mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 06:10:42 +01:00
More Traffic Shaping Updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2843 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent a03de5f61a
commit a7511e1469
@ -151,11 +151,10 @@

<itemizedlist>
<listitem>
<para>Set <emphasis role="bold">TC_ENABLED</emphasis> to No in
/etc/shorewall/shorewall.conf. While that seems a bit illogical, it is
done for compatibility with previous releases where TC_ENABLED=Yes
causes Shorewall to look for an external tcstart file (See <link
linkend="tcstart">a later section</link> for details).</para>
<para>Set <emphasis role="bold">TC_ENABLED</emphasis> to "Internal" in
/etc/shorewall/shorewall.conf. Setting TC_ENABLED=Yes causes Shorewall
to look for an external tcstart file (See <link linkend="tcstart">a
later section</link> for details).</para>
</listitem>

<listitem>
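Review bot: the replacement paragraph contradicts the upgrade notes added in the -61,6 +61,149 hunk of this same commit. Here the reader is told to set TC_ENABLED to "Internal" (and that TC_ENABLED=Yes selects an external tcstart file), while the upgrade notes state that a new TC_SCRIPT option replaces TC_ENABLED and that the internal shaper is used whenever TC_SCRIPT is unset. Pick one option name and describe it identically in both places; as written, a user following this section sets a variable the release notes say no longer exists. The `<link linkend="tcstart">` cross-reference is kept in the new text, so that link still resolves.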
@ -519,14 +518,12 @@ NOPRIOHOSTDST=60.0.0.0/24
NOPRIOPORTSRC="6662 6663"

# low priority destination ports
NOPRIOPORTDST="6662 6663"
</programlisting>
NOPRIOPORTDST="6662 6663" </programlisting>

<para>This would result in the following additional settings to the
tcrules file:</para>

<programlisting>
3 192.168.1.128/25 0.0.0.0/0 all
<programlisting>3 192.168.1.128/25 0.0.0.0/0 all
3 192.168.3.28 0.0.0.0/0 all
3 0.0.0.0/0 60.0.0.0/24 all
3 0.0.0.0/0 0.0.0.0/0 udp 6662,6663
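Review bot: the new line `NOPRIOPORTDST="6662 6663" </programlisting>` keeps a space before the closing tag, which DocBook renders as trailing whitespace on the last line of the listing; write it as `NOPRIOPORTDST="6662 6663"</programlisting>`. Folding `</programlisting>` onto the last content line and `<programlisting>` onto the first (`<programlisting>3 192.168.1.128/25 0.0.0.0/0 all`) is otherwise the right fix, since it removes the blank lines a verbatim element would otherwise render at its top and bottom.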
@ -61,6 +61,149 @@
command to see the groups associated with each of your zones.</para>
</section>

<section>
<title>Version >= 3.0.0</title>

<para></para>

<orderedlist>
<listitem>
<para>The "monitor" command has been eliminated.</para>
</listitem>

<listitem>
<para>The "DISPLAY" and "COMMENTS" columns in the /etc/shorewall/zones
file have been removed and have been replaced by the former columns of
the /etc/shorewall/ipsec file. The latter file has been
removed.</para>

<para>Additionally the FW option in shorewall.conf has been deprecated
and is no longer set to 'fw' by default. New users are expected to
define the firewall zone in /etc/shorewall/zones.</para>

<para>Adhering to the principle of least astonishment, the old
<filename>/etc/shorewall/ipsec</filename> file will continue to be
supported. A new IPSECFILE variable in /etc/shorewall/shorewall.conf
determines the name of the file that Shorewall looks in for IPSEC
information. If that variable is not set or is set to the empty value
then IPSECFILE=ipsec is assumed. So if you simply upgrade and don't do
something idiotic like replace your current shorewall.conf file with
the new one, your old configuration will continue to work. A dummy
'ipsec' file is included in the release so that your package manager
(e.g., rpm) won't remove your existing file.</para>

<para>The shorewall.conf file included in this release sets
IPSECFILE=zones so that new users are expected to use the <ulink
url="Documentation.htm#Zones">new zone file format</ulink>.</para>
</listitem>

<listitem>
<para>The DROPINVALID option has been removed from shorewall.conf. The
behavior will be as if DROPINVALID=No had been specified. If you wish
to drop invalid state packets, use the dropInvalid built-in
action.</para>
</listitem>

<listitem>
<para>The 'nobogons' interface and hosts option as well as the
BOGON_LOG_LEVEL option have been eliminated.</para>
</listitem>

<listitem>
<para>Most of the standard actions have been replaced by parameterized
macros (see below). So for example, the action.AllowSMTP and
action.DropSMTP have been removed an a parameterized macro macro.SMTP
has been added to replace them.</para>

<para>In order that current users don't have to immediately update
their rules and user-defined actions, Shorewall can substitute an
invocation of the a new macro for an existing invocation of one of the
old actions. So if your rules file calls AllowSMTP, Shorewall will
replace that call with SMTP/ACCEPT. Because this substitution is
expensive, it is conditional based on the setting of MAPOLDACTIONS in
shorewall.conf. If this option is set to YES or if it is not set (such
as if you are using your old shorewall.conf file) then Shorewall will
perform the substitution. Once you have converted to use the new
macros, you can set MAPOLDACTIONS=No and invocations of those actions
will go much quicker during 'shorewall [re]start'.</para>
</listitem>

<listitem>
<para>The STATEDIR variable in /etc/shorewall/shorewall.conf has been
removed. STATEDIR is now fixed at /var/lib/shorewall. If you have
previously set STATEDIR to another directory, please copy the files
from that directory to /var/lib/shorewall/ before [re]starting
Shorewall after the upgrade to this version.</para>
</listitem>

<listitem>
<para>The "shorewall status" command now just gives the status of
Shorewall (started or not-started). The previous status command has
been renamed "dump". The command also shows the state relative to the
state diagram at <ulink
url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink>.
In addition to the state, the time and date at which that state was
entered is shown.</para>

<para>Note that at least one "shorewall [re]start" must be issued
after upgrading to this release before "shorewall status" will show
anything but "Unknown" for the state.</para>
</listitem>

<listitem>
<para>The "shorewall forget" command now removes the dynamic blacklist
save file (/var/lib/shorewall/save).</para>
</listitem>

<listitem>
<para> In previous versions of Shorewall, the rules generated by
entries in <filename>/etc/shorewall/tunnels</filename> preceded those
rules generated by entries in
<filename>/etc/shorewall/rules</filename>. Beginning with this
release, the rules generated by entries in the tunnels file will
appear *AFTER* the rules generated by the rules file. This may cause
you problems if you have REJECT, DENY or CONTINUE rules in your rules
file that would cause the tunnel transport packets to not reach the
rules that ACCEPT them. See <ulink
url="http://www.shorewall.net/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
for information on the rules generated by entries in the tunnels
file.</para>
</listitem>

<listitem>
<para>The NEWNOTSYN and LOGNEWNOTSYN options in shorewall.conf have
been removed as have the 'newnotsyn' options in
<filename>/etc/shorewall/interfaces</filename> and
<filename>/etc/shorewall/hosts</filename>.</para>

<para>TCP new-not-syn packets may be blocked using the 'dropNonSyn' or
'rejNonSyn' built-in actions.</para>

<para>Example: Reject all new-not-syn packets from the net and log
them at the 'info' level.</para>

<programlisting>#ACTION SOURCE DEST PROTO
SECTION NEW
rejNonSyn:info net all tcp</programlisting>

<para>Note that the rule is added at the front of the NEW section of
the rules file.</para>
</listitem>

<listitem>
<para>A new TC_SCRIPT option replaces TC_ENABLED in shorewall.conf. If
the option is not set then the internal shaper (tc4shorewall by Arne
Bernin) is used. Otherwise, the script named in the variable is
used.</para>

<para>Users who currently use an
<filename>/etc/shorewall/tcstart</filename> file and wish to continue
to do so should set TC_SCRIPT=/etc/shorewall/tcstart in
shorewall.conf.</para>
</listitem>
</orderedlist>
</section>

<section>
<title>Version >= 2.4.0</title>

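Review bot: the empty `<para></para>` directly under `<title>Version >= 3.0.0</title>` renders as an empty paragraph; either put the intended introduction there or delete it. Two typos in the macros item: "have been removed an a parameterized macro" should read "removed and a parameterized macro", and "invocation of the a new macro" should read "invocation of a new macro". MAPOLDACTIONS is written as "YES" in one sentence and "No" in the next; use one casing. The zones link uses the relative URL "Documentation.htm#Zones" while the other two ulinks in this hunk are absolute http://shorewall.net/ URLs, so it breaks whenever the document is rendered anywhere but the site root. "don't do something idiotic like replace your current shorewall.conf" reads as hostile in release notes; "do not replace your current shorewall.conf" says the same. Lastly, the TC_SCRIPT item says TC_SCRIPT replaces TC_ENABLED, while the -151,11 +151,10 hunk of this commit tells users to set TC_ENABLED to "Internal"; the two descriptions need to agree.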