Remove E/R policy mention from the Release Notes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2652 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-09-09 13:56:05 +00:00
parent 9ea67a6975
commit a7691e8182

@ -236,19 +236,7 @@ New Features in Shorewall 2.5.*
1) Error and warning messages are made easier to spot by using 1) Error and warning messages are made easier to spot by using
capitalization (e.g., ERROR: and WARNING:). capitalization (e.g., ERROR: and WARNING:).
2) Beginning with this version, the POLICY column in 2) A new option 'critical' has been added to
/etc/shorewall/policy can potentially contain two policies separated
by ":". The first policy is the policy for new connections (the only
policy that you can currently configure). The second policy is for
ESTABLISHED packets (those that are part of an established
connection) and must be either ACCEPT (the default) or QUEUE. So if
the policy column contains DROP:QUEUE then new connection requests
are dropped by default but packets that are part of an established
connection are sent to the QUEUE target. RELATED state packets are
always ACCEPTED so that ICMPs (which are almost always RELATED)
won't go through QUEUE.
3) A new option 'critical' has been added to
/etc/shorewall/routestopped. This option can be used to enable /etc/shorewall/routestopped. This option can be used to enable
communication with a host or set of hosts during the entire communication with a host or set of hosts during the entire
"shorewall [re]start/stop" process. Listing a host with this option "shorewall [re]start/stop" process. Listing a host with this option
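Review bot: The removal of old item 2 (the ":"-separated POLICY column, e.g. DROP:QUEUE) is not explained by the commit message, which says only that the mention is removed. Please state in the message whether /etc/shorewall/policy still accepts the two-policy form, because anyone who followed the earlier notes and sends ESTABLISHED packets to QUEUE needs to know whether that entry is now rejected or handled differently. Deleting the item also renumbers every later entry (3 through 19 become 2 through 18), so anything that refers to these items by number needs rechecking.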
@ -271,7 +259,7 @@ New Features in Shorewall 2.5.*
(www.crossbeam.com). You will want to list the Crossbeam interface (www.crossbeam.com). You will want to list the Crossbeam interface
in this option in this option
4) A new 'macro' feature has been added. 3) A new 'macro' feature has been added.
Macros are very similar to actions and can be used in similar Macros are very similar to actions and can be used in similar
ways. The differences between actions and macros are as follows: ways. The differences between actions and macros are as follows:
@ -342,13 +330,13 @@ New Features in Shorewall 2.5.*
actions. Macros that are invoked from actions cannot themselves actions. Macros that are invoked from actions cannot themselves
invoke other actions. invoke other actions.
5) If you have 'make' installed on your firewall, then when you use 4) If you have 'make' installed on your firewall, then when you use
the '-f' option to 'shorewall start' (as happens when you reboot), the '-f' option to 'shorewall start' (as happens when you reboot),
if your /etc/shorewall/ directory contains files that were modified if your /etc/shorewall/ directory contains files that were modified
after Shorewall was last restarted then Shorewall is started using after Shorewall was last restarted then Shorewall is started using
the config files rather than using the saved configuration. the config files rather than using the saved configuration.
6) The 'arp_ignore' option has been added to /etc/shorewall/interfaces 5) The 'arp_ignore' option has been added to /etc/shorewall/interfaces
entries. This option sets entries. This option sets
/proc/sys/net/ipv4/conf/<interface>/arp_ignore. By default, the /proc/sys/net/ipv4/conf/<interface>/arp_ignore. By default, the
option sets the value to 1. You can also write arp_ignore=<value> option sets the value to 1. You can also write arp_ignore=<value>
@ -372,7 +360,7 @@ New Features in Shorewall 2.5.*
WARNING -- DO NOT SPECIFY arp_ignore FOR ANY INTERFACE INVOLVED IN WARNING -- DO NOT SPECIFY arp_ignore FOR ANY INTERFACE INVOLVED IN
PROXY ARP. PROXY ARP.
7) In /etc/shorewall/rules, "all+" in the SOURCE or DEST column works 6) In /etc/shorewall/rules, "all+" in the SOURCE or DEST column works
like "all" but also includes intrazone traffic. So the rule: like "all" but also includes intrazone traffic. So the rule:
ACCEPT loc all+ tcp 22 ACCEPT loc all+ tcp 22
@ -383,7 +371,7 @@ New Features in Shorewall 2.5.*
does not. does not.
8) A new FASTACCEPT option has been added to shorewall.conf. 7) A new FASTACCEPT option has been added to shorewall.conf.
Normally, Shorewall accepting ESTABLISHED/RELATED packets until Normally, Shorewall accepting ESTABLISHED/RELATED packets until
these packets reach the chain in which the original connection was these packets reach the chain in which the original connection was
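Review bot: In the renumbered FASTACCEPT item, the context sentence "Normally, Shorewall accepting ESTABLISHED/RELATED packets until" has no main verb, so the default behaviour it is meant to describe is unclear. Since every entry is being touched for renumbering anyway, reword it here; readers rely on this sentence to understand what changes about where these packets are accepted when the option is set.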
@ -396,10 +384,10 @@ New Features in Shorewall 2.5.*
FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or
RELATED sections of /etc/shorewall/rules. RELATED sections of /etc/shorewall/rules.
9) Shorewall now generates an error if the 'norfc1918' option is 8) Shorewall now generates an error if the 'norfc1918' option is
specified for an interface with an RFC 1918 address. specified for an interface with an RFC 1918 address.
10) You may now specify "!" followed by a list of addresses in the 9) You may now specify "!" followed by a list of addresses in the
SOURCE and DEST columns of entries in /etc/shorewall/rules, SOURCE and DEST columns of entries in /etc/shorewall/rules,
/etc/shorewall/tcrules and in action files and Shorewall will /etc/shorewall/tcrules and in action files and Shorewall will
generate the rule that you expect. generate the rule that you expect.
@ -421,19 +409,19 @@ New Features in Shorewall 2.5.*
That rule would allow loc->net HTTP access from the local That rule would allow loc->net HTTP access from the local
network 10.0.0.0/24 except for hosts 10.0.0.4 and 10.0.0.22. network 10.0.0.0/24 except for hosts 10.0.0.4 and 10.0.0.22.
11) You may now specify "!" followed by a list of addresses in the 10) You may now specify "!" followed by a list of addresses in the
SOURCE and DEST columns of entries in /etc/shorewall/tcrules and SOURCE and DEST columns of entries in /etc/shorewall/tcrules and
Shorewall will generate the rule that you expect. Shorewall will generate the rule that you expect.
12) Tunnel types "openvpnserver" and "openvpnclient" have been added 11) Tunnel types "openvpnserver" and "openvpnclient" have been added
to reflect the introduction of client and server OpenVPN to reflect the introduction of client and server OpenVPN
configurations in OpenVPN 2.0. configurations in OpenVPN 2.0.
13) The COMMAND variable is now set to 'restore' in restore 12) The COMMAND variable is now set to 'restore' in restore
scripts. The value of this variable is sometimes of interest to scripts. The value of this variable is sometimes of interest to
programmers providing custom /etc/shorewall/tcstart scripts. programmers providing custom /etc/shorewall/tcstart scripts.
14) Previously, if you defined any intra-zone rule(s) then any traffic 13) Previously, if you defined any intra-zone rule(s) then any traffic
not matching the rule(s) was subject to normal policies (which not matching the rule(s) was subject to normal policies (which
usually turned out to involve the all->all REJECT policy). Now, the usually turned out to involve the all->all REJECT policy). Now, the
intra-zone ACCEPT policy will still be in effect in the presense of intra-zone ACCEPT policy will still be in effect in the presense of
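Review bot: New item 10 ("!" followed by a list of addresses in the SOURCE and DEST columns of /etc/shorewall/tcrules) repeats new item 9, which already names /etc/shorewall/tcrules alongside /etc/shorewall/rules and action files. Consider merging or dropping it while renumbering. The last context line of this hunk also has "presense" for "presence".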
@ -453,7 +441,7 @@ New Features in Shorewall 2.5.*
#SOURCE DEST POLICY LOG LEVEL #SOURCE DEST POLICY LOG LEVEL
loc loc ACCEPT info loc loc ACCEPT info
15) Prior to Shorewall 2.5.3, the rules file only controlled packets in 14) Prior to Shorewall 2.5.3, the rules file only controlled packets in
the Netfilter states NEW and INVALID. Beginning with this release, the Netfilter states NEW and INVALID. Beginning with this release,
the rules file can also deal with packets in the ESTABLISHED and the rules file can also deal with packets in the ESTABLISHED and
RELATED states. RELATED states.
@ -492,12 +480,12 @@ New Features in Shorewall 2.5.*
/etc/shorewall.shorewall.conf then the ESTABLISHED and RELATED /etc/shorewall.shorewall.conf then the ESTABLISHED and RELATED
sections must be empty. sections must be empty.
16) The value 'ipp2p' is once again allowed in the PROTO column of 15) The value 'ipp2p' is once again allowed in the PROTO column of
the rules file. It is recommended that rules specifying 'ipp2p' the rules file. It is recommended that rules specifying 'ipp2p'
only be included in the ESTABLISHED section of the file. only be included in the ESTABLISHED section of the file.
17) Shorewall actions lack a generalized way to pass parameters to an 16) Shorewall actions lack a generalized way to pass parameters to an
extension script associated with an action. To work around this extension script associated with an action. To work around this
lack, some users have used the log tag as a parameter. This works lack, some users have used the log tag as a parameter. This works
but requires that a log level other than 'none' be specified when but requires that a log level other than 'none' be specified when
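Review bot: The first context line of this hunk gives the path as "/etc/shorewall.shorewall.conf". Every other path in these notes is under /etc/shorewall/ and the FASTACCEPT item refers to shorewall.conf, so this looks like a typo for /etc/shorewall/shorewall.conf. Worth correcting in the same pass, since it names the file holding the setting that requires the ESTABLISHED and RELATED sections to be empty.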
@ -520,11 +508,11 @@ New Features in Shorewall 2.5.*
Now, $1 = these, $2 = are and $3 = parameters Now, $1 = these, $2 = are and $3 = parameters
18) The "shorewall check" command now checks the /etc/shorewall/masq, 17) The "shorewall check" command now checks the /etc/shorewall/masq,
/etc/shorewall/blacklist, /etc/shorewall/proxyarp, /etc/shorewall/blacklist, /etc/shorewall/proxyarp,
/etc/shorewall/nat and /etc/shorewall/providers files. /etc/shorewall/nat and /etc/shorewall/providers files.
19) Arne Bernin's "tc4shorewall" package has been integrated into 18) Arne Bernin's "tc4shorewall" package has been integrated into
Shorewall. Arne will be providing documentation and support for Shorewall. Arne will be providing documentation and support for
this part of Shorewall. this part of Shorewall.