mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-08 16:54:10 +01:00
Shorewall 1.3.7b
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@221 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
580cfb6c61
commit
8dc5bd0ed8
@ -533,7 +533,9 @@ problem are:</p>
|
||||
over my console making it unusable!</h4>
|
||||
|
||||
<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command to your startup
|
||||
scripts or place it in /etc/shorewall/start.</p>
|
||||
scripts or place it in /etc/shorewall/start. Under RedHat, the max log level
|
||||
that is sent to the console is specified in /etc/sysconfig/init in the
|
||||
LOGLEVEL variable.</p>
|
||||
|
||||
<h4 align="left"><a name="faq17"></a>17. Why can't Shorewall detect my
|
||||
interfaces properly?</h4>
|
||||
@ -566,7 +568,7 @@ over my console making it unusable!</h4>
|
||||
zone is defined as all hosts connected through eth1.</div>
|
||||
|
||||
<p align="left"><font size="2">Last updated
|
||||
8/15/2002 - <a href="support.htm">Tom
|
||||
8/24/2002 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
|
||||
@ -42,7 +42,25 @@ parameter to the type of tunnel that you want to create.</p>
|
||||
<blockquote>
|
||||
<p align="left">tunnel_type=gre</p>
|
||||
</blockquote>
|
||||
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>gw</b> zone. In
|
||||
<p align="left">On each firewall, you will need to declare a zone to represent
|
||||
the remote subnet. We'll assume that this zone is called 'vpn' and declare it in
|
||||
/etc/shorewall/zones on both systems as follows.</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse">
|
||||
<tr>
|
||||
<td><strong>ZONE</strong></td>
|
||||
<td><strong>DISPLAY</strong></td>
|
||||
<td><strong>COMMENTS</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>VPN</td>
|
||||
<td>Remote Subnet</td>
|
||||
</tr>
|
||||
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone. In
|
||||
/etc/shorewall/interfaces:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse">
|
||||
@ -53,7 +71,7 @@ parameter to the type of tunnel that you want to create.</p>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>gw</td>
|
||||
<td>vpn</td>
|
||||
<td>tosysb</td>
|
||||
<td>10.255.255.255</td>
|
||||
<td> </td>
|
||||
@ -88,7 +106,7 @@ encapsulation protocol (4) will be accepted to/from the remote gateway.</p>
|
||||
gateway=134.28.54.2<br>
|
||||
subnet=10.0.0.0/8</p>
|
||||
</blockquote>
|
||||
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>gw</b>
|
||||
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
|
||||
zone. In /etc/shorewall/interfaces:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse">
|
||||
@ -99,7 +117,7 @@ zone. In /etc/shorewall/interfaces:</p>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>gw</td>
|
||||
<td>vpn</td>
|
||||
<td>tosysa</td>
|
||||
<td>192.168.1.255</td>
|
||||
<td> </td>
|
||||
@ -135,7 +153,7 @@ zone. In /etc/shorewall/interfaces:</p>
|
||||
<p>You can rename the modified tunnel scripts if you like; be sure that they are
|
||||
secured so that root can execute them. </p>
|
||||
|
||||
<p align="Left"> You will need to allow traffic between the "gw" zone and
|
||||
<p align="Left"> You will need to allow traffic between the "vpn" zone and
|
||||
the "loc" zone on both systems -- if you simply want to admit all traffic
|
||||
in both directions, you can use the policy file:</p>
|
||||
|
||||
@ -150,13 +168,13 @@ secured so that root can execute them. </p>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>gw</td>
|
||||
<td>vpn</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td>gw</td>
|
||||
<td>vpn</td>
|
||||
<td>loc</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
@ -168,7 +186,7 @@ secured so that root can execute them. </p>
|
||||
run the modified tunnel script with the "start" argument on each
|
||||
system. The systems in the two masqueraded subnetworks can now talk to each
|
||||
other</p>
|
||||
<p><font size="2">Updated 5/18/2002 - <a href="support.htm">Tom
|
||||
<p><font size="2">Updated 8/22/2002 - <a href="support.htm">Tom
|
||||
Eastep</a> </font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
|
||||
@ -17,6 +17,31 @@
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
|
||||
|
||||
<p>This is a role up of the "shorewall refresh" bug fix and the change which
|
||||
reverses the order of "dhcp" and "norfc1918" checking.</p>
|
||||
|
||||
<p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
|
||||
|
||||
<p><a href="ftp://france.shorewall.net/pub/mirrors/shorewall">
|
||||
ftp://france.shorewall.net/pub/mirrors/shorewall</a> is now available.</p>
|
||||
|
||||
<p><b>8/25/2002 - Shorewall Mirror in France</b></p>
|
||||
|
||||
<p>Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored
|
||||
at <a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
|
||||
|
||||
<p><b>8/25/2002 - Shorewall 1.3.7a Debian Packages Available</b></p>
|
||||
|
||||
<p>Lorenzo Martignoni reports that the packages for version 1.3.7a are available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
|
||||
|
||||
<p><b>8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author -- Shorewall 1.3.7a
|
||||
released</b></p>
|
||||
|
||||
