mirror of
https://gitlab.com/shorewall/code.git
synced 2025-08-09 07:31:00 +02:00
Shorewall-1.4.7
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@756 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
@ -99,44 +99,131 @@ QuickStart Guide</a> for
|
||||
details.
|
||||
<h2></h2>
|
||||
<h2><b>News</b></h2>
|
||||
<p><b>8/9/2003 - Snapshot 1.4.6_20030809</b><b> <img
|
||||
<b>10/06/2003 - Shorewall 1.4.7</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="images/new10.gif" alt="(New)" title=""></b><b> </b></p>
|
||||
<blockquote>
|
||||
<p><a href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots/</a><br>
|
||||
<a href="ftp://shorewall.net/pub/shorewall/Snapshots/"
|
||||
target="_top">ftp://shorewall.net/pub/shorewall/Snapshots/</a></p>
|
||||
</blockquote>
|
||||
<b>Problems Corrected since version 1.4.6</b><br>
|
||||
src="images/new10.gif" alt="(New)" title=""></b><br>
|
||||
<b><br>
|
||||
Problems Corrected since version 1.4.6 (Those in bold font
|
||||
were corrected since 1.4.7 RC2).</b><br>
|
||||
<ol>
|
||||
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
|
||||
variable was being tested before it was set.</li>
|
||||
<li>Corrected handling of MAC addresses in the SOURCE column of
|
||||
the tcrules file. Previously, these addresses resulted in an invalid
|
||||
iptables command.</li>
|
||||
<li>The
|
||||
"shorewall stop" command is now disabled when
|
||||
<li>The "shorewall stop" command is now disabled when
|
||||
/etc/shorewall/startup_disabled exists. This prevents people from
|
||||
shooting themselves in the foot prior to having configured Shorewall.</li>
|
||||
<li>A change introduced in version 1.4.6 caused error messages
|
||||
during
|
||||
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
|
||||
being added to a PPP interface; the addresses were successfully added
|
||||
in spite of the messages.<br>
|
||||
during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
|
||||
were being added to a PPP interface; the addresses were successfully
|
||||
added in spite of the messages.<br>
|
||||
<br>
|
||||
The firewall script has been modified to eliminate the error messages<br>
|
||||
The firewall script has been modified to eliminate the error messages</li>
|
||||
<li>Interface-specific dynamic blacklisting chains are
|
||||
now displayed by "shorewall monitor" on the "Dynamic Chains" page
|
||||
(previously named "Dynamic Chain").</li>
|
||||
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
|
||||
<li value="7">The 'shorewall reject'
|
||||
and
|
||||
'shorewall drop' commands now delete any existing rules for the subject
|
||||
IP address before adding a new DROP or REJECT rule. Previously, there
|
||||
could be many rules for the same IP address in the dynamic chain so
|
||||
that multiple 'allow' commands were required to re-enable traffic
|
||||
to/from the address.</li>
|
||||
<li>When ADD_SNAT_ALIASES=Yes in
|
||||
shorewall.conf, the following entry in /etc/shorewall/masq resulted in
|
||||
a startup error:<br>
|
||||
<br>
|
||||
eth0 eth1
|
||||
206.124.146.20-206.124.146.24<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Shorewall previously choked over
|
||||
IPV6
|
||||
addresses configured on interfaces in contexts where Shorewall needed
|
||||
to detect something about the interface (such as when "detect" appears
|
||||
in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
|
||||
<li>Shorewall will now load
|
||||
module files that are formed from the module name by appending ".o.gz".</li>
|
||||
<li>When Shorewall adds a route to a
|
||||
proxy
|
||||
ARP host and such a route already exists, two routes resulted
|
||||
previously. This has been corrected so that the existing route is
|
||||
replaced if it already exists.</li>
|
||||
<li>The rfc1918 file has been
|
||||
updated to reflect recent allocations.</li>
|
||||
<li>The documentation of the
|
||||
