diff --git a/Shorewall-docs2/traffic_shaping.xml b/Shorewall-docs2/traffic_shaping.xml index 98cae9f88..d4e0d2bf0 100644 --- a/Shorewall-docs2/traffic_shaping.xml +++ b/Shorewall-docs2/traffic_shaping.xml @@ -151,11 +151,10 @@ - Set TC_ENABLED to No in - /etc/shorewall/shorewall.conf. While that seems a bit illogical, it is - done for compatibility with previous releases where TC_ENABLED=Yes - causes Shorewall to look for an external tcstart file (See a later section for details). + Set TC_ENABLED to "Internal" in + /etc/shorewall/shorewall.conf. Setting TC_ENABLED=Yes causes Shorewall + to look for an external tcstart file (See a + later section for details). @@ -519,14 +518,12 @@ NOPRIOHOSTDST=60.0.0.0/24 NOPRIOPORTSRC="6662 6663" # low priority destination ports -NOPRIOPORTDST="6662 6663" - +NOPRIOPORTDST="6662 6663" This would result in the following additional settings to the tcrules file: - -3 192.168.1.128/25 0.0.0.0/0 all + 3 192.168.1.128/25 0.0.0.0/0 all 3 192.168.3.28 0.0.0.0/0 all 3 0.0.0.0/0 60.0.0.0/24 all 3 0.0.0.0/0 0.0.0.0/0 udp 6662,6663 diff --git a/Shorewall-docs2/upgrade_issues.xml b/Shorewall-docs2/upgrade_issues.xml index 88c693ce4..49b32c170 100644 --- a/Shorewall-docs2/upgrade_issues.xml +++ b/Shorewall-docs2/upgrade_issues.xml @@ -61,6 +61,149 @@ command to see the groups associated with each of your zones. +
+ Version >= 3.0.0 + + + + + + The "monitor" command has been eliminated. + + + + The "DISPLAY" and "COMMENTS" columns in the /etc/shorewall/zones + file have been removed and have been replaced by the former columns of + the /etc/shorewall/ipsec file. The latter file has been + removed. + + Additionally the FW option in shorewall.conf has been deprecated + and is no longer set to 'fw' by default. New users are expected to + define the firewall zone in /etc/shorewall/zones. + + Adhering to the principle of least astonishment, the old + /etc/shorewall/ipsec file will continue to be + supported. A new IPSECFILE variable in /etc/shorewall/shorewall.conf + determines the name of the file that Shorewall looks in for IPSEC + information. If that variable is not set or is set to the empty value + then IPSECFILE=ipsec is assumed. So if you simply upgrade and don't do + something idiotic like replace your current shorewall.conf file with + the new one, your old configuration will continue to work. A dummy + 'ipsec' file is included in the release so that your package manager + (e.g., rpm) won't remove your existing file. + + The shorewall.conf file included in this release sets + IPSECFILE=zones so that new users are expected to use the new zone file format. + + + + The DROPINVALID option has been removed from shorewall.conf. The + behavior will be as if DROPINVALID=No had been specified. If you wish + to drop invalid state packets, use the dropInvalid built-in + action. + + + + The 'nobogons' interface and hosts option as well as the + BOGON_LOG_LEVEL option have been eliminated. + + + + Most of the standard actions have been replaced by parameterized + macros (see below). So for example, the action.AllowSMTP and + action.DropSMTP have been removed an a parameterized macro macro.SMTP + has been added to replace them. 
+ + In order that current users don't have to immediately update + their rules and user-defined actions, Shorewall can substitute an + invocation of the a new macro for an existing invocation of one of the + old actions. So if your rules file calls AllowSMTP, Shorewall will + replace that call with SMTP/ACCEPT. Because this substitution is + expensive, it is conditional based on the setting of MAPOLDACTIONS in + shorewall.conf. If this option is set to YES or if it is not set (such + as if you are using your old shorewall.conf file) then Shorewall will + perform the substitution. Once you have converted to use the new + macros, you can set MAPOLDACTIONS=No and invocations of those actions + will go much quicker during 'shorewall [re]start'. + + + + The STATEDIR variable in /etc/shorewall/shorewall.conf has been + removed. STATEDIR is now fixed at /var/lib/shorewall. If you have + previously set STATEDIR to another directory, please copy the files + from that directory to /var/lib/shorewall/ before [re]starting + Shorewall after the upgrade to this version. + + + + The "shorewall status" command now just gives the status of + Shorewall (started or not-started). The previous status command has + been renamed "dump". The command also shows the state relative to the + state diagram at http://shorewall.net/starting_and_stopping_shorewall.htm. + In addition to the state, the time and date at which that state was + entered is shown. + + Note that at least one "shorewall [re]start" must be issued + after upgrading to this release before "shorewall status" will show + anything but "Unknown" for the state. + + + + The "shorewall forget" command now removes the dynamic blacklist + save file (/var/lib/shorewall/save). + + + + In previous versions of Shorewall, the rules generated by + entries in /etc/shorewall/tunnels preceded those + rules generated by entries in + /etc/shorewall/rules. 
Beginning with this + release, the rules generated by entries in the tunnels file will + appear *AFTER* the rules generated by the rules file. This may cause + you problems if you have REJECT, DENY or CONTINUE rules in your rules + file that would cause the tunnel transport packets to not reach the + rules that ACCEPT them. See http://www.shorewall.net/VPNBasics.html + for information on the rules generated by entries in the tunnels + file. + + + + The NEWNOTSYN and LOGNEWNOTSYN options in shorewall.conf have + been removed as have the 'newnotsyn' options in + /etc/shorewall/interfaces and + /etc/shorewall/hosts. + + TCP new-not-syn packets may be blocked using the 'dropNonSyn' or + 'rejNonSyn' built-in actions. + + Example: Reject all new-not-syn packets from the net and log + them at the 'info' level. + + #ACTION SOURCE DEST PROTO +SECTION NEW +rejNonSyn:info net all tcp + + Note that the rule is added at the front of the NEW section of + the rules file. + + + + A new TC_SCRIPT option replaces TC_ENABLED in shorewall.conf. If + the option is not set then the internal shaper (tc4shorewall by Arne + Bernin) is used. Otherwise, the script named in the variable is + used. + + Users who currently use an + /etc/shorewall/tcstart file and wish to continue + to do so should set TC_SCRIPT=/etc/shorewall/tcstart in + shorewall.conf. + + +
+
Version >= 2.4.0
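Review bot: the traffic_shaping.xml hunk (@@ -151) now tells users to "Set TC_ENABLED to "Internal"", but the upgrade_issues.xml hunk in this same commit says "A new TC_SCRIPT option replaces TC_ENABLED in shorewall.conf" and that the internal shaper (tc4shorewall) is used when TC_SCRIPT is not set. One of the two files is wrong about which variable selects the built-in shaper; align them (for example "Leave TC_SCRIPT unset in /etc/shorewall/shorewall.conf to use the internal shaper") and fix the leftover sentence "Setting TC_ENABLED=Yes causes Shorewall to look for an external tcstart file", which per the upgrade notes should read "set TC_SCRIPT=/etc/shorewall/tcstart".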
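Review bot: the tcrules example in the second traffic_shaping.xml hunk (@@ -519) only gets a whitespace realignment of "3 192.168.1.128/25 0.0.0.0/0 all"; while the block is being touched, add a column header comment naming the MARK, SOURCE, DEST, PROTO and port columns above those four lines, as the rejNonSyn example in this commit does with "#ACTION SOURCE DEST PROTO", so a reader can tell that the leading 3 is the mark value and "udp 6662,6663" is PROTO plus destination ports.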
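Review bot: in the upgrade_issues.xml hunk the new-not-syn item should state what happens to TCP new-not-syn packets after the upgrade when no dropNonSyn or rejNonSyn rule is added; NEWNOTSYN, LOGNEWNOTSYN and the 'newnotsyn' interface/hosts options are removed, and a reader who relied on them cannot tell from this text whether such packets are now accepted. The DROPINVALID item is the model to follow, since it spells out the new default ("as if DROPINVALID=No had been specified"). Further points in the same hunk: the TC_SCRIPT item contradicts the traffic_shaping.xml change in this commit that says to set TC_ENABLED to "Internal"; in the tunnels item, "REJECT, DENY or CONTINUE rules" uses DENY, which is not an action name used elsewhere in these docs (DROP looks intended); the macros item has typos ("have been removed an a parameterized macro" -> "and a parameterized macro", "an invocation of the a new macro" -> "of a new macro"); and "don't do something idiotic like replace your current shorewall.conf file with the new one" should be toned down to "unless you replace your current shorewall.conf file with the new one".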