<p>1.3.7a corrects problems occurring in rules file processing when starting Shorewall
|
||||
1.3.7.</p>
|
||||
|
||||
<p><b>8/22/2002 - Shorewall 1.3.7 Released 8/13/2002</b></p>
|
||||
|
||||
<p>Features in this release include:</p>
|
||||
@ -1024,7 +1049,7 @@ version:</p>
|
||||
additional "gw" (gateway) zone for tunnels and it supports IPSEC
|
||||
tunnels with end-points on the firewall. There is also a .lrp available now.</b></p>
|
||||
|
||||
<p><font size="2">Updated 8/22/2002 - <a href="support.htm">Tom
|
||||
<p><font size="2">Updated 8/26/2002 - <a href="support.htm">Tom
|
||||
Eastep</a> </font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">
|
||||
|
||||
@ -55,6 +55,7 @@
|
||||
<li><a target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
|
||||
<li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
|
||||
<li><a target="_top" href="http://shorewall.correofuego.com.ar">Argentina</a></li>
|
||||
<li><a target="_top" href="http://france.shorewall.net">France</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
@ -66,7 +66,7 @@ AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS REQUIRED
|
||||
FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO
|
||||
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
|
||||
ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></p>
|
||||
<p>Download Latest Version (<b>1.3.7</b>): <b>Remember that updates to the mirrors
|
||||
<p>Download Latest Version (<b>1.3.7a</b>): <b>Remember that updates to the mirrors
|
||||
occur 1-12 hours after an update to the primary site.</b></p>
|
||||
<blockquote>
|
||||
<table border="2" cellspacing="3" cellpadding="3" style="border-collapse: collapse">
|
||||
@ -118,8 +118,8 @@ occur 1-12 hours after an update to the primary site.</b></p>
|
||||
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a> <br>
|
||||
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp">Download
|
||||
.rpm</a></td>
|
||||
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp">
|
||||
Download .lrp</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Hamburg, Germany</td>
|
||||
@ -154,6 +154,20 @@ occur 1-12 hours after an update to the primary site.</b></p>
|
||||
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
|
||||
Download .lrp</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Paris, France</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
|
||||
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
|
||||
.lrp</a></td>
|
||||
<td>
|
||||
<a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download .rpm</a> <br>
|
||||
<a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download .lrp</a></td>
|
||||
</tr>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>Browse Download Sites:</p>
|
||||
@ -198,6 +212,13 @@ occur 1-12 hours after an update to the primary site.</b></p>
|
||||
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">
|
||||
Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>France</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
|
||||
<td>
|
||||
<a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>California, USA (Incomplete)</td>
|
||||
<td>Sourceforge.net</td>
|
||||
@ -216,7 +237,7 @@ Shorewall component. There's no guarantee that what you find there will work at
|
||||
all.</p>
|
||||
|
||||
</blockquote>
|
||||
<p align="left"><font size="2">Last Updated 8/22/2002 - <a href="support.htm">Tom
|
||||
<p align="left"><font size="2">Last Updated 8/26/2002 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
|
||||
@ -65,15 +65,15 @@ dos2unix</a></u>
|
||||
<ul>
|
||||
<li><b><a href="#Upgrade">Upgrade Issues</a></b></li>
|
||||
<li>
|
||||
|
||||
<b><font color="#660066">
|
||||
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
|
||||
|
||||
<b><a href="#V1.3">Problems in Version 1.3</a></b></li>
|
||||
<li>
|
||||
|
||||
<b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
|
||||
<li>
|
||||
|
||||
<b><a href="#V1.3">Problems in Version 1.3</a></b></li>
|
||||
<b><font color="#660066">
|
||||
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
|
||||
<li>
|
||||
|
||||
<b><font color="#660066"><a href="#iptables">
|
||||
@ -88,112 +88,58 @@ dos2unix</a></u>
|
||||
</ul>
|
||||
<hr>
|
||||
|
||||
<h2 align="Left"><a name="Upgrade"></a>Upgrade Issues</h2>
|
||||
<h2 align="Left"><a name="V1.3"></a>Problems in Version 1.3</h2>
|
||||
|
||||
<h3>Version >= 1.3.7</h3>
|
||||
<h3>Version 1.3.7a</h3>
|
||||
|
||||
<p>Users specifying ALLOWRELATED=No in
|
||||
/etc/shorewall.conf will need to include the
|
||||
following rules in their /etc/shorewall/icmpdef
|
||||
file (creating this file if necessary):</p>
|
||||
<p>"shorewall refresh" is not creating the proper
|
||||
rule for FORWARDPING=Yes. Consequently, after
|
||||
"shorewall refresh", the firewall will not forward
|
||||
icmp echo-request (ping) packets. Installing
|
||||
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
|
||||
this corrected firewall script</a> in /var/lib/shorewall/firewall
|
||||
as described above corrects this problem.</p>
|
||||
|
||||
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
|
||||
<p>Users having an /etc/shorewall/icmpdef file may remove the ".
