mirror/shorewall/pdf/1/17/2003 - shorewall.net has MOVED
- +Thanks to the generosity of Alex Martin and Rett Consulting, www.shorewall.net and
-ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A
-big thanks to Alex for making this happen.
-
1/13/2003 - Shorewall 1.3.13
-
Just includes a few things that I had on the burner:
-
1/6/2003 - BURNOUT -
+ +1/6/2003 - BURNOUT +
- -Until further notice, I will not be involved in either Shorewall Development + +
Until further notice, I will not be involved in either Shorewall Development or Shorewall Support
- +-Tom Eastep
-
12/30/2002 - Shorewall Documentation in PDF Format
- -Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation. - the PDF may be downloaded from
+ +Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation. + the PDF may be downloaded from
- + ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
12/27/2002 - Shorewall 1.3.12 Released
- + Features include:
-
12/20/2002 - Shorewall 1.3.12 Beta 3
-
12/20/2002 - Shorewall 1.3.12 Beta 3
+
12/20/2002 - Shorewall 1.3.12 Beta 2
- -The first public Beta version of Shorewall 1.3.12 is now available (Beta + +
The first public Beta version of Shorewall 1.3.12 is now available (Beta
1 was made available only to a limited audience).
-
http://www.shorewall.net/pub/shorewall/Beta+ - +
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
12/12/2002 - Mandrake Multi Network Firewall -
- Shorewall is at the center - of MandrakeSoft's recently-announced Multi - Network Firewall (MNF) product. Here is the + + Shorewall is at the +center of MandrakeSoft's recently-announced Multi + Network Firewall (MNF) product. Here is the press - release.12/7/2002 - Shorewall Support for Mandrake 9.0
- -Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered. - I have installed 9.0 on one of my systems and I -am now in a position to support Shorewall users who run -Mandrake 9.0.
+ +Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered. + I have installed 9.0 on one of my systems and +I am now in a position to support Shorewall users who +run Mandrake 9.0.
- +12/6/2002 - Debian 1.3.11a Packages Available
-
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +12/3/2002 - Shorewall 1.3.11a
- -This is a bug-fix roll up which includes Roger Aich's fix for DNAT with - excluded subnets (e.g., "DNAT foo!bar ..."). Current - 1.3.11 users who don't need rules of this type need - not upgrade to 1.3.11.
+ +This is a bug-fix roll up which includes Roger Aich's fix for DNAT with + excluded subnets (e.g., "DNAT foo!bar ..."). +Current 1.3.11 users who don't need rules of this +type need not upgrade to 1.3.11.
- +11/24/2002 - Shorewall 1.3.11
- +In this version:
- +11/14/2002 - Shorewall Documentation in PDF Format
- -Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation. - the PDF may be downloaded from
+ +Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation. + the PDF may be downloaded from
- + ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
11/09/2002 - Shorewall is Back at SourceForge -
+ +11/09/2002 - Shorewall is Back at SourceForge +
+ + + +The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.
+
The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.
-
11/09/2002 - Shorewall 1.3.10
- +In this version:
- -10/24/2002 - Shorewall is now in Gentoo Linux
-
10/23/2002 - Shorewall 1.3.10 Beta 1
- In this version:10/10/2002 - Debian 1.3.9b Packages Available
-
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
- - -10/9/2002 - Shorewall 1.3.9b
- This release - rolls up fixes to the installer and to the firewall - script.10/6/2002 - Shorewall.net now running on RH8.0
-
- The firewall
- and server here at shorewall.net are now running
- RedHat release 8.0.
-
-
- 9/30/2002
-- Shorewall 1.3.9a
9/30/2002 - TUNNELS Broken in 1.3.9!!!
- There is -an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - -- copy that file to /usr/lib/shorewall/firewall.10/24/2002 - Shorewall is now in Gentoo Linux
+
9/28/2002 - Shorewall 1.3.9
+10/23/2002 - Shorewall 1.3.10 Beta 1
+ In this version:In this version:
-
9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
- Restored
+
+
10/10/2002 - Debian 1.3.9b Packages Available
+
- - - -- -Hopefully these problems are now corrected. - -- -
- -- Mailing List Archive Search was not available.
- -- The Site Search index was incomplete
- -- Only one page of matches was presented.
- - - - -
9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
- Restored
-
9/18/2002 - Debian 1.3.8 Packages Available
-
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
+ +10/9/2002 - Shorewall 1.3.9b
+ This release + rolls up fixes to the installer and to the firewall + script.10/6/2002 - Shorewall.net now running on RH8.0
+
+ The firewall
+ and server here at shorewall.net are now running
+RedHat release 8.0.
+
+
+ 9/30/2002
+- Shorewall 1.3.9a
9/30/2002 - TUNNELS Broken in 1.3.9!!!
+ There is +an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall + -- copy that file to /usr/lib/shorewall/firewall.9/28/2002 - Shorewall 1.3.9
+ + +In this version:
+
9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
+ Restored
+
+
+ + + ++ + Hopefully these problems are now corrected. + ++ +
+ +- Mailing List Archive Search was not available.
+ +- The Site Search index was incomplete
+ +- Only one page of matches was presented.
+ + + + +
9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
+ Restored
+
9/18/2002 - Debian 1.3.8 Packages Available
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
+ +9/16/2002 - Shorewall 1.3.8
+In this version:
-
9/11/2002 - Debian 1.3.7c Packages Available
- +Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +9/2/2002 - Shorewall 1.3.7c
- -This is a role up of a fix for "DNAT" rules where the source zone is $FW - (fw).
+ +This is a role up of a fix for "DNAT" rules where the source zone is $FW + (fw).
- +8/31/2002 - I'm not available
- -I'm currently on vacation -- please respect my need for a couple of - weeks free of Shorewall problem reports.
+ +I'm currently on vacation -- please respect my need for a couple of +weeks free of Shorewall problem reports.
- +-Tom
- +8/26/2002 - Shorewall 1.3.7b
- -This is a role up of the "shorewall refresh" bug fix and the change which - reverses the order of "dhcp" and "norfc1918" - checking.
+ +This is a role up of the "shorewall refresh" bug fix and the change which + reverses the order of "dhcp" and "norfc1918" + checking.
- +8/26/2002 - French FTP Mirror is Operational
- +ftp://france.shorewall.net/pub/mirrors/shorewall - is now available.
+ href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall + is now available. - +8/25/2002 - Shorewall Mirror in France
- -Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored - at Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored + at http://france.shorewall.net.
- +8/25/2002 - Shorewall 1.3.7a Debian Packages Available
- -Lorenzo Martignoni reports that the packages for version 1.3.7a are available - at Lorenzo Martignoni reports that the packages for version 1.3.7a are available + at http://security.dsi.unimi.it/~lorenzo/debian.html.
- -8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author - -- Shorewall 1.3.7a released8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author + -- Shorewall 1.3.7a released -
+ - -1.3.7a corrects problems occurring in rules file processing when starting - Shorewall 1.3.7.
+ +1.3.7a corrects problems occurring in rules file processing when starting + Shorewall 1.3.7.
- +8/22/2002 - Shorewall 1.3.7 Released 8/13/2002
- +Features in this release include:
- +I would like to thank John Distler for his valuable input regarding TCP - SYN and ICMP treatment in Shorewall. - That input has led to marked improvement in - Shorewall in the last two releases.
+ +I would like to thank John Distler for his valuable input regarding TCP + SYN and ICMP treatment in Shorewall. + That input has led to marked improvement in + Shorewall in the last two releases.
- +8/13/2002 - Documentation in the CVS Repository
- -The Shorewall-docs project now contains just the HTML and image files - -the Frontpage files have been removed.
+ +The Shorewall-docs project now contains just the HTML and image files +- the Frontpage files have been removed.
- +8/7/2002 - STABLE branch added to CVS Repository
- -This branch will only be updated after I release a new version of Shorewall - so you can always update from this branch - to get the latest stable tree.
+ +This branch will only be updated after I release a new version of Shorewall + so you can always update from this +branch to get the latest stable tree.
- -8/7/2002 - Upgrade Issues section added - to the Errata Page
+ +8/7/2002 - Upgrade Issues section +added to the Errata Page
- -Now there is one place to go to look for issues involved with upgrading - to recent versions of Shorewall.
+ +Now there is one place to go to look for issues involved with upgrading + to recent versions of Shorewall.
- +8/7/2002 - Shorewall 1.3.6
- +This is primarily a bug-fix rollup with a couple of new features:
- +7/30/2002 - Shorewall 1.3.5b Released
- +This interim release:
- +7/29/2002 - New Shorewall Setup Guide Available
- +The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm. - The guide is intended for use by people - who are setting up Shorewall to manage multiple - public IP addresses and by people who want to learn - more about Shorewall than is described in the single-address - guides. Feedback on the new guide is welcome.
+ href="http://www.shorewall.net/shorewall_setup_guide.htm"> http://www.shorewall.net/shorewall_setup_guide.htm. + The guide is intended for use by people + who are setting up Shorewall to manage multiple + public IP addresses and by people who want to learn + more about Shorewall than is described in the single-address + guides. Feedback on the new guide is welcome. - +7/28/2002 - Shorewall 1.3.5 Debian Package Available
- -Lorenzo Martignoni reports that the packages are version 1.3.5a and are - available at Lorenzo Martignoni reports that the packages are version 1.3.5a and are + available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +7/27/2002 - Shorewall 1.3.5a Released
- +This interim release restores correct handling of REDIRECT rules.
- +7/26/2002 - Shorewall 1.3.5 Released
- -This will be the last Shorewall release for a while. I'm going to be - focusing on rewriting a lot of the documentation.
+ +This will be the last Shorewall release for a while. I'm going to be +focusing on rewriting a lot of the documentation.
- +In this version:
- +7/16/2002 - New Mirror in Argentina
- -Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in - Argentina. Thanks Buanzo!!!
+ +Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in + Argentina. Thanks Buanzo!!!
- +7/16/2002 - Shorewall 1.3.4 Released
- +In this version:
- +7/8/2002 - Shorewall 1.3.3 Debian Package Available
- +Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +7/6/2002 - Shorewall 1.3.3 Released
- +In this version:
- +6/25/2002 - Samples Updated for 1.3.2
- -The comments in the sample configuration files have been updated to reflect - new features introduced in Shorewall - 1.3.2.
+ +The comments in the sample configuration files have been updated to reflect + new features introduced in Shorewall + 1.3.2.
- +6/25/2002 - Shorewall 1.3.1 Debian Package Available
- +Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +6/19/2002 - Documentation Available in PDF Format
- -Thanks to Mike Martinez, the Shorewall Documentation is now available for - download in Adobe - PDF format.
+ +Thanks to Mike Martinez, the Shorewall Documentation is now available +for download in Adobe PDF format.
- +6/16/2002 - Shorewall 1.3.2 Released
- +In this version:
- +6/6/2002 - Why CVS Web access is Password Protected
- -Last weekend, I installed the CVS Web package to provide brower-based access - to the Shorewall CVS repository. Since then, I have had several instances -where my server was almost unusable due to the high load generated by website -copying tools like HTTrack and WebStripper. These mindless tools:
+ +Last weekend, I installed the CVS Web package to provide brower-based +access to the Shorewall CVS repository. Since then, I have had several +instances where my server was almost unusable due to the high load generated +by website copying tools like HTTrack and WebStripper. These mindless tools:
- +These tools/weapons are particularly damaging when combined with CVS Web - because they doggedly follow every link - in the cgi-generated HTML resulting in 1000s - of executions of the cvsweb.cgi script. Yesterday, - I spend several hours implementing measures to block - these tools but unfortunately, these measures resulted - in my server OOM-ing under even moderate load.
+ +These tools/weapons are particularly damaging when combined with CVS Web + because they doggedly follow every +link in the cgi-generated HTML resulting in + 1000s of executions of the cvsweb.cgi script. Yesterday, + I spend several hours implementing measures to block + these tools but unfortunately, these measures resulted + in my server OOM-ing under even moderate load.
- -Until I have the time to understand the cause of the OOM (or until I buy - more RAM if that is what is required), - CVS Web access will remain Password Protected. -
+ +Until I have the time to understand the cause of the OOM (or until I buy + more RAM if that is what is required), + CVS Web access will remain Password Protected. +
- +6/5/2002 - Shorewall 1.3.1 Debian Package Available
- +Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +6/2/2002 - Samples Corrected
- -The 1.3.0 samples configurations had several serious problems that prevented - DNS and SSH from working properly. These - problems have been corrected in the 1.3.1 samples.
+ +The 1.3.0 samples configurations had several serious problems that prevented + DNS and SSH from working properly. +These problems have been corrected in the + 1.3.1 samples.
- +6/1/2002 - Shorewall 1.3.1 Released
- +Hot on the heels of 1.3.0, this release:
- +5/29/2002 - Shorewall 1.3.0 Released
- -In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 - includes:
+ +In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 + includes:
- +5/23/2002 - Shorewall 1.3 RC1 Available
- -In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) - incorporates the following:
+ +In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) + incorporates the following:
- +5/19/2002 - Shorewall 1.3 Beta 2 Available
- -In addition to the changes in Beta 1, this release which carries the - designation 1.2.91 adds:
+ +In addition to the changes in Beta 1, this release which carries the +designation 1.2.91 adds:
- +5/17/2002 - Shorewall 1.3 Beta 1 Available
- -Beta 1 carries the version designation 1.2.90 and implements the following - features:
+ +Beta 1 carries the version designation 1.2.90 and implements the following + features:
- +5/4/2002 - Shorewall 1.2.13 is Available
- +In this version:
- +4/30/2002 - Shorewall Debian News
- -Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the Debian -Testing Branch and the Debian -Unstable Branch.
+ +Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the +Debian + Testing Branch and the Debian + Unstable Branch.
- +4/20/2002 - Shorewall 1.2.12 is Available
- +4/17/2002 - Shorewall Debian News
- +Lorenzo Marignoni reports that:
- +Thanks, Lorenzo!
- +4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE
- -Thanks to Stefan Mohr, there
- is now a Shorewall 1.2.11
+
+ Thanks to Stefan Mohr, there
+ is now a Shorewall 1.2.11
SuSE RPM available. 4/13/2002 - Shorewall 1.2.11 Available In this version: 4/13/2002 - Hamburg Mirror now has FTP Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall.
- Thanks Stefan!
-
-
+
4/12/2002 - New Mirror in Hamburg
- -Thanks to Stefan Mohr, there - is now a mirror of the Shorewall website - at http://germany.shorewall.net. -
+ +Thanks to Stefan Mohr, there + is now a mirror of the Shorewall website + at http://germany.shorewall.net. +
- +4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available
- -Version 1.1 of the QuickStart - Guide is now available. Thanks to - those who have read version 1.0 and offered their - suggestions. Corrections have also been made to -the sample scripts.
+ +Version 1.1 of the QuickStart + Guide is now available. Thanks +to those who have read version 1.0 and offered +their suggestions. Corrections have also been made + to the sample scripts.
- +4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available
- -Version 1.0 of the QuickStart - Guide is now available. This Guide - and its accompanying sample configurations -are expected to provide a replacement for the recently - withdrawn parameterized samples.
+ +Version 1.0 of the QuickStart + Guide is now available. This Guide + and its accompanying sample configurations + are expected to provide a replacement for the recently + withdrawn parameterized samples.
- +4/8/2002 - Parameterized Samples Withdrawn
- +Although the parameterized - samples have allowed people to get - a firewall up and running quickly, they have - unfortunately set the wrong level of expectation among - those who have used them. I am therefore withdrawing -support for the samples and I am recommending that -they not be used in new Shorewall installations.
+ href="http://www.shorewall.net/pub/shorewall/samples-1.2.1/">parameterized + samples have allowed people to +get a firewall up and running quickly, they + have unfortunately set the wrong level of expectation + among those who have used them. I am therefore + withdrawing support for the samples and I am recommending + that they not be used in new Shorewall installations. - +4/2/2002 - Updated Log Parser
- -John Lodge has provided an updated - version of his CGI-based log parser - with corrected date handling.
+ +John Lodge has provided an updated + version of his CGI-based log parser + with corrected date handling.
- +3/30/2002 - Shorewall Website Search Improvements
- -The quick search on the home page now excludes the mailing list archives. - The Extended - Search allows excluding the archives - or restricting the search to just the archives. An archive - search form is also available on the mailing list information - page.
+ +The quick search on the home page now excludes the mailing list archives. + The Extended + Search allows excluding the archives + or restricting the search to just the archives. An archive + search form is also available on the mailing list information + page.
- +3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)
- +3/25/2002 - Log Parser Available
- +John Lodge has provided a CGI-based log parser for Shorewall. Thanks - John.
+ href="pub/shorewall/parsefw/">CGI-based log parser for Shorewall. Thanks + John. - +3/20/2002 - Shorewall 1.2.10 Released
- +In this version:
- +3/11/2002 - Shorewall 1.2.9 Released
- +In this version:
- +3/1/2002 - 1.2.8 Debian Package is Available
- +See http://security.dsi.unimi.it/~lorenzo/debian.html
- +2/25/2002 - New Two-interface Sample
- -I've enhanced the two interface sample to allow access from the firewall
- to servers in the local zone -
+
+ I've enhanced the two interface sample to allow access from the firewall
+ to servers in the local zone -
http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz 2/23/2002 - Shorewall 1.2.8 Released Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
- problems associated with the lock file used to prevent multiple state-changing
- operations from occuring simultaneously.
- My apologies for any inconvenience my carelessness
- may have caused. Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
+ problems associated with the lock file used to prevent multiple state-changing
+ operations from occuring simultaneously.
+ My apologies for any inconvenience my carelessness
+ may have caused. 2/22/2002 - Shorewall 1.2.7 Released In this version: 2/18/2002 - 1.2.6 Debian Package is Available See http://security.dsi.unimi.it/~lorenzo/debian.html 2/8/2002 - Shorewall 1.2.6 Released In this version: 2/4/2002 - Shorewall 1.2.5 Debian Package Available see http://security.dsi.unimi.it/~lorenzo/debian.html 2/1/2002 - Shorewall 1.2.5 Released Due to installation problems with Shorewall 1.2.4, I have released Shorewall
+
+ Due to installation problems with Shorewall 1.2.4, I have released Shorewall
1.2.5. Sorry for the rapid-fire development. In version 1.2.5: 1/28/2002 - Shorewall 1.2.4 Released 1/28/2002 - Shorewall 1.2.4 Released 1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html 1/20/2002 - Corrected firewall script available Corrects a problem with BLACKLIST_LOGLEVEL. See the
+
+ Corrects a problem with BLACKLIST_LOGLEVEL. See the
errata for details. 1/19/2002 - Shorewall 1.2.3 Released This is a minor feature and bugfix release. The single new feature is: The following problems were corrected: 1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution
+
+ Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution
that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo
+ href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo 1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2
- Shorewall Debian package is now available.
- There is a link to Lorenzo's site from the Shorewall download page.
-
-
+
-
+
-
+
-
-
-
+
+
+
+
+
+
+
-
-
+
-
-
+
1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores - the "shorewall status" command to health.
+ href="/pub/shorewall/errata/1.2.2/shorewall">This corrected version restores + the "shorewall status" command to health. - +1/8/2002 - Shorewall 1.2.2 Released
- +In version 1.2.2
- +1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates - to the previously-released samples. There - are two new rules added:
+ target="_blank">version 1.2.0) released. These are minor updates + to the previously-released samples. +There are two new rules added: - +See the README file for upgrade instructions.
- +1/1/2002 - Shorewall Mailing List Moving
- -The Shorewall mailing list hosted at - Sourceforge is moving to Shorewall.net. - If you are a current subscriber to the list -at Sourceforge, please see these instructions. - If you would like to subscribe to the new - list, visit The Shorewall mailing list hosted at + Sourceforge is moving to Shorewall.net. + If you are a current subscriber to the list + at Sourceforge, please see these instructions. + If you would like to subscribe to the +new list, visit http://www.shorewall.net/mailman/listinfo/shorewall-users.
- +12/31/2001 - Shorewall 1.2.1 Released
- +In version 1.2.1:
- +12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist releasing -1.2 on 12/21/2001
- - - -Version 1.2 contains the following new features:
- - - -For the next month or so, I will continue to provide corrections to version - 1.1.18 as necessary so that current -version 1.1.x users will not be forced into -a quick upgrade to 1.2.0 just to have access to bug fixes.
+ +12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist +releasing 1.2 on 12/21/2001
- -For those of you who have installed one of the Beta RPMS, you will need - to use the "--oldpackage" option when - upgrading to 1.2.0:
+ +Version 1.2 contains the following new features:
- -+ +- -+ +
+ + + +- Support for Traffic + Control/Shaping
+ +- Support for Filtering + of Mangled/Invalid Packets
+ +- Support for GRE Tunnels
- + +For the next month or so, I will continue to provide corrections to version + 1.1.18 as necessary so that current +version 1.1.x users will not be forced into a + quick upgrade to 1.2.0 just to have access to bug fixes.
+ + + +For those of you who have installed one of the Beta RPMS, you will need + to use the "--oldpackage" option when + upgrading to 1.2.0:
+ + + ++ + ++rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm
-
12/19/2001 - Thanks to Steve - Cowles, there is now a Shorewall -mirror in Texas. This web site is mirrored -at http://www.infohiiway.com/shorewall + +
12/19/2001 - Thanks to Steve + Cowles, there is now a Shorewall +mirror in Texas. This web site is mirrored +at http://www.infohiiway.com/shorewall and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall.
- +11/30/2001 - A new set of the parameterized Sample -Configurations has been released. In this version:
+ href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.18">Sample + Configurations has been released. In this version: - +11/20/2001 - The current version of Shorewall is 1.1.18.
- +In this version:
- +11/19/2001 - Thanks to Juraj - Ontkanin, there is now a Shorewall - mirror in the Slovak Republic. The website + +
11/19/2001 - Thanks to Juraj + Ontkanin, there is now a Shorewall + mirror in the Slovak Republic. The website is now mirrored at http://www.nrg.sk/mirror/shorewall + href="http://www.nrg.sk/mirror/shorewall" target="_top">http://www.nrg.sk/mirror/shorewall and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.
- -11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. + +
11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. There are three sample configurations:
- +Samples may be downloaded from ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 + href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17"> ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 . See the README file for instructions.
- -11/1/2001 - The current version of Shorewall is 1.1.17. I intend - this to be the last of the 1.1 + +
11/1/2001 - The current version of Shorewall is 1.1.17. I intend + this to be the last of the 1.1 Shorewall releases.
- +In this version:
- +10/22/2001 - The current version of Shorewall is 1.1.16. In this + +
10/22/2001 - The current version of Shorewall is 1.1.16. In this version:
- +10/15/2001 - The current version of Shorewall is 1.1.15. In this + +
10/15/2001 - The current version of Shorewall is 1.1.15. In this version:
- +10/4/2001 - The current version of Shorewall is 1.1.14. In this - version
+ +10/4/2001 - The current version of Shorewall is 1.1.14. In this + version
- +9/12/2001 - The current version of Shorewall is 1.1.13. In this - version
+ +9/12/2001 - The current version of Shorewall is 1.1.13. In this + version
- +8/28/2001 - The current version of Shorewall is 1.1.12. In this - version
+ +8/28/2001 - The current version of Shorewall is 1.1.12. In this + version
- +7/28/2001 - The current version of Shorewall is 1.1.11. In this - version
+ +7/28/2001 - The current version of Shorewall is 1.1.11. In this + version
- +7/6/2001 - The current version of Shorewall is 1.1.10. In this version
+ +7/6/2001 - The current version of Shorewall is 1.1.10. In this +version
- +6/23/2001 - The current version of Shorewall is 1.1.9. In this version
+ +6/23/2001 - The current version of Shorewall is 1.1.9. In this +version
- +6/18/2001 - The current version of Shorewall is 1.1.8. In this version
+ +6/18/2001 - The current version of Shorewall is 1.1.8. In this +version
- +6/2/2001 - The current version of Shorewall is 1.1.7. In this version
- +5/25/2001 - The current version of Shorewall is 1.1.6. In this version
+ +5/25/2001 - The current version of Shorewall is 1.1.6. In this +version
- +5/20/2001 - The current version of Shorewall is 1.1.5. In this version
+ +5/20/2001 - The current version of Shorewall is 1.1.5. In this +version
- +5/10/2001 - The current version of Shorewall is 1.1.4. In this version
+ +5/10/2001 - The current version of Shorewall is 1.1.4. In this +version
- +4/28/2001 - The current version of Shorewall is 1.1.3. In this version
+ +4/28/2001 - The current version of Shorewall is 1.1.3. In this +version
- +4/12/2001 - The current version of Shorewall is 1.1.2. In this version
+ - + +4/12/2001 - The current version of Shorewall is 1.1.2. In this +version
+ + +4/8/2001 - Shorewall is now affiliated with the Leaf Project -
+ - +4/5/2001 - The current version of Shorewall is 1.1.1. In this version:
- +3/25/2001 - The current version of Shorewall is 1.1.0. In this version:
- +3/19/2001 - The current version of Shorewall is 1.0.4. This version:
- +3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix + + + + +
3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix release with no new features.
- +3/8/2001 - The current version of Shorewall is 1.0.2. It supports an - additional "gw" (gateway) zone for -tunnels and it supports IPSEC tunnels with -end-points on the firewall. There is also a .lrp available - now.
+ - -Updated 7/7/2003 - Tom Eastep -
+ +3/8/2001 - The current version of Shorewall is 1.0.2. It supports an + additional "gw" (gateway) zone for +tunnels and it supports IPSEC tunnels with end-points + on the firewall. There is also a .lrp available now.
- + +Updated 7/15/2003 - Tom Eastep +
+ + + Copyright © 2001, 2002 Thomas M. Eastep.
-
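Review bot: The footer still carries "Copyright © 2001, 2002 Thomas M. Eastep" while this change moves the "Updated" line forward from 7/7/2003 to 7/15/2003; the copyright years should be extended to include 2003 in the same change, since the page is plainly being maintained well past 2002 and the two footer lines now contradict each other.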
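Review bot: Almost every removed/added pair in the news entries (the 1.1.x release announcements from 3/8/2001 through 12/19/2001 and the mirror notices) is a whitespace re-wrap of identical HTML, and the only substantive edit in the whole region is the "Updated" date; the cosmetic reflow should be split into its own commit so that the single content change is reviewable rather than buried among hundreds of lines of re-indented markup.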