USER SET column in the rules file has been corrected.</li>
|
||||
<li>If there is no policy
|
||||
defined for
|
||||
the zones specified in a rule, the firewall script previously
|
||||
encountered a shell syntax error:<br>
|
||||
|
||||
<br>
|
||||
[: NONE: unexpected operator<br>
|
||||
|
||||
<br>
|
||||
Now, the absence of a policy generates an error message and the
|
||||
firewall is stopped:<br>
|
||||
|
||||
<br>
|
||||
No policy defined from zone
|
||||
<source> to zone <dest><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Previously, if neither
|
||||
/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
|
||||
would fail to start and would not remove the lock file. Failure to
|
||||
remove the lock file resulted in the following during subsequent
|
||||
attempts to start:<br>
|
||||
|
||||
<br>
|
||||
Loading /usr/share/shorewall/functions...<br>
|
||||
Processing /etc/shorewall/params ...<br>
|
||||
Processing /etc/shorewall/shorewall.conf...<br>
|
||||
Giving up on lock file /var/lib/shorewall/lock<br>
|
||||
Shorewall Not Started<br>
|
||||
<br>
|
||||
Shorewall now reports a fatal error if neither of these two files exist
|
||||
and correctly removes the lock fille.</li>
|
||||
<li>The order of processing
|
||||
the
|
||||
various options has been changed such that blacklist entries now take
|
||||
precedence over the 'dhcp' interface setting.</li>
|
||||
<li>The log message generated
|
||||
from the
|
||||
'logunclean' interface option has been changed to reflect a disposition
|
||||
of LOG rather than DROP.</li>
|
||||
<li><span style="font-weight: bold;">When a user name and/or a
|
||||
group
|
||||
name was specified in the USER SET column and the destination zone was
|
||||
qualified with a IP address, the user and/or group name was not being
|
||||
used to qualify the rule.<br>
|
||||
<br>
|
||||
Example:<br>
|
||||
<br>
|
||||
ACCEPT fw net:192.0.2.12 tcp 23 - - - vladimir:<br>
|
||||
<br>
|
||||
</span></li>
|
||||
<li><span style="font-weight: bold;">The /etc/shorewall/masq
|
||||
file has had the spurious "/" character at the front removed.</span></li>
|
||||
</ol>
|
||||
<b>Migration Issues:</b><br>
|
||||
<ol>
|
||||
<li>Once you have installed this version of Shorewall, you must
|
||||
restart Shorewall before you may use the 'drop', 'reject', 'allow' or
|
||||
'save' commands.</li>
|
||||
<li>To maintain strict compatibility with previous versions,
|
||||
current uses of "shorewall drop" and "shorewall reject" should be
|
||||
replaced with "shorewall dropall" and "shorewall rejectall" </li>
|
||||
<li>Shorewall IP Traffic Accounting has changed since snapshot
|
||||
20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
|
||||
details.</li>
|
||||
<li>The Uset Set capability introduced in SnapShot 20030821 has
|
||||
changed -- see the <a href="UserSets.html">User Set page</a> for
|
||||
details.</li>
|
||||
<li>The
|
||||
per-interface Dynamic Blacklisting facility introduced in the first
|
||||
post-1.4.6 Snapshot has been removed. The facility had too many
|
||||
idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<b>New Features:</b><br>
|
||||
<b></b><b>New Features:</b><br>
|
||||
<ol>
|
||||
<li>Shorewall now creates a dynamic blacklisting chain for each
|
||||
interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
|
||||
@ -191,10 +278,9 @@ stop".
|
||||
As part of its stop processing, Shorewall removes eth0:0 which kills my
|
||||
SSH
|
||||
connection to 192.168.1.5!!!</li>
|
||||
<li>Given
|
||||
the wide range of VPN software, I can never hope to add specific
|
||||
support for all of it. I have therefore decided to add "generic" tunnel
|
||||
support.<br>
|
||||
<li>Given the wide range of VPN software, I can never hope to
|
||||
add specific support for all of it. I have therefore decided to add
|
||||
"generic" tunnel support.<br>
|
||||
<br>
|
||||
Generic tunnels work pretty much like any of the other tunnel types.
