diff --git a/tools/build/build44 b/tools/build/build44 deleted file mode 100755 index 1e01120e2..000000000 --- a/tools/build/build44 +++ /dev/null @@ -1,816 +0,0 @@ -#!/bin/sh -# -# Shorewall Release Processing -- (C) 2003,2004,2005 -- Tom Eastep (teastep@shorewall.net) -# -- (C) 2005,2006 -- Cristian Rodriguez (webmaster@shorewall.net) -# Version : $Id: buildshorewall 9189 2008-12-29 19:55:18Z teastep $ -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# I install this script in /usr/local/bin/makeshorewall. -# -# Usage: -# -# makeshorewall [ -trhxclpsS ] [ ] -# -# -t Build tarball -# -r Build RPM -# -c Build Common -# -l Build Lite -# -L Build 6 Lite -# -6 Build 6 -# -h Build HTML documentation -# -x Build XML documentation -# -# If no options are given, all options are assumed. -# -# If is given, patch files reflecting the differences -# between that version and the current version ( ) are generated. -# The directory ./shorewall- must exist and contain the -# version against which the patch is generated. -################################################################################ -# C O N F I G U R A T I O N -################################################################################ -# -# XSL Stylesheet to use for XML->HTML conversion -# -STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/current/xhtml/docbook.xsl -# -# Directory where the build log will be placed. The log has the name -# shorewall_build_.log -# -LOGDIR=$PWD -# -# Your RPM build directory -# -RPMDIR=~/rpm/ -# -# Directory where you want the release to be built -- must be fully-qualified -# -DIR=$PWD -# -# location and options for GnuPG -# -GPG="/usr/bin/gpg -ab --batch --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'" -# -# SVN Repository -# -SVN=https://shorewall.svn.sourceforge.net/svnroot/shorewall -# -# GIT Repository -# -GIT=~/shorewall/trunk/ -################################################################################ -# V A R I A B L E S -################################################################################ -VERSION= -BASEVERSION= -OLDVERSION= -SHOREWALLDIR= -SHOREWALLLITEDIR= -SOURCEDIR= -SVNBRANCH= -LITESVNBRANCH= -XMLPROJ= -RPMNAME= -LITERPMNAME= -TARBALL= -LITETARBALL= -LOGFILE= -HTMLDIR= -BUILDTARBALL= -BUILDRPM= -BUILDXML= -BUILDHTML= -SAMPLESTAG= -MANPAGETAG= -MANPAGE6TAG= -LITEMANPAGETAG= -LITE6MANPAGETAG= -PERLDIR= -PERLBRANCH= -PERLRPMNAME= -PERLTARBALL= -BUILDCOMMON= -BUILDPERL= -BUILDLITE= -PATCHRELEASE= -PATCHNUM= -BASEURL=http://www.shorewall.net - -SVN6BRANCH= -SAMPLES6TAG= -LITE6SVNBRANCH= -SHOREWALL6DIR= -LITE6DIR= -BUILD6= -BUILD6LITE= -RPM6NAME= -LITE6RPMNAME= -TARBALL6= -LITE6TARBALL= - -################################################################################ -# F U N C T I O N S -################################################################################ -progress_message() -{ - echo >> $LOGFILE - echo "$@" | tee -a $LOGFILE - echo >> $LOGFILE -} - -report() -{ - echo "$@" | tee -a $LOGFILE -} - -do_or_die() -{ - eval $@ || { progress_message "Step \"$*\" FAILED" ; exit 2; } -} - -fatal_error() { - progress_message "$*" - exit 2 -} - -list_search() # $1 = element to search for , $2-$n = list -{ - local e - e=$1 - - while [ $# -gt 1 ]; do - shift - [ "x$e" = "x$1" ] && return 0 - done - - return 1 -} - -# -# It's easy to mis-type the GPG passphrase; this function allows us additional chances to get it right -# -do_rpmbuild() { - while ! rpmbuild --target noarch-linux $@ >> $LOGFILE 2>&1; do - echo "rpmbuild $@ failed" >&2 - echo -n "Retry? Y/n " >&2 - read response - case $response in - Y*|y*) - ;; - *) - [ -n "$response" ] && return 1 - ;; - esac - done - - return 0 -} - -do_buildanrpm() { - progress_message "Building ${1}..." - - cd /tmp - rm -rf ${2}-${BASEVERSION} - do_or_die "cp -a $DIR/${3} ${2}-${BASEVERSION}" - do_or_die "tar -zcf $RPMDIR/SOURCES/${2}-${BASEVERSION}.tgz ${2}-${BASEVERSION}" - cd $DIR - do_or_die "cp ${3}/${2}.spec $RPMDIR/SPECS/" - do_or_die "do_rpmbuild -ba $RPMDIR/SPECS/${2}.spec" - do_or_die cp -a $RPMDIR/RPMS/noarch/${1} . -} - -usage() -{ - echo "usage: $(basename $0) [ -trhxcl6L] [ ]" - exit 2 -} - -do_export() -{ - progress_message "Exporting $1 from Git..." && do_or_die "git --git-dir=$GIT/.git archive --format=tar HEAD $1 | tar -xf - >> $LOGFILE 2>&1" - [ $1 = $2 ] || do_or_die "mv -f $1 $2 >> $LOGFILE 2>&1" -} - -do_manpages() -{ - do_export ${1} manpages - cd manpages - - for f in *.xml; do - case $f in - *template.xml) - ;; - *) - progress_message "Generating Man Page from $f..." - do_or_die "xmlto --skip-validation --xsltopts "--stringparam" --xsltopts "man.base.url.for.relative.links" --xsltopts $BASEURL/manpages${3}/ man $f >> $LOGFILE 2>&1" - case $f in - *.conf.*|shorewall.xml|shorewall6.xml|shorewall-lite.xml|shorewall6-lite.xml) - ;; - *) - g=${f#shorewall${2}-} - h=$(ls ${g%.xml}.[58]) - f=shorewall${2}-$h - mv $h $f - ;; - esac - - eval perl -p -w -i -e "'s|/manpages${3}/manpages${3}?|/manpages${3}|'" $f - ;; - esac - done - - rm -f *.xml - rm -f *.bak -} - -################################################################################ -# E X E C U T I O N S T A R T S H E R E -################################################################################ - -set -e -set -u - - -done= - -[ $# -eq 0 ] && usage - -case $1 in - -*) - ;; - *) - BUILDTARBALL=Yes - BUILDRPM=Yes - BUILDHTML=Yes - BUILDXML=Yes - BUILDRPM=Yes - BUILDCOMMON=Yes - BUILDLITE=Yes - BUILD6=Yes - BUILD6LITE=Yes - - done=Yes - ;; -esac - -while [ -z "$done" ]; do - [ $# -eq 0 ] && break - - option=$1 - case $option in - -*) - shift - option=${option#-} - - [ -z "$option" ] && done=Yes && break - - while [ -n "$option" ]; do - case $option in - t*) - BUILDTARBALL=Yes - option=${option#t} - ;; - r*) - BUILDTARBALL=Yes - BUILDRPM=Yes - option=${option#r} - ;; - h*) - BUILDHTML=Yes - option=${option#h} - ;; - x*) - BUILDXML=Yes - option=${option#x} - ;; - c*) - BUILDCOMMON=Yes - option=${option#c} - ;; - 6*) - BUILD6=Yes - option=${option#6} - ;; - l*) - BUILDLITE=Yes - option=${option#l} - ;; - L*) - BUILD6LITE=Yes - option=${option#L} - ;; - *) - usage - ;; - esac - done - ;; - *) - done=Yes - ;; - esac -done - -echo "Arguments are $*" - -case $# in - 1) - ;; - 2) - OLDVERSION=$2 - ;; - *) - usage - ;; -esac - -VERSION=$1 -BASEVERSION=$1 - -LOGFILE=$LOGDIR/shorewall_build_${VERSION}.log -touch $LOGFILE -progress_message "Build of Shorewall $VERSION on $(date)" - -case $VERSION in - 4.4.*.*) - XMLPROJ="docs-4.4" - - PATCHRELEASE=Yes - PATCHNUM=${VERSION##*.} - BASEVERSION=${VERSION%.*} - SVNBRANCH="Shorewall" - SVN6BRANCH="Shorewall6" - LITESVNBRANCH="Shorewall-lite" - LITE6SVNBRANCH="Shorewall6-lite" - DOCTAG="docs" - SAMPLESTAG="Samples" - SAMPLES6TAG="Samples6" - MANPAGETAG=manpages - MANPAGE6TAG=manpages6 - LITEMANPAGETAG=manpages-lite - LITE6MANPAGETAG=manpages6-lite - ;; - 4.4.*) - XMLPROJ="docs-4.4" - - SVNBRANCH="Shorewall" - SVN6BRANCH="Shorewall6" - LITESVNBRANCH="Shorewall-lite" - LITE6SVNBRANCH="Shorewall6-lite" - DOCTAG="docs" - SAMPLESTAG="Samples" - SAMPLES6TAG="Samples6" - MANPAGETAG=manpages - MANPAGE6TAG=manpages6 - LITEMANPAGETAG=manpages-lite - LITE6MANPAGETAG=manpages6-lite - ;; - *) - echo "Unsupported Version: $VERSION" - exit 2 - ;; -esac - -[ -d $DIR ] || { echo "Directory $DIR does not exist or is unaccessible" ; exit 2 ; } - -progress_message "Distribution directory is $DIR" - -cd $DIR - -[ -n "$BUILDCOMMON" ] && SHOREWALLDIR=shorewall-${VERSION} || SHOREWALLDIR=shorewall -SHOREWALL6DIR=shorewall6-${VERSION} -SHOREWALLLITEDIR=shorewall-lite-${VERSION} -LITE6DIR=shorewall6-lite-${VERSION} -TARBALL=shorewall-${VERSION}.tgz -TARBALL6=shorewall6-${VERSION}.tgz -LITETARBALL=shorewall-lite-${VERSION}.tgz -LITE6TARBALL=shorewall6-lite-${VERSION}.tgz - -case $VERSION in - *Beta*|*RC*) - BASEVERSION=${VERSION%-*} - RPMNAME=shorewall-${BASEVERSION}-0${VERSION#*-}.noarch.rpm - RPM6NAME=shorewall6-${BASEVERSION}-0${VERSION#*-}.noarch.rpm - LITERPMNAME=shorewall-lite-${BASEVERSION}-0${VERSION#*-}.noarch.rpm - LITE6RPMNAME=shorewall6-lite-${BASEVERSION}-0${VERSION#*-}.noarch.rpm - ;; - *.