|
||||
/etc/shorewall/icmp.def" command from that file since the icmp.def file is now
|
||||
empty.</p>
|
||||
<h3><b><a name="Bering">Upgrading </a>Bering to
|
||||
Shorewall >= 1.3.3</b></h3>
|
||||
<h3>Version <= 1.3.7a</h3>
|
||||
|
||||
<p>To properly upgrade with Shorewall version
|
||||
1.3.3 and later:</p>
|
||||
<p>If "norfc1918" and "dhcp" are both specified as
|
||||
options on a given interface then RFC 1918
|
||||
checking is occurring before DHCP checking. This
|
||||
means that if a DHCP client broadcasts using an
|
||||
RFC 1918 source address, then the firewall will
|
||||
reject the broadcast (usually logging it). This
|
||||
has two problems:</p>
|
||||
|
||||
<ol>
|
||||
<li>Be sure you have a backup -- you will need
|
||||
to transcribe any Shorewall configuration
|
||||
changes that you have made to the new
|
||||
configuration.</li>
|
||||
<li>Replace the shorwall.lrp package provided on
|
||||
the Bering floppy with the later one. If you did
|
||||
not obtain the later version from Jacques's
|
||||
site, see additional instructions below.</li>
|
||||
<li>Edit the /var/lib/lrpkg/root.exclude.list
|
||||
file and remove the /var/lib/shorewall entry if
|
||||
present. Then do not forget to backup root.lrp !</li>
|
||||
<li>If the firewall is running a DHCP server,
|
||||
the client won't be able to obtain an IP address
|
||||
lease from that server.</li>
|
||||
<li>With this order of checking, the "dhcp"
|
||||
option cannot be used as a noise-reduction
|
||||
measure where there are both dynamic and static
|
||||
clients on a LAN segment.</li>
|
||||
</ol>
|
||||
<p>The .lrp that I release isn't set up for a two-interface firewall like
|
||||
Jacques's. You need to follow the <a href="two-interface.htm">instructions for
|
||||
setting up a two-interface firewall</a> plus you also need to add the following
|
||||
two Bering-specific rules to /etc/shorewall/rules:</p>
|
||||
<blockquote>
|
||||
<pre># Bering specific rules:
|
||||
# allow loc to fw udp/53 for dnscache to work
|
||||
# allow loc to fw tcp/80 for weblet to work
|
||||
#
|
||||
ACCEPT loc fw udp 53
|
||||
ACCEPT loc fw tcp 80</pre>
|
||||
</blockquote>
|
||||
|
||||
<h3 align="Left">Version >= 1.3.6</h3>
|
||||
|
||||
<p align="Left">If you have a pair of firewall systems configured for
|
||||
failover, you will need to modify your firewall setup slightly under
|
||||
Shorewall versions >= 1.3.6. </p>
|
||||
|
||||
<ol>
|
||||
<li>
|
||||
|
||||
<p align="Left">Create the file /etc/shorewall/newnotsyn and in it add
|
||||
the following rule<br>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A newnotsyn -j RETURN # So that the
|
||||
connection tracking table can be rebuilt<br>
|
||||
|
||||
# from non-SYN packets after takeover.<br>
|
||||
</font></li>
|
||||
<li>
|
||||
|
||||
<p align="Left">Create /etc/shorewall/common (if you don't already
|
||||
have that file) and include the following:<br>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A common -p tcp --tcp-flags
|
||||
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
|
||||
|
||||
#tracking table. <br>
|
||||
. /etc/shorewall/common.def</font></li>
|
||||
</ol>
|
||||
|
||||
<h3 align="Left">Versions >= 1.3.5</h3>
|
||||
|
||||
<p align="Left">Some forms of pre-1.3.0 rules file syntax are no
|
||||
longer supported. </p>
|
||||
|
||||
<p align="Left">Example 1:</p>
|
||||
|
||||
<div align="left">
|
||||
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
|
||||
</div>
|
||||
|
||||
<p align="Left">Must be replaced with:</p>
|
||||
|
||||
<div align="left">
|
||||
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">Example 2:</div>
|
||||
<div align="left">
|
||||
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">Must be replaced with:</div>
|
||||
<div align="left">
|
||||
<pre> REDIRECT loc 3128 tcp 80</pre>
|
||||
</div>
|
||||
|
||||
<h2 align="Left"><a name="V1.3"></a>Problems in Version 1.3</h2>