|
||||
You usually add a zone to represent the systems at the other end of the
|
||||
@ -218,9 +304,8 @@ the remote tunnel gateway<br>
|
||||
<ip address> is the IP
|
||||
address of the remote tunnel gateway.<br>
|
||||
<gateway zone>
|
||||
Optional. A comma-separated list of zone
|
||||
names. If specified, the remote gateway is to be considered part of
|
||||
these zones.</li>
|
||||
Optional. A comma-separated list of zone names. If specified, the
|
||||
remote gateway is to be considered part of these zones.</li>
|
||||
<li>An 'arp_filter' option has been added to the
|
||||
/etc/shorewall/interfaces file. This option causes
|
||||
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
|
||||
@ -230,9 +315,94 @@ facilitates testing of your firewall where multiple firewall interfaces
|
||||
are connected to the same HUB/Switch (all interfaces connected to the
|
||||
single HUB/Switch should have this option specified). Note that using
|
||||
such a configuration in a production environment is strongly
|
||||
recommended against.<br>
|
||||
recommended against.</li>
|
||||
<li>The ADDRESS column in /etc/shorewall/masq may now include a
|
||||
comma-separated list of addresses and/or address ranges. Netfilter will
|
||||
use all listed addresses/ranges in round-robin fashion. \</li>
|
||||
<li>An /etc/shorewall/accounting file has been added to allow
|
||||
for traffic accounting. See the <a href="Accounting.html">accounting
|
||||
documentation</a> for a description of this facility.</li>
|
||||
<li>Bridge interfaces (br[0-9]) may now be used in
|
||||
/etc/shorewall/maclist.</li>
|
||||
<li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
|
||||
/etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
|
||||
rules, rate limiting occurs in the nat table DNAT rule; the
|
||||
corresponding ACCEPT rule in the filter table is not rate limited. If
|
||||
you want to limit the filter table rule, you will need o create two
|
||||
rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
|
||||
separately.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Warning: </span>When rate
|
||||
limiting is specified on a rule with "all" in the SOURCE or DEST
|
||||
fields, the limit will apply to each pair of zones individually rather
|
||||
than as a single limit for all pairs of covered by the rule.<br>
|
||||
<br>
|
||||
To specify a rate limit, <br>
|
||||
<br>
|
||||
a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
|
||||
<br>
|
||||
<
|
||||
<rate>/<interval>[:<burst>] ><br>
|
||||
<br>
|
||||
|
||||
where<br>
|
||||
<br>
|
||||
<rate> is the sustained rate per
|
||||
<interval><br>
|
||||
<interval> is "sec" or "min"<br>
|
||||
<burst> is the largest burst
|
||||
accepted within an <interval>. If not given, the default of 5 is
|
||||
assumed.<br>
|
||||
<br>
|
||||
There may be no white space between the ACTION and "<" nor there may
|
||||
be any white space within the burst specification. If you want to
|
||||
specify logging of a rate-limited rule, the ":" and log level comes
|
||||
after the ">" (e.g., ACCEPT<2/sec:4>:info ).<br>
|
||||
<br>
|
||||
b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
|
||||
file. You may specify the rate limit there in the format:<br>
|
||||
<br>
|
||||
|
||||
<rate>/<interval>[:<burst>]<br>
|
||||
<br>
|
||||
Let's take an example:<br>
|
||||
<br>
|
||||
|
||||
ACCEPT<2/sec:4>
|
||||
net dmz
|
||||
tcp 80<br>
|
||||
<br>
|
||||
The first time this rule is reached, the packet will be accepted; in
|
||||
fact, since the burst is 4, the first four packets will be accepted.
|
||||
After this, it will be 500ms (1 second divided by the rate<br>
|
||||
of 2) before a packet will be accepted from this rule, regardless of
|
||||
how many packets reach it. Also, every 500ms which passes without
|
||||
matching a packet, one of the bursts will be regained; if no packets
|
||||
hit the rule for 2 second, the burst will be fully recharged; back
|
||||
where we started.<br>
|
||||
</li>
|
||||
<li>Multiple chains may now be displayed in one "shorewall
|
||||
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
||||
<li>Output rules (those with $FW as the SOURCE) may now be
|
||||
limited to a set of local users and/or groups. See <a
|
||||
href="UserSets.html">http://shorewall.net/UserSets.html</a> for
|
||||
details.</li>
|
||||
</ol>
|
||||
<p><b>8/27/2003 - Shorewall Mirror in Australia </b></p>
|
||||
<p>Thanks to Dave Kempe and Solutions First (<a
|
||||
href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
|
||||
there is now a Shorewall Mirror in Australia:</p>
|
||||
<div style="margin-left: 40px;"><a
|
||||
href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><br>
|
||||
<font size="3"><a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font></div>
|
||||
<p><b>8/26/2003 - French Version of the Shorewall Setup
|
||||
Guide </b></p>
|
||||
Thanks to Fabien <font size="3">Demassieux, there is now a <a
|
||||
href="shorewall_setup_guide_fr.htm">French translation of the
|
||||
Shorewall Setup Guide</a>. Merci Beacoup, Fabien!</font> <b>9/15/2003
|
||||
- Shorewall 1.4.7 Beta 2</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="file:///vfat/Shorewall-docs/images/new10.gif" alt="(New)" title=""></b>
|
||||
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="images/new10.gif" alt="(New)" title=""> <br>
|
||||
@ -333,7 +503,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p><font size="2">Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<br>
|
||||
</p>
|
||||
</body>
|
||||
|
||||
Reference in New Issue
Block a user