*.*.*) - # - # Patch Release - # - RPMNAME=shorewall-${BASEVERSION}-${PATCHNUM}.noarch.rpm - RPM6NAME=shorewall6-${BASEVERSION}-${PATCHNUM}.noarch.rpm - LITERPMNAME=shorewall-lite-${BASEVERSION}-${PATCHNUM}.noarch.rpm - LITE6RPMNAME=shorewall6-lite-${BASEVERSION}-${PATCHNUM}.noarch.rpm - ;; - *) - # - # Normal Release - # - RPMNAME=shorewall-${VERSION}-0base.noarch.rpm - RPM6NAME=shorewall6-${VERSION}-0base.noarch.rpm - LITERPMNAME=shorewall-lite-${VERSION}-0base.noarch.rpm - LITE6RPMNAME=shorewall6-lite-${VERSION}-0base.noarch.rpm - ;; -esac - -HTMLDIR=shorewall-docs-html-$VERSION - -if [ -n "${BUILDTARBALL}${BUILDRPM}" ]; then - report "Shorewall directory is $DIR/$SHOREWALLDIR" - report "Shorewall6 directory is $DIR/$SHOREWALL6DIR" - report "Shorewall Lite directory is $DIR/$SHOREWALLLITEDIR" - report "Shorewall6 Lite directory is $DIR/$LITE6DIR" - report "SVN tag is $SVNBRANCH" - report "Samples tag is $SAMPLESTAG" - report "Samples6 tag is $SAMPLES6TAG" - report "SVN6 tag is $SVN6BRANCH" - report "Lite SVN tag is $LITESVNBRANCH" - report "Lite6 SVN tag is $LITE6SVNBRANCH" - - if [ -n "$BUILDTARBALL" ]; then - report "TARBALL is $TARBALL" - report "TARBALL6 is $TARBALL6" - report "LITETARBALL is $LITETARBALL" - report "LITE6TARBALL is $LITE6TARBALL" - fi - - if [ -n "$BUILDRPM" ]; then - report "RPM is $RPMNAME" - [ -n "$RPM6NAME" ] && report "RPM6 is $RPM6NAME" - report "LITERPM is $LITERPMNAME" - [ -n "LITE6RPMNAME" ] && report "LITE6RPM is $LITE6RPMNAME" - fi -fi - -[ -n "$BUILDHTML" ] && report "HTML Directory is $HTMLDIR" - -[ -n "$RPM6NAME" ] || BUILD6= -[ -n "$LITE6RPMNAME" ] || BUILD6LITE= - -if [ -n "${BUILDTARBALL}${BUILDRPM}" ]; then - - rm -rf $SHOREWALLDIR - - [ -n "$BUILD6" ] && rm -rf $SHOREWALL6DIR - [ -n "$BUILDLITE" ] && rm -rf $SHOREWALLLITEDIR - [ -n "$BUILD6LITE" ] && rm -rf $LITE6DIR - - do_export $SVNBRANCH $SHOREWALLDIR - - do_or_die cp $SHOREWALLDIR/changelog.txt $SHOREWALLDIR/releasenotes.txt $SHOREWALLDIR/known_problems.txt . - - [ -n "$BUILD6" ] && do_export $SVN6BRANCH $SHOREWALL6DIR - - [ -n "$BUILDLITE" ] && do_export $LITESVNBRANCH $SHOREWALLLITEDIR - - [ -n "$BUILD6LITE" ] && do_export $LITE6SVNBRANCH $LITE6DIR - - if [ -n "$BUILDLITE" ]; then - do_or_die "cp $SHOREWALLDIR/modules $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - do_or_die "cp $SHOREWALLDIR/lib.base $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - if [ -f $SHOREWALLDIR/lib.cli ]; then - do_or_die "cp $SHOREWALLDIR/lib.cli $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - fi - if [ -f $SHOREWALLDIR/wait4ifup ]; then - do_or_die "cp $SHOREWALLDIR/wait4ifup $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - fi - fi - - if [ -n "$BUILD6LITE" ]; then - do_or_die "cp $SHOREWALL6DIR/modules $LITE6DIR >> $LOGFILE 2>&1" - do_or_die "cp $SHOREWALL6DIR/lib.base $LITE6DIR >> $LOGFILE 2>&1" - do_or_die "cp $SHOREWALL6DIR/lib.cli $LITE6DIR >> $LOGFILE 2>&1" - do_or_die "cp $SHOREWALL6DIR/wait4ifup $LITE6DIR >> $LOGFILE 2>&1" - fi - - [ -n "$BUILD6" ] && do_or_die "cp $SHOREWALLDIR/changelog.txt $SHOREWALLDIR/releasenotes.txt $SHOREWALL6DIR >> $LOGFILE 2>&1" - [ -n "$BUILDLITE" ] && do_or_die "cp $SHOREWALLDIR/changelog.txt $SHOREWALLDIR/releasenotes.txt $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - [ -n "$BUILD6LITE" ] && do_or_die "cp $SHOREWALLDIR/changelog.txt $SHOREWALLDIR/releasenotes.txt $LITE6DIR >> $LOGFILE 2>&1" - - if [ -n "$BUILDCOMMON" ]; then - fgrep VERSION=$VERSION $SHOREWALLDIR/install.sh > /dev/null 2>&1 || fatal_error "install.sh has wrong version" - fgrep VERSION=$VERSION $SHOREWALLDIR/uninstall.sh > /dev/null 2>&1 || fatal_error "uninstall.sh has wrong version" - if [ -d $SHOREWALLDIR/Perl ]; then - [ $(eval perl -e "'use lib \"$SHOREWALLDIR/Perl\"; use Shorewall::Config