|
||||
<p>
|
||||
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
|
||||
This version of the 1.3.7a firewall script </a>
|
||||
corrects the problem. It must be installed in /var/lib/shorewall
|
||||
as described above.</p>
|
||||
|
||||
<h3>Version 1.3.7</h3>
|
||||
|
||||
<p>Version 1.3.7 dead on arrival -- please use
|
||||
version 1.3.7a and check your version against
|
||||
these md5sums -- if there's a difference, please
|
||||
download again.</p>
|
||||
|
||||
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz
|
||||
6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
|
||||
3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
|
||||
<p>In other words, type "md5sum <<i>whatever package you downloaded</i>> and
|
||||
compare the result with what you see above.</p>
|
||||
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the .7
|
||||
version in each sequence from now on.</p>
|
||||
|
||||
<h3 align="Left">Version 1.3.6</h3>
|
||||
|
||||
@ -352,6 +298,120 @@ ACCEPT loc fw tcp 80</pre>
|
||||
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
|
||||
corrected version is here</a>.</li>
|
||||
</ul>
|
||||
<hr>
|
||||
|
||||
<h2 align="Left"><a name="Upgrade"></a>Upgrade Issues</h2>
|
||||
|
||||
<h3>Version >= 1.3.7</h3>
|
||||
|
||||
<p>Users specifying ALLOWRELATED=No in
|
||||
/etc/shorewall.conf will need to include the
|
||||
following rules in their /etc/shorewall/icmpdef
|
||||
file (creating this file if necessary):</p>
|
||||
|
||||
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
|
||||
<p>Users having an /etc/shorewall/icmpdef file may remove the ".
|
||||
/etc/shorewall/icmp.def" command from that file since the icmp.def file is now
|
||||
empty.</p>
|
||||
<h3><b><a name="Bering">Upgrading </a>Bering to
|
||||
Shorewall >= 1.3.3</b></h3>
|
||||
|
||||
<p>To properly upgrade with Shorewall version
|
||||
1.3.3 and later:</p>
|
||||
|
||||
<ol>
|
||||
<li>Be sure you have a backup -- you will need
|
||||
to transcribe any Shorewall configuration
|
||||
changes that you have made to the new
|
||||
configuration.</li>
|
||||
<li>Replace the shorwall.lrp package provided on
|
||||
the Bering floppy with the later one. If you did
|
||||
not obtain the later version from Jacques's
|
||||
site, see additional instructions below.</li>
|
||||
<li>Edit the /var/lib/lrpkg/root.exclude.list
|
||||
file and remove the /var/lib/shorewall entry if
|
||||
present. Then do not forget to backup root.lrp !</li>
|
||||
</ol>
|
||||
<p>The .lrp that I release isn't set up for a two-interface firewall like
|
||||
Jacques's. You need to follow the <a href="two-interface.htm">instructions for
|
||||
setting up a two-interface firewall</a> plus you also need to add the following
|
||||
two Bering-specific rules to /etc/shorewall/rules:</p>
|
||||
<blockquote>
|
||||
<pre># Bering specific rules:
|
||||
# allow loc to fw udp/53 for dnscache to work
|
||||
# allow loc to fw tcp/80 for weblet to work
|
||||
#
|
||||
ACCEPT loc fw udp 53
|
||||
ACCEPT loc fw tcp 80</pre>
|
||||
</blockquote>
|
||||
|
||||
<h3 align="Left">Version >= 1.3.6</h3>
|
||||
|
||||
<p align="Left">If you have a pair of firewall systems configured for
|
||||
failover, you will need to modify your firewall setup slightly under
|
||||
Shorewall versions >= 1.3.6. </p>
|
||||
|
||||
<ol>
|
||||
<li>
|
||||
|
||||
<p align="Left">Create the file /etc/shorewall/newnotsyn and in it add
|
||||
the following rule<br>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A newnotsyn -j RETURN # So that the
|
||||
connection tracking table can be rebuilt<br>
|
||||
|
||||
# from non-SYN packets after takeover.<br>
|
||||
</font></li>
|
||||
<li>
|
||||
|
||||
<p align="Left">Create /etc/shorewall/common (if you don't already
|
||||
have that file) and include the following:<br>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A common -p tcp --tcp-flags
