More Traffic Shaping Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2843 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-10-09 20:45:05 +00:00
parent a03de5f61a
commit a7511e1469
2 changed files with 149 additions and 9 deletions

View File

@ -151,11 +151,10 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Set <emphasis role="bold">TC_ENABLED</emphasis> to No in <para>Set <emphasis role="bold">TC_ENABLED</emphasis> to "Internal" in
/etc/shorewall/shorewall.conf. While that seems a bit illogical, it is /etc/shorewall/shorewall.conf. Setting TC_ENABLED=Yes causes Shorewall
done for compatibility with previous releases where TC_ENABLED=Yes to look for an external tcstart file (See <link linkend="tcstart">a
causes Shorewall to look for an external tcstart file (See <link later section</link> for details).</para>
linkend="tcstart">a later section</link> for details).</para>
</listitem> </listitem>
<listitem> <listitem>
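Review bot: the rewritten paragraph tells readers to set TC_ENABLED to "Internal" in /etc/shorewall/shorewall.conf, but the release-notes hunk added by this same commit states that "A new TC_SCRIPT option replaces TC_ENABLED in shorewall.conf" and that leaving TC_SCRIPT unset selects the internal shaper. One of the two is stale. If TC_SCRIPT is what ships, this paragraph should instead say to leave TC_SCRIPT unset for the built-in shaper and to set TC_SCRIPT=/etc/shorewall/tcstart when an external tcstart file is wanted, so the tcstart cross-reference and the release notes agree; otherwise a reader following this page sets a variable the release notes say no longer exists.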
@ -519,14 +518,12 @@ NOPRIOHOSTDST=60.0.0.0/24
NOPRIOPORTSRC="6662 6663" NOPRIOPORTSRC="6662 6663"
# low priority destination ports # low priority destination ports
NOPRIOPORTDST="6662 6663" NOPRIOPORTDST="6662 6663" </programlisting>
</programlisting>
<para>This would result in the following additional settings to the <para>This would result in the following additional settings to the
tcrules file:</para> tcrules file:</para>
<programlisting> <programlisting>3 192.168.1.128/25 0.0.0.0/0 all
3 192.168.1.128/25 0.0.0.0/0 all
3 192.168.3.28 0.0.0.0/0 all 3 192.168.3.28 0.0.0.0/0 all
3 0.0.0.0/0 60.0.0.0/24 all 3 0.0.0.0/0 60.0.0.0/24 all
3 0.0.0.0/0 0.0.0.0/0 udp 6662,6663 3 0.0.0.0/0 0.0.0.0/0 udp 6662,6663
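Review bot: the only change in this hunk is moving the opening <programlisting> tag onto the line of `3 192.168.1.128/25 0.0.0.0/0 all` and the closing </programlisting> onto the NOPRIOPORTDST line. Because DocBook preserves whitespace inside programlisting, the old layout rendered a spurious blank line at the start of the tcrules listing and at the end of the variables listing, so this is a rendering fix rather than a no-op; the commit message "More Traffic Shaping Updates" does not convey that, and a one-line mention would save the next reader from wondering why whitespace-only hunks were committed.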

View File

@ -61,6 +61,149 @@
command to see the groups associated with each of your zones.</para> command to see the groups associated with each of your zones.</para>
</section> </section>
<section>
<title>Version &gt;= 3.0.0</title>
<para></para>
<orderedlist>
<listitem>
<para>The "monitor" command has been eliminated.</para>
</listitem>
<listitem>
<para>The "DISPLAY" and "COMMENTS" columns in the /etc/shorewall/zones
file have been removed and have been replaced by the former columns of
the /etc/shorewall/ipsec file. The latter file has been
removed.</para>
<para>Additionally the FW option in shorewall.conf has been deprecated
and is no longer set to 'fw' by default. New users are expected to
define the firewall zone in /etc/shorewall/zones.</para>
<para>Adhering to the principle of least astonishment, the old
<filename>/etc/shorewall/ipsec</filename> file will continue to be
supported. A new IPSECFILE variable in /etc/shorewall/shorewall.conf
determines the name of the file that Shorewall looks in for IPSEC
information. If that variable is not set or is set to the empty value
then IPSECFILE=ipsec is assumed. So if you simply upgrade and don't do
something idiotic like replace your current shorewall.conf file with
the new one, your old configuration will continue to work. A dummy
'ipsec' file is included in the release so that your package manager
(e.g., rpm) won't remove your existing file.</para>
<para>The shorewall.conf file included in this release sets
IPSECFILE=zones so that new users are expected to use the <ulink
url="Documentation.htm#Zones">new zone file format</ulink>.</para>
</listitem>
<listitem>
<para>The DROPINVALID option has been removed from shorewall.conf. The
behavior will be as if DROPINVALID=No had been specified. If you wish
to drop invalid state packets, use the dropInvalid built-in
action.</para>
</listitem>
<listitem>
<para>The 'nobogons' interface and hosts option as well as the
BOGON_LOG_LEVEL option have been eliminated.</para>
</listitem>
<listitem>
<para>Most of the standard actions have been replaced by parameterized
macros (see below). So for example, the action.AllowSMTP and
action.DropSMTP have been removed an a parameterized macro macro.SMTP
has been added to replace them.</para>
<para>In order that current users don't have to immediately update
their rules and user-defined actions, Shorewall can substitute an
invocation of the a new macro for an existing invocation of one of the
old actions. So if your rules file calls AllowSMTP, Shorewall will
replace that call with SMTP/ACCEPT. Because this substitution is
expensive, it is conditional based on the setting of MAPOLDACTIONS in
shorewall.conf. If this option is set to YES or if it is not set (such
as if you are using your old shorewall.conf file) then Shorewall will
perform the substitution. Once you have converted to use the new
macros, you can set MAPOLDACTIONS=No and invocations of those actions
will go much quicker during 'shorewall [re]start'.</para>
</listitem>
<listitem>
<para>The STATEDIR variable in /etc/shorewall/shorewall.conf has been
removed. STATEDIR is now fixed at /var/lib/shorewall. If you have
previously set STATEDIR to another directory, please copy the files
from that directory to /var/lib/shorewall/ before [re]starting
Shorewall after the upgrade to this version.</para>
</listitem>
<listitem>
<para>The "shorewall status" command now just gives the status of
Shorewall (started or not-started). The previous status command has
been renamed "dump". The command also shows the state relative to the
state diagram at <ulink
url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink>.
In addition to the state, the time and date at which that state was
entered is shown.</para>
<para>Note that at least one "shorewall [re]start" must be issued
after upgrading to this release before "shorewall status" will show
anything but "Unknown" for the state.</para>
</listitem>
<listitem>
<para>The "shorewall forget" command now removes the dynamic blacklist
save file (/var/lib/shorewall/save).</para>
</listitem>
<listitem>
<para> In previous versions of Shorewall, the rules generated by
entries in <filename>/etc/shorewall/tunnels</filename> preceded those
rules generated by entries in
<filename>/etc/shorewall/rules</filename>. Beginning with this
release, the rules generated by entries in the tunnels file will
appear *AFTER* the rules generated by the rules file. This may cause
you problems if you have REJECT, DENY or CONTINUE rules in your rules
file that would cause the tunnel transport packets to not reach the
rules that ACCEPT them. See <ulink
url="http://www.shorewall.net/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
for information on the rules generated by entries in the tunnels
file.</para>
</listitem>
<listitem>
<para>The NEWNOTSYN and LOGNEWNOTSYN options in shorewall.conf have
been removed as have the 'newnotsyn' options in
<filename>/etc/shorewall/interfaces</filename> and
<filename>/etc/shorewall/hosts</filename>.</para>
<para>TCP new-not-syn packets may be blocked using the 'dropNonSyn' or
'rejNonSyn' built-in actions.</para>
<para>Example: Reject all new-not-syn packets from the net and log
them at the 'info' level.</para>
<programlisting>#ACTION SOURCE DEST PROTO
SECTION NEW
rejNonSyn:info net all tcp</programlisting>
<para>Note that the rule is added at the front of the NEW section of
the rules file.</para>
</listitem>
<listitem>
<para>A new TC_SCRIPT option replaces TC_ENABLED in shorewall.conf. If
the option is not set then the internal shaper (tc4shorewall by Arne
Bernin) is used. Otherwise, the script named in the variable is
used.</para>
<para>Users who currently use an
<filename>/etc/shorewall/tcstart</filename> file and wish to continue
to do so should set TC_SCRIPT=/etc/shorewall/tcstart in
shorewall.conf.</para>
</listitem>
</orderedlist>
</section>
<section> <section>
<title>Version &gt;= 2.4.0</title> <title>Version &gt;= 2.4.0</title>
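Review bot: the DROPINVALID and NEWNOTSYN/LOGNEWNOTSYN items describe removals whose effect on an upgraded configuration is a silent loss of filtering, and neither item tells the upgrader what to do about it. A user who had DROPINVALID=Yes now gets the behaviour of DROPINVALID=No, and a user who relied on NEWNOTSYN or the 'newnotsyn' interface and hosts options gets no new-not-syn handling at all, unless they add the dropInvalid, dropNonSyn or rejNonSyn built-in actions to their rules file themselves. Both items should state that as an explicit upgrade step, the way the STATEDIR item does for copying files out of the old directory, rather than only naming the replacement actions. Smaller points in the same hunk: the empty <para></para> directly after the <title> should be dropped; "have been removed an a parameterized macro macro.SMTP" should read "have been removed and a parameterized macro macro.SMTP"; "an invocation of the a new macro" has a stray article; and "don't do something idiotic like replace your current shorewall.conf file with the new one" is not a register for release notes, when "do not replace your current shorewall.conf with the one in the package" says the same thing.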