qw(:internal); Shorewall::Config::initialize(4); print \"\$globals{VERSION}\n\"'") = $VERSION ] || \ - fatal_error "Perl Config.pm has wrong version" - else - [ $(eval perl -e "'use lib \"$SHOREWALLDIR\"; use Shorewall::Config qw(:internal); Shorewall::Config::initialize(4); print \"\$globals{VERSION}\n\"'") = $VERSION ] || \ - fatal_error "Perl Config.pm has wrong version" - fi - fi - - if [ -n "$BUILD6" ]; then - fgrep VERSION=$VERSION $SHOREWALL6DIR/install.sh > /dev/null 2>&1 || fatal_error "6 install.sh has wrong version" - fgrep VERSION=$VERSION $SHOREWALL6DIR/uninstall.sh > /dev/null 2>&1 || fatal_error "6 uninstall.sh has wrong version" - fi - - if [ -n "$BUILDLITE" ]; then - fgrep VERSION=$VERSION $SHOREWALLLITEDIR/install.sh > /dev/null 2>&1 || fatal_error "Lite install.sh has wrong version" - fgrep VERSION=$VERSION $SHOREWALLLITEDIR/uninstall.sh > /dev/null 2>&1 || fatal_error "Lite uninstall.sh has wrong version" - fi - - if [ -n "$BUILD6LITE" ]; then - fgrep VERSION=$VERSION $LITE6DIR/install.sh > /dev/null 2>&1 || fatal_error "Lite 6 install.sh has wrong version" - fgrep VERSION=$VERSION $LITE6DIR/uninstall.sh > /dev/null 2>&1 || fatal_error "Lite 6 uninstall.sh has wrong version" - fi - - if [ -n "$BUILDCOMMON" ]; then - cd $SHOREWALLDIR - do_export $SAMPLESTAG Samples - do_manpages $MANPAGETAG '' '' - cd $DIR - fi - - if [ -n "$BUILD6" ]; then - cd $SHOREWALL6DIR - do_export $SAMPLES6TAG Samples6 - do_manpages $MANPAGE6TAG 6 6 - cd $DIR - fi - - if [ -n "$BUILDLITE" ]; then - cd $SHOREWALLLITEDIR - do_manpages $LITEMANPAGETAG -lite '' - cd $DIR - fi - - if [ -n "$BUILD6LITE" ]; then - cd $LITE6DIR - do_manpages $LITE6MANPAGETAG 6-lite 6 - cd $DIR - fi - - [ -n "$BUILDCOMMON" ] && do_or_die "rm -rf $SHOREWALLDIR/debian" - [ -n "$BUILD6" ] && do_or_die "rm -rf $SHOREWALL6DIR/debian" - [ -n "$BUILDLITE" ] && do_or_die "rm -rf $SHOREWALLLITEDIR/debian" - [ -n "$BUILD6LITE" ] && do_or_die "rm -rf $LITE6DIR/debian" - - if [ -n "$BUILDTARBALL" ]; then - if [ -n "$BUILDCOMMON" ]; then - progress_message "Creating $DIR/$TARBALL..." - rm -f $SHOREWALLDIR/*.diff - do_or_die "tar -zcvf $TARBALL $SHOREWALLDIR >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall-${VERSION}.tar.bz2 $SHOREWALLDIR >> $LOGFILE 2>&1" - fi - - if [ -n "$BUILD6" ]; then - progress_message "Creating $DIR/$TARBALL6..." - rm -f $SHOREWALL6DIR/*.diff - do_or_die "tar -zcvf $TARBALL6 $SHOREWALL6DIR >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall6-${VERSION}.tar.bz2 $SHOREWALL6DIR >> $LOGFILE 2>&1" - fi - - if [ -n "$BUILDLITE" ]; then - progress_message "Creating $DIR/$LITETARBALL..." - rm -f $SHOREWALLLITEDIR/*.diff - do_or_die "tar -zcvf $LITETARBALL $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall-lite-${VERSION}.tar.bz2 $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - fi - - if [ -n "$BUILD6LITE" ]; then - progress_message "Creating $DIR/$LITE6TARBALL..." - rm -f $LITE6DIR/*.diff - do_or_die "tar -zcvf $LITE6TARBALL $LITE6DIR >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall6-lite-${VERSION}.tar.bz2 $LITE6DIR >> $LOGFILE 2>&1" - fi - fi - - if [ -n "$BUILDRPM" ]; then - [ -n "$BUILDCOMMON" ] && do_buildanrpm $RPMNAME shorewall $SHOREWALLDIR - [ -n "$BUILD6" ] && do_buildanrpm $RPM6NAME shorewall6 $SHOREWALL6DIR - [ -n "$BUILDLITE" ] && do_buildanrpm $LITERPMNAME shorewall-lite $SHOREWALLLITEDIR - [ -n "$BUILD6LITE" ] && do_buildanrpm $LITE6RPMNAME shorewall6-lite $LITE6DIR - fi -fi - -if [ -n "${BUILDXML}${BUILDHTML}" ]; then - rm -rf $XMLPROJ - rm -rf shorewall-docs-xml-$VERSION - - do_export $DOCTAG $XMLPROJ - do_or_die mv $XMLPROJ shorewall-docs-xml-$VERSION - - rm -f shorewall-docs-xml-$VERSION/images/*.vsd - rm -f shorewall-docs-xml-$VERSION/images/~* - rm -f shorewall-docs-xml-$VERSION/images/*.JPG - rm -f shorewall-docs-xml-$VERSION/images/publish - rm -f shorewall-docs-xml-$VERSION/images/Thumbs.db - - cd shorewall-docs-xml-$VERSION - - do_export $MANPAGETAG manpages - mv manpages manpages.save - - do_export $MANPAGE6TAG manpages - do_or_die mv manpages manpages6.save/ - - do_export $LITEMANPAGETAG manpages - do_or_die mv manpages/* manpages.save/ - - do_export $LITE6MANPAGETAG manpages - do_or_die mv manpages/* manpages6.save/ - - do_or_die rm -rf manpages - do_or_die rm -rf manpages6 - - do_or_die mv manpages.save manpages - do_or_die mv manpages6.save manpages6 - - cd $DIR - - if [ -n "$BUILDXML" ]; then - progress_message "Creating $DIR/shorewall-docs-xml-$VERSION tarballs" - tar -zcvf shorewall-docs-xml-$VERSION.tgz shorewall-docs-xml-$VERSION >> $LOGFILE 2>&1 - tar -jcvf shorewall-docs-xml-$VERSION.tar.bz2 shorewall-docs-xml-$VERSION >> $LOGFILE 2>&1 || true - fi - - if [ -n "$BUILDHTML" ]; then - progress_message "Building $HTMLDIR ..." - - rm -rf $HTMLDIR - - do_or_die mkdir $HTMLDIR - do_or_die mkdir $HTMLDIR/images - # - # The original HTML documents were created using MS FrontPage and used - # the .htm suffix. The remainder use the .html suffix. - # - HTMFILES=" - 6to4.htm - blacklisting_support.htm - configuration_file_basics.htm - CorpNetwork.htm - dhcp.htm - Documentation.htm - errata.htm - fallback.htm - FAQ.htm - GnuCopyright.htm - Install.htm - IPIP.htm - IPSEC.htm - kernel.htm - myfiles.htm - NAT.htm - ports.htm - PPTP.htm - ProxyARP.htm - quotes.htm - samba.htm - shorewall_extension_scripts.htm - shorewall_features.htm - shorewall_mirrors.htm - shorewall_prerequisites.htm - shorewall_quickstart_guide.htm - shorewall_setup_guide_fr.htm - shorewall_setup_guide.htm - Shorewall_sfindex_frame.htm - standalone.htm - starting_and_stopping_shorewall.htm - support.htm - three-interface.htm - traffic_shaping.htm - troubleshoot.htm - two-interface.htm - upgrade_issues.htm - VPN.htm - whitelisting_under_shorewall.htm" - - NOTOC=" - Documentation_Index.xml - ECN.xml - fallback.xml - GettingStarted.xml - IPP2P.xml - ping.xml - ProxyARP.xml - Shorewall_Doesnt.xml - shorewall_features.xml - shorewall_prerequisites.xml - SimpleBridge.xml" - - for file in shorewall-docs-xml-$VERSION/*.xml; do - a=$(basename $file) - b=${a%.*} - list_search $b.htm $HTMFILES && b=$b.htm || b=$b.html - f="shorewall-docs-html-$VERSION/$b" - list_search $1 $NOTOC && GENTOC="--stringparam generate.toc ''" || GENTOC= - - case $file in - *_ru.xml) - LANGUAGE="--stringparam l10n.gentext.default.language ru" - ;; - *_fr.xml) - LANGUAGE="--stringparam l10n.gentext.default.language fr" - ;; - *) - LANGUAGE= - ;; - esac - - report "Converting $DIR/$file from XML to HTML ($DIR/$f) ..." - - do_or_die xsltproc --output $f --stringparam html.stylesheet html.css --stringparam ulink.target _self $GENTOC -param toc.section.depth 3 $STYLESHEET $file - done - - for f in shorewall-docs-xml-$VERSION/manpages/*.xml shorewall-docs-xml-$VERSION/manpages6/*.xml; do - case $f in - *template.xml) - ;; - *) - progress_message "Generating HTML from $f..." - do_or_die xsltproc --output ${f%.xml}.html --stringparam html.stylesheet html.css --stringparam ulink.target _self -param toc.section.depth 3 $STYLESHEET $f - ;; - esac - done - - progress_message "Copying manpages to $DIR/$HTMLDIR/images ..." - - do_or_die mkdir $HTMLDIR/manpages - do_or_die cp -a shorewall-docs-xml-$VERSION/manpages/*.html $HTMLDIR/manpages/ - do_or_die rm -f shorewall-docs-xml-$VERSION/manpages/*.html - - do_or_die mkdir $HTMLDIR/manpages6 - do_or_die cp -a shorewall-docs-xml-$VERSION/manpages6/*.html $HTMLDIR/manpages6/ - do_or_die rm -f shorewall-docs-xml-$VERSION/manpages6/*.html - - progress_message "Copying images to $DIR/$HTMLDIR/images ..." - - do_or_die cp -a shorewall-docs-xml-$VERSION/images/*.png $HTMLDIR/images - do_or_die cp -a shorewall-docs-xml-$VERSION/images/*.gif $HTMLDIR/images - do_or_die cp -a shorewall-docs-xml-$VERSION/images/*.jpg $HTMLDIR/images - do_or_die cp -a shorewall-docs-xml-$VERSION/*.css $HTMLDIR - - do_or_die ln -s Documentation_Index.html shorewall-docs-html-$VERSION/index.html - - progress_message "Creating $DIR/shorewall-docs-html-$VERSION