|
||||
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
|
||||
|
||||
#tracking table. <br>
|
||||
. /etc/shorewall/common.def</font></li>
|
||||
</ol>
|
||||
|
||||
<h3 align="Left">Versions >= 1.3.5</h3>
|
||||
|
||||
<p align="Left">Some forms of pre-1.3.0 rules file syntax are no
|
||||
longer supported. </p>
|
||||
|
||||
<p align="Left">Example 1:</p>
|
||||
|
||||
<div align="left">
|
||||
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
|
||||
</div>
|
||||
|
||||
<p align="Left">Must be replaced with:</p>
|
||||
|
||||
<div align="left">
|
||||
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">Example 2:</div>
|
||||
<div align="left">
|
||||
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">Must be replaced with:</div>
|
||||
<div align="left">
|
||||
<pre> REDIRECT loc 3128 tcp 80</pre>
|
||||
</div>
|
||||
|
||||
<h3 align="Left">Version >= 1.3.2</h3>
|
||||
|
||||
<p align="Left">The functions and versions files together with the
|
||||
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
|
||||
If you have applications that access these files, those applications
|
||||
should be modified accordingly.</p>
|
||||
|
||||
<hr>
|
||||
|
||||
<h3 align="Left"><a name="iptables"></a><font color="#660066">
|
||||
@ -435,9 +495,9 @@ Aborted (core dumped)
|
||||
installed, simply use the "--nodeps" option to
|
||||
rpm.</p>
|
||||
|
||||
<p>Installing: rpm -ivh <i><shorewall rpm></i></p>
|
||||
<p>Installing: rpm -ivh --nodeps <i><shorewall rpm></i></p>
|
||||
|
||||
<p>Upgrading: rpm -Uvh <i><shorewall rpm></i></p>
|
||||
<p>Upgrading: rpm -Uvh --nodeps <i><shorewall rpm></i></p>
|
||||
|
||||
<h3><a name="Multiport"></a><b>Problems with
|
||||
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
|
||||
@ -445,7 +505,8 @@ Aborted (core dumped)
|
||||
<p>The iptables 1.2.7 release of iptables has made
|
||||
an incompatible change to the syntax used to
|
||||
specify multiport match rules; as a consequence,
|
||||
if you install iptables 1.2.7 you must</p>
|
||||
if you install iptables 1.2.7 you must be running
|
||||
Shorewall 1.3.7a or later or:</p>
|
||||
|
||||
<ul>
|
||||
<li>set MULTIPORT=No in
|
||||
@ -457,7 +518,7 @@ Aborted (core dumped)
|
||||
as described above.</li>
|
||||
</ul>
|
||||
<p><font size="2">
|
||||
Last updated 8/22/2002 -
|
||||
Last updated 8/26/2002 -
|
||||
<a href="support.htm">Tom Eastep</a></font> </p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
|
||||
Binary file not shown.
@ -6,16 +6,18 @@
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Mailing Lists</title>
|
||||
<meta name="Microsoft Theme" content="boldstri 011">
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><a href="http://www.gnu.org/software/mailman/mailman.html">
|
||||
<img border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" height="35"></a><a href="http://www.postfix.org/"><img src="images/small-picture.gif" align="right" border="0" width="115" height="45"></a><font color="#FFFFFF">Shorewall Mailing Lists</font></h1>
|
||||
<p align="right"><font color="#FFFFFF"><b>Powered by Postfix
|
||||
</b></font>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
@ -26,6 +26,7 @@ to at least one address in each of the following domains:</h2>
|
||||
<pre>2020ca - delivery to this domain has been disabled (cause unknown)
|
||||
excite.com - delivery to this domain has been disabled (cause unknown)
|
||||
epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)
|
||||
familie-fleischhacker.de - (connection timed out)
|
||||
gmx.net - delivery to this domain has been disabled (cause unknown)
|
||||
hotmail.com - delivery to this domain has been disabled (Mailbox over quota)
|
||||
intercom.net - delivery to this domain has been disabled (cause unknown)
|
||||
@ -33,6 +34,7 @@ initialcs.com - delivery to this domain has been disabled (cause unknown)
|
||||
intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).
