Clean up release notes.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-05-27 06:42:56 -07:00
parent fbfe7b9f93
commit 8a0dc9f0f6


@ -20,7 +20,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
unallocated number when no device number is explicitly allocated. unallocated number when no device number is explicitly allocated.
2) Network developers have discovered an exploit that allows hosts to 2) Network developers have discovered an exploit that allows hosts to
poke holes in the firewall. The known ways to protect against the poke holes in a firewall. The known ways to protect against the
exploit are: exploit are:
a) rt_filter (Shorewall's routefilter). Only applicable to IPv4 a) rt_filter (Shorewall's routefilter). Only applicable to IPv4
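Review bot: the wording change from "the firewall" to "a firewall" in item 2) is fine, but "poke holes in a firewall" still leaves the reader to infer what the listed protections (rt_filter, and in the next hunk the hairpin rule and the 'filter' interface option) actually guard against; a short clause stating the traffic pattern being blocked, in the terms the 'filter' option text later uses (packets arriving on an interface with a source address that belongs to another local network), would make the item self-contained for readers who skip to the options.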
@ -31,34 +31,33 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
This approach is not appropriate for bridges and other cases, This approach is not appropriate for bridges and other cases,
where the 'routeback' option is specified or implied. where the 'routeback' option is specified or implied.
For non-bridges, Shorewall will insert a hairpin rule, provided For non-routeback interfaces, Shorewall and Shorewall6 will insert
that the following options are not specified: a hairpin rule, provided that the routefilter option is not
specified. The rule will dispose of hairpins according to the
setting of two new options in shorewall.conf and shorewall6.conf:
- routefilter FILTER_LOG_LEVEL
- routeback Specifies the logging level; default is 'info'. To omit
logging, specify FILTER_LOG_LEVEL=none.
The rule will handle hairpins according to the setting of two new
options in shorewall.conf and shorewall6.conf:
FILTER_LOG_LEVEL specifies the logging level; default is 'info'. FILTER_DISPOSITION
To omit logging, specify FILTER_LOG_LEVEL=none. Specifies the disposition. Default is DROP and the possible
values are DROP, A_DROP, REJECT and A_REJECT.
FILTER_DISPOSITION specifies the disposition. Default is DROP and
the possible values are DROP, A_DROP, REJECT and A_REJECT.
To deal with bridges and other routeback interfaces , there is now To deal with bridges and other routeback interfaces , there is now
a 'filter' option in /shorewall/interfaces and a 'filter' option in /shorewall/interfaces and
/etc/shorewall6/interfaces. /etc/shorewall6/interfaces.
The value of the 'filter' option is a list of addresses enclosed in The value of the 'filter' option is a list of network addresses
in parentheses. Where only a single address is listed, the enclosed in in parentheses. Where only a single address is listed,
parentheses may be deleted. When a packet from a filtered address the parentheses may be omitted. When a packet from a filtered
is received on the interface, it is handled based on the new address is received on the interface, it is disposed of based on
options described above. the new FILTER_ options described above.
For each bridge, you should list all of your other local networks For a bridge or other routeback interface, you should list all of
(those networks not attached to the bridge) in the bridge's filter your other local networks (those networks not attached to the
list. bridge) in the bridge's filter list.
Example: Example:
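Review bot: the new text for the 'filter' option introduces a doubled word, "enclosed in in parentheses", which should read "enclosed in parentheses". Two pre-existing nits in the unchanged context of this hunk are worth picking up while the paragraph is being touched: "routeback interfaces , there is now" has a stray space before the comma, and "/shorewall/interfaces" beside "/etc/shorewall6/interfaces" looks like a missing "/etc/" prefix and should presumably be "/etc/shorewall/interfaces". The rewrite of the hairpin-rule paragraph reads better than the bulleted list it replaces, and tying it to "non-routeback interfaces" correctly removes the redundant 'routeback' bullet.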