tarballs ..." - - do_or_die "tar -zcvf shorewall-docs-html-$VERSION.tgz shorewall-docs-html-$VERSION >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall-docs-html-$VERSION.tar.bz2 shorewall-docs-html-$VERSION >> $LOGFILE 2>&1" - fi -fi - -progress_message "Creating md5sums and sha1sums" - -rm -f $VERSION.md5sums $VERSION.sha1sums - -# -# The following rather awkward algorithm gets around the problem of builds that don't -# include the RPM -# -case $VERSION in - *Beta*|*RC*) - if [ -n "$BUILDCOMMON" ]; then - do_or_die "md5sum shorewall-${BASEVERSION}-0${VERSION#*-}.noarch.rpm >> $VERSION.md5sums" - do_or_die "sha1sum shorewall-${BASEVERSION}-0${VERSION#*-}.noarch.rpm >> $VERSION.sha1sums" - fi - - if [ -n "$BUILDLITE" ]; then - do_or_die "md5sum shorewall-lite-${BASEVERSION}-0${VERSION#*-}.noarch.rpm >> $VERSION.md5sums" - do_or_die "sha1sum shorewall-lite-${BASEVERSION}-0${VERSION#*-}.noarch.rpm >> $VERSION.sha1sums" - fi - ;; - *.*.*.*) - [ -f $RPMNAME ] && do_or_die "md5sum $RPMNAME >> $VERSION.md5sums" - [ -f $RPM6NAME ] && do_or_die "md5sum $RPM6NAME >> $VERSION.md5sums" - [ -f $LITERPMNAME ] && do_or_die "md5sum $LITERPMNAME >> $VERSION.md5sums" - [ -f $LITE6RPMNAME ] && do_or_die "md5sum $LITE6RPMNAME >> $VERSION.md5sums" - ;; -esac - -for file in *; do - case $file in - *$VERSION[-.]*tgz|*$VERSION[-.]*rpm|*$VERSION[-.]*bz2) - do_or_die "md5sum $file >> $VERSION.md5sums" - do_or_die "sha1sum $file >> $VERSION.sha1sums" - ;; - esac -done - -if [ -n "$OLDVERSION" ]; then - - progress_message "Creating patch-$VERSION ..." - - [ -d shorewall-$VERSION ] && diff -Naur -X $(dirname $0)/exclude.txt shorewall-$OLDVERSION shorewall-$VERSION > patch-$VERSION || true - [ -d shorewall6-$VERSION ] && diff -Naur -X $(dirname $0)/exclude.txt shorewall6-$OLDVERSION shorewall6-$VERSION > patch-6-$VERSION || true - [ -d shorewall-lite-$VERSION ] && diff -Naur -X $(dirname $0)/exclude.txt shorewall-lite-$OLDVERSION shorewall-lite-$VERSION > patch-lite-$VERSION || true - [ -d shorewall6-lite-$VERSION ] && diff -Naur -X $(dirname $0)/exclude.txt shorewall6-lite-$OLDVERSION shorewall6-lite-$VERSION > patch-6-lite-$VERSION || true - -fi - -progress_message "Shorewall $VERSION Build complete - $(date)" diff --git a/tools/build/buildshorewall b/tools/build/buildshorewall deleted file mode 100755 index a5f050ee3..000000000 --- a/tools/build/buildshorewall +++ /dev/null @@ -1,1134 +0,0 @@ -#!/bin/sh -# -# Shorewall Release Processing -- (C) 2003,2004,2005 -- Tom Eastep (teastep@shorewall.net) -# -- (C) 2005,2006 -- Cristian Rodriguez (webmaster@shorewall.net) -# Version : $Id$ -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# I install this script in /usr/local/bin/makeshorewall. -# -# Usage: -# -# makeshorewall [ -trhxclpsS ] [ ] -# -# -t Build tarball -# -r Build RPM -# -c Build Common -# -l Build Lite -# -L Build 6 Lite -# -6 Build 6 -# -p Build Perl -# -s Build Shell -# -h Build HTML documentation -# -x Build XML documentation -# -S Sign with GPG -# -# If no options are given, all options are assumed. -# -# If is given, patch files reflecting the differences -# between that version and the current version ( ) are generated -# generated. The directory ./shorewall- must exist and -# contain the version against which the patch is generated. -################################################################################ -# C O N F I G U R A T I O N -################################################################################ -# -# XSL Stylesheet to use for XML->HTML conversion -# -STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/current/xhtml/docbook.xsl -# -# Directory where the build log will be placed. The log has the name -# shorewall_build_.log -# -LOGDIR=$PWD -# -# Your RPM build directory -# -RPMDIR=~/rpm/ -# -# Directory where you want the release to be built -- must be fully-qualified -# -DIR=$PWD -# -# location and options for GnuPG -# -GPG="/usr/bin/gpg -ab --batch --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'" -# -# SVN Repository -# -SVN=https://shorewall.svn.sourceforge.net/svnroot/shorewall -################################################################################ -# V A R I A B L E S -################################################################################ -VERSION= -BASEVERSION= -OLDVERSION= -SHOREWALLDIR= -SHOREWALLLITEDIR= -SHELLDIR= -SOURCEDIR= -SVNBRANCH= -LITESVNBRANCH= -SHELLBRANCH= -XMLPROJ= -RPMNAME= -LITERPMNAME= -TARBALL= -LITETARBALL= -LOGFILE= -HTMLDIR= -BUILDTARBALL= -BUILDRPM= -BUILDXML= -BUILDHTML= -SAMPLESTAG= -SIGN= -MANPAGETAG= -MANPAGE6TAG= -LITEMANPAGETAG= -LITE6MANPAGETAG= -PERLDIR= -SHELLDIR= -PERLBRANCH= -PERLRPMNAME= -PERLTARBALL= -SHELLBRANCH= -SHELLRPMNAME= -SHELLTARBALL= -BUILDCOMMON= -BUILDPERL= -BUILDSHELL= -BUILDLITE= -PATCHRELEASE= -PATCHNUM= -BASEURL=http://www.shorewall.net - -SVN6BRANCH= -SAMPLES6TAG= -LITE6SVNBRANCH= -SHOREWALL6DIR= -LITE6DIR= -BUILD6= -BUILD6LITE= -RPM6NAME= -LITE6RPMNAME= -TARBALL6= -LITE6TARBALL= -################################################################################ -# F U N C T I O N S -################################################################################ -progress_message() -{ - echo >> $LOGFILE - echo "$@" | tee -a $LOGFILE - echo >> $LOGFILE -} - -report() -{ - echo "$@" | tee -a $LOGFILE -} - -do_or_die() -{ - eval $@ || { progress_message "Step \"$*\" FAILED" ; exit 2; } -} - -fatal_error() { - progress_message "$*" - exit 2 -} - -list_search() # $1 = element to search for , $2-$n = list -{ - local e - e=$1 - - while [ $# -gt 1 ]; do - shift - [ "x$e" = "x$1" ] && return 0 - done - - return 1 -} - -# -# It's easy to mis-type the GPG passphrase; this function allows us additional chances to get it right -# -do_rpmbuild() { - while ! rpmbuild $@ >> $LOGFILE 2>&1; do - echo "rpmbuild $@ failed" >&2 - echo -n "Retry? Y/n " >&2 - read response - case $response in - Y*|y*) - ;; - *) - [ -n "$response" ] && return 1 - ;; - esac - done - - return 0 -} - -usage() -{ - echo "usage: $(basename $0) [ -trhxlcpsS] [ ]" - exit 2 -} -################################################################################ -# E X E C U T I O N S T A R T S H E R E -################################################################################ - -set -e -set -u - - -done= - -[ $# -eq 0 ] && usage - -case $1 in - -*) - ;; - *) - BUILDTARBALL=Yes - BUILDRPM=Yes - BUILDHTML=Yes - BUILDXML=Yes - BUILDRPM=Yes - BUILDCOMMON=Yes - BUILDPERL=Yes - BUILDSHELL=Yes - BUILDLITE=Yes - - case $1 in - 4.0.*) - ;; - *) - BUILD6=Yes - BUILD6LITE=Yes - ;; - esac - - done=Yes - SIGN=Yes - ;; -esac - -while [ -z "$done" ]; do - [ $# -eq 0 ] && break - - option=$1 - case $option in - -*) - shift - option=${option#-} - - [ -z "$option" ] && done=Yes && break - - while [ -n "$option" ]; do - case $option in - t*) - BUILDTARBALL=Yes - option=${option#t} - ;; - r*) - BUILDTARBALL=Yes - BUILDRPM=Yes - option=${option#r} - ;; - h*) - BUILDHTML=Yes - option=${option#h} - ;; - x*) - BUILDXML=Yes - option=${option#x} - ;; - c*) - BUILDCOMMON=Yes - option=${option#c} - ;; - 6*) - BUILD6=Yes - option=${option#6} - ;; - p*) - BUILDPERL=Yes - option=${option#p} - ;; - s*) - BUILDSHELL=Yes - option=${option#s} - ;; - l*) - BUILDLITE=Yes - option=${option#l} - ;; - L*) - BUILD6LITE=Yes - option=${option#L} - ;; - S*) - SIGN=Yes - option=${option#S} - ;; - *) - usage - ;; - esac - done - ;; - *) - done=Yes - ;; - esac -done - -echo "Arguments are $*" - -case $# in - 1) - ;; - 2) - OLDVERSION=$2 - ;; - *) - usage - ;; -esac - -VERSION=$1 -BASEVERSION=$1 - -LOGFILE=$LOGDIR/shorewall_build_${VERSION}.log -touch $LOGFILE -progress_message "Build of Shorewall $VERSION on $(date)" - -case $VERSION in - 4.2.*.*) - PATCHRELEASE=Yes - PATCHNUM=${VERSION##*.} - BASEVERSION=${VERSION%.