|
||||
khp-inc.com - delivery to this domain has been disabled (anti-virus problems)
|
||||
kieninger.de - delivery to this domain has been disabled (relaying to <xxxxx@kieninger.de> prohibited by administrator)
|
||||
littleblue.de - (connection timed out)
|
||||
opermail.net - delivery to this domain has been disabled (cause unknown)
|
||||
penquindevelopment.com - delivery to this domain has been disabled (connection timed out)
|
||||
scip-online.de - delivery to this domain has been disabled (cause unknown)
|
||||
@ -42,7 +44,7 @@ yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
|
||||
</div>
|
||||
</blockquote>
|
||||
|
||||
<p align="left"><font size="2">Last updated 7/26/2002 19:39 GMT -
|
||||
<p align="left"><font size="2">Last updated 8/23/2002 17:16 GMT -
|
||||
<a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
|
||||
|
||||
@ -63,9 +63,38 @@
|
||||
|
||||
<h2>News</h2>
|
||||
|
||||
<p><b>8/22/2002 - Shorewall 1.3.7 Released 8/13/2002
|
||||
<p><b>8/26/2002 - Shorewall 1.3.7b
|
||||
<img border="0" src="images/new10.gif" width="28" height="12"> </b></p>
|
||||
|
||||
<p>This is a role up of the "shorewall refresh" bug fix and the change which
|
||||
reverses the order of "dhcp" and "norfc1918" checking.</p>
|
||||
|
||||
<p><b>8/26/2002 - French FTP Mirror is Operational
|
||||
<img border="0" src="images/new10.gif" width="28" height="12"> </b></p>
|
||||
|
||||
<p><a href="ftp://france.shorewall.net/pub/mirrors/shorewall">
|
||||
ftp://france.shorewall.net/pub/mirrors/shorewall</a> is now available.</p>
|
||||
|
||||
<p><b>8/25/2002 - Shorewall Mirror in France
|
||||
<img border="0" src="images/new10.gif" width="28" height="12"> </b></p>
|
||||
|
||||
<p>Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored
|
||||
at <a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
|
||||
|
||||
<p><b>8/25/2002 - Shorewall 1.3.7a Debian Packages Available
|
||||
<img border="0" src="images/new10.gif" width="28" height="12"> </b></p>
|
||||
|
||||
<p>Lorenzo Martignoni reports that the packages for version 1.3.7a are available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
|
||||
|
||||
<p><b>8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author
|
||||
-- Shorewall 1.3.7a released
|
||||
<img border="0" src="images/j0233056.gif" width="50" height="80" align="middle"></b></p>
|
||||
|
||||
<p>1.3.7a corrects problems occurring in rules file processing when starting Shorewall
|
||||
1.3.7.</p>
|
||||
|
||||
<p><b>8/22/2002 - Shorewall 1.3.7 Released</b></p>
|
||||
|
||||
<p>Features in this release include:</p>
|
||||
|
||||
<ul>
|
||||
@ -150,7 +179,7 @@
|
||||
</table>
|
||||
|
||||
<p><font size="2">Updated
|
||||
8/22/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
8/26/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
</font>
|
||||
|
||||
|
||||
|
||||
@ -73,17 +73,20 @@ Washington</a>
|
||||
<ul>
|
||||
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 8GB IDE HDs and LNE100TX
|
||||
(Tulip) NIC - My personal Windows system.</li>
|
||||
<li>Celeron 1.4Gz, RH7.3, 256MB RAM, 60GB HD, LNE100TX(Tulip) NIC - My
|
||||
personal Linux System which runs Samba configured as a WINS server.</li>
|
||||
<li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC - My
|
||||
personal Linux System which runs Samba configured as a WINS server. This
|
||||
system also has <a href="http://www.vmware.com/">VMware</a> installed and
|
||||
can run both <a href="http://www.debian.org">Debian</a> and
|
||||
<a href="http://www.suse.com">SuSE</a> in virtual machines.</li>
|
||||
<li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC
|
||||
- Mail (Postfix & Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
|
||||
(Bind).</li>
|
||||
<li>PII/233, RH7.3 with 2.4.19 kernel, 256MB MB RAM, 2GB SCSI HD - 3
|
||||
<li>PII/233, RH7.3 with 2.4.20-pre2 kernel, 256MB MB RAM, 2GB SCSI HD - 3
|
||||
LNE100TX (Tulip) and 1 TLAN NICs - Firewall running Shorewall 1.3.6 and a DHCP
|
||||
server. Also runs PoPToP for road warrior access.</li>
|
||||
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's personal system.</li>
|
||||
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 and EEPRO100
|
||||
in expansion base - My main work system.</li>
|
||||
in expansion base and LinkSys WAC11 - My main work system.</li>
|
||||
</ul>
|
||||
<p>For more about our network see <a href="myfiles.htm">my Shorewall
|
||||
Configuration</a>.</p>
|
||||
|
||||
@ -50,7 +50,7 @@
|
||||
</li>
|
||||
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual
|
||||
IP addresses and subnetworks is supported.</li>
|
||||
<li><a href="Documentation.htm#Starting"><b>Operational support</b></a>:
|
||||
<li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
|
||||
<ul>
|
||||
<li>Commands to start, stop and clear the firewall</li>
|
||||
<li>Supports status monitoring
|
||||
|
||||
@ -43,7 +43,11 @@ from the internet and from the DMZ and in some cases, from each other.</li
|
||||
network hosts.</p>
|
||||
<p>While zones are normally disjoint (no two zones have a host in common),
|
||||
there are cases where nested or overlapping zone definitions are appropriate.</p>
|
||||
<p>Packets entering the firewall first pass through the <i>mangle </i>table's
|
||||
<p>For a general picture of how packets traverse a Netfilter firewall, see
|
||||
<a href="http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html#TRAVERSINGOFTABLES">
|
||||
http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html#TRAVERSINGOFTABLES.</a><br>
|
||||
<br>
|
||||
Packets entering the firewall first pass through the <i>mangle </i>table's
|
||||
PREROUTING chain (you can see the mangle table by typing "shorewall show
|
||||
mangle"). If the packet entered through an interface that has the <b>norfc1918</b>
|
||||
option, then the packet is sent down the <b>man1918</b> which will drop
|
||||
@ -55,10 +59,25 @@ from the internet and from the DMZ and in some cases, from each other.</li
|
||||
control.</p>
|
||||
<p>Next, if the packet isn't part of an established connection, it passes
|
||||
through the<i> nat</i> table's PREROUTING chain (you can see the nat table by
|
||||
typing "shorewall show nat"). </p>
|
||||
typing "shorewall show nat"). If you are doing both static nat and
|
||||
port forwarding, the order in which chains are traversed is dependent on the
|
||||
setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is on then
|
||||
packets will ender a chain called <i>interface_</i>in where <i>interface</i> is
|
||||
the name of the interface on which the packet entered. Here it's destination IP
|
||||
is compared to each of the <i>EXTERNAL</i> IP addresses from /etc/shorewall/nat
|
||||
that correspond to this interface; if there is a match, DNAT is applied and the
|
||||
packet header is modified to the IP in the <i>INTERNAL</i> column of the nat
|
||||
file record. If the destination address doesn't match any of the rules in the
|
||||
<i>interface_</i>in chain then the packet enters a chain called <i>sourcezone</i>_dnat
|
||||
where <i>sourcezone</i> is the source zone of the packet. There it is compared
|
||||
for a match against each of the DNAT records in the rules file that specify <i>
|
||||
sourcezone </i>as the source zone. If a match is found, the destination IP
|
||||
address (and possibly the destination port) is modified based on the rule
|
||||
matched. If NAT_BEFORE_RULES is off, then the order of traversal of the <i>
|
||||
interface_</i>in and <i>sourcezone</i>_dnat is reversed.</p>
|
||||
<p>
|
||||
Traffic entering the
|
||||
firewall is sent to an<i> input </i>chain. If the traffic is destined for the
|
||||
Traffic is next sent to an<i> input </i>chain in the mail Netfilter table
|
||||
(called 'filter'). If the traffic is destined for the
|
||||
firewall itself, the name of the input chain is formed by appending "_in" to
|
||||
the interface name. So traffic on eth0 destined for the firewall will enter a
|
||||
chain called <i>eth0_in</i>. The input chain for traffic that will be routed to
|
||||
@ -151,6 +170,6 @@ its own separate connection from the firewall to zone B.</p>
|
||||
zone and you are having problems connecting from a local client to an internet
|
||||
server, <font color="#ff6633"><b><u> adding a rule won't help</u></b></font>
|
||||
(see point 3 above).</p>
|
||||
<p><font size="2">Last modified 7/26/2002 - <a href="support.htm">Tom
|
||||
<p><font size="2">Last modified 8/22/2002 - <a href="support.htm">Tom
|
||||
Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm">
|
||||
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>
|
||||
@ -36,6 +36,8 @@ It is mirrored at:</p>
|
||||
<li><a target="_top" href="http://germany.shorewall.net">
|
||||
http://germany.shorewall.net</a> (Hamburg, Germany)</li>
|
||||
<li><a target="_top" href="http://shorewall.correofuego.com.ar">http://shorewall.correofuego.com.ar</a> (Martinez (Zona Norte - GBA), Argentina)</li>
|
||||
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
|
||||
(Paris, France)</li>
|
||||
</ul>
|
||||
<p align="left">The main Shorewall FTP Site is <a href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">ftp://ftp.shorewall.net/pub/shorewall/</a>
|
||||
and is located in Washington State, USA.
|
||||
@ -50,8 +52,11 @@ It is mirrored at:</p>
|
||||
ftp://germany.shorewall.net/pub/shorewall</a> (Hamburg, Germany)</li>
|
||||
<li>
|
||||
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall</a> (Martinez (Zona Norte - GBA), Argentina)</li>
|
||||
<li>
|
||||
<a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
|
||||
(Paris, France)</li>
|
||||
</ul>
|
||||
<p align="left"><font size="2">Last Updated 7/16/2002 - <a href="support.htm">Tom
|
||||
<p align="left"><font size="2">Last Updated 8/26/2002 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
|
||||
|
||||
@ -18,7 +18,7 @@
|
||||
</tr>
|
||||
</table>
|
||||
<ul>
|
||||
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.19. <a href="kernel.htm">
|
||||
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre2. <a href="kernel.htm">
|
||||
Check here for kernel configuration information.</a>
|
||||
If you are looking for a firewall for use with 2.2 kernels, <a href="http://www.shorewall.net/seawall">
|
||||
see the Seattle Firewall site</a>
|
||||
@ -43,7 +43,7 @@
|
||||
<li>The firewall monitoring display is greatly improved if you have awk
|
||||
(gawk) installed.</li>
|
||||
</ul>
|
||||
<p align="left"><font size="2">Last updated 8/4/2002 - <a href="support.htm">Tom
|
||||
<p align="left"><font size="2">Last updated 8/24/2002 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
|
||||
|
||||
@ -19,20 +19,22 @@
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<h3 align="left">Before Reporting a Problem</h3>
|
||||
<blockquote>
|
||||
|
||||
<h3 align="left"> <span style="font-weight: 400"><i>
|
||||
"It is easier to post a problem than to use your own brain" -- </i>
|
||||
"<font size="3">It is easier to post a problem than to use your own brain"
|
||||
</font>-- </i>
|
||||
<font size="2">Weitse Venema (creator of Postfix)</font></span></h3>
|
||||
</blockquote>
|
||||
|
||||
<p align="left"> <i>"Any sane computer with tell you how it works -- you just
|
||||
have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
|
||||
|
||||
<h3 align="left">Before Reporting a Problem</h3>
|
||||
<p>There are a number of sources for problem solution information.</p>
|
||||
<ul>
|
||||
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
|
||||
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information contains a
|
||||
number of tips to help you solve common problems.</li>
|
||||
<li>The <a href="errata.htm"> Errata</a> has links to download updated
|
||||
components.</li>
|
||||
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
|
||||
<li>The Mailing List Archives are a useful source of problem solving
|
||||
information.</li>
|
||||
</ul>
|
||||
@ -116,7 +118,7 @@ to respond promptly to mailing list posts. <a href="mailto:teastep@s
|
||||
<p>To Subscribe to the mailing list go to <a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
|
||||
.</p>
|
||||
|
||||
<p align="left"><font size="2">Last Updated 8/17/2002 - Tom
|
||||
<p align="left"><font size="2">Last Updated 8/24`/2002 - Tom
|
||||
Eastep</font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
|
||||
|
||||
@ -55,6 +55,9 @@ utilities.</p>
|
||||
normally not required as Shorewall's method of clearing qdisc and filter
|
||||
definitions is pretty general.</li>
|
||||
</ul>
|
||||
<h3 align="left">Kernel Configuration</h3>
|
||||
<p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
|
||||
<p align="center"><img border="0" src="images/QoS.png" width="590" height="764"></p>
|
||||
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
|
||||
<p align="left">The fwmark classifier provides a convenient way to classify
|
||||
packets for traffic shaping. The /etc/shorewall/tcrules file provides a means
|
||||
@ -200,7 +203,7 @@ use to others.</p>
|
||||
configuration</a> to get an idea of why I want these particular rules.<font face="Courier" size="2"><br>
|
||||
</font></p>
|
||||
</blockquote>
|
||||
<p><font size="2">Last Updated 6/18/2002 - <a href="support.htm">Tom
|
||||
<p><font size="2">Last Updated 8/24/2002 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
|
||||
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=1.3.7
|
||||
VERSION=1.3.7b
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
||||
@ -54,7 +54,7 @@
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.3.7
|
||||
VERSION=1.3.7b
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 1.3.7
|
||||
%define version 1.3.7b
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -76,6 +76,10 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Mon Aug 26 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.7b
|
||||
* Thu Aug 22 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.7a
|
||||
* Thu Aug 22 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.7
|
||||
* Sun Aug 04 2002 Tom Eastep <tom@shorewall.net>
|
||||
|
||||
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=1.3.7
|
||||
VERSION=1.3.7b
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
||||
Loading…
Reference in New Issue
Block a user