*} - SVNBRANCH="tags/${BASEVERSION}/Shorewall-common-${PATCHNUM}" - SVN6BRANCH="tags/${BASEVERSION}/Shorewall6-${PATCHNUM}" - LITESVNBRANCH="/tags/${BASEVERSION}/Shorewall-lite-${PATCHNUM}" - LITE6SVNBRANCH="/tags/${BASEVERSION}/Shorewall6-lite-${PATCHNUM}" - PERLBRANCH="tags/${BASEVERSION}/Shorewall-perl-${PATCHNUM}" - SHELLBRANCH="tags/${BASEVERSION}/Shorewall-shell-${PATCHNUM}" - DOCTAG="branches/4.2/docs" - XMLPROJ="docs-4.2" - SAMPLESTAG="tags/${BASEVERSION}/Samples" - SAMPLES6TAG="tags/${BASEVERSION}/Samples6" - MANPAGETAG="tags/${BASEVERSION}/manpages" - MANPAGE6TAG="tags/${BASEVERSION}/manpages6" - LITEMANPAGETAG="tags/${BASEVERSION}/manpages-lite" - LITE6MANPAGETAG="tags/${BASEVERSION}/manpages6-lite" - ;; - 4.2.*) - SVNBRANCH="branches/4.2/Shorewall-common" - SVN6BRANCH="branches/4.2//Shorewall6" - LITESVNBRANCH="branches/4.2/Shorewall-lite" - LITE6SVNBRANCH="branches/4.2/Shorewall6-lite" - PERLBRANCH="branches/4.2/Shorewall-perl" - SHELLBRANCH="branches/4.2/Shorewall-shell" - DOCTAG="branches/4.2/docs" - XMLPROJ="docs-4.2" - SAMPLESTAG="branches/4.2/Samples" - SAMPLES6TAG="branches/4.2/Samples6" - MANPAGETAG=branches/4.2/manpages - MANPAGE6TAG=branches/4.2/manpages6 - LITEMANPAGETAG=branches/4.2/manpages-lite - LITE6MANPAGETAG=branches/4.2/manpages6-lite - ;; - 4.0.*.*) - PATCHRELEASE=Yes - PATCHNUM=${VERSION##*.} - BASEVERSION=${VERSION%.*} - SVNBRANCH="tags/${BASEVERSION}/Shorewall-common-${PATCHNUM}" - LITESVNBRANCH="/tags/${BASEVERSION}/Shorewall-lite-${PATCHNUM}" - PERLBRANCH="tags/${BASEVERSION}/Shorewall-perl-${PATCHNUM}" - SHELLBRANCH="tags/${BASEVERSION}/Shorewall-shell-${PATCHNUM}" - DOCTAG="trunk/docs" - XMLPROJ="docs-4.0" - SAMPLESTAG="tags/${BASEVERSION}/Samples" - MANPAGETAG="tags/${BASEVERSION}/manpages" - LITEMANPAGETAG="tags/${BASEVERSION}/manpages-lite" - BASEURL=http://www.shorewall.net/4.0 - ;; - 4.0.*) - SVNBRANCH="branches/4.0/Shorewall-common" - LITESVNBRANCH="branches/4.0/Shorewall-lite" - PERLBRANCH="branches/4.0/Shorewall-perl" - SHELLBRANCH="branches/4.0/Shorewall-shell" - DOCTAG="trunk/docs" - XMLPROJ="docs-4.0" - SAMPLESTAG="branches/4.0/Samples" - MANPAGETAG=branches/4.0/manpages - LITEMANPAGETAG=branches/4.0/manpages-lite - BASEURL=http://www.shorewall.net/4.0 - ;; - *) - echo "Unsupported Version: $VERSION" - exit 2 - ;; -esac - -[ -d $DIR ] || { echo "Directory $DIR does not exist or is unaccessible" ; exit 2 ; } - -progress_message "Distribution directory is $DIR" - -cd $DIR - -[ -n "$BUILDCOMMON" ] && SHOREWALLDIR=shorewall-common-${VERSION} || SHOREWALLDIR=shorewall-common -SHOREWALL6DIR=shorewall6-${VERSION} -SHOREWALLLITEDIR=shorewall-lite-${VERSION} -LITE6DIR=shorewall6-lite-${VERSION} -TARBALL=shorewall-common-${VERSION}.tgz -TARBALL6=shorewall6-${VERSION}.tgz -LITETARBALL=shorewall-lite-${VERSION}.tgz -LITE6TARBALL=shorewall6-lite-${VERSION}.tgz -SHELLTARBALL=shorewall-shell-${VERSION}.tgz -SHELLDIR=shorewall-shell-${VERSION} -PERLTARBALL=shorewall-perl-${VERSION}.tgz -PERLDIR=shorewall-perl-${VERSION} - -case $VERSION in - *Beta*|*RC*|*Pre*) - # - # Beta or Release Candidate - # - BASEVERSION=${VERSION%-*} - RPMNAME=shorewall-common-${BASEVERSION}-0${VERSION#*-}.noarch.rpm - RPM6NAME=shorewall6-${BASEVERSION}-0${VERSION#*-}.noarch.rpm - LITERPMNAME=shorewall-lite-${BASEVERSION}-0${VERSION#*-}.noarch.rpm - LITE6RPMNAME=shorewall6-lite-${BASEVERSION}-0${VERSION#*-}.noarch.rpm - PERLRPMNAME=shorewall-perl-${BASEVERSION}-0${VERSION#*-}.noarch.rpm - SHELLRPMNAME=shorewall-shell-${BASEVERSION}-0${VERSION#*-}.noarch.rpm - ;; - *.*.*.*) - # - # Patch Release - # - RPMNAME=shorewall-common-${BASEVERSION}-${PATCHNUM}.noarch.rpm - RPM6NAME=shorewall6-${BASEVERSION}-${PATCHNUM}.noarch.rpm - LITERPMNAME=shorewall-lite-${BASEVERSION}-${PATCHNUM}.noarch.rpm - LITE6RPMNAME=shorewall6-lite-${BASEVERSION}-${PATCHNUM}.noarch.rpm - PERLRPMNAME=shorewall-perl-${BASEVERSION}-${PATCHNUM}.noarch.rpm - SHELLRPMNAME=shorewall-shell-${BASEVERSION}-${PATCHNUM}.noarch.rpm - ;; - *) - # - # Normal Release - # - RPMNAME=shorewall-common-${VERSION}-0base.noarch.rpm - RPM6NAME=shorewall6-${VERSION}-0base.noarch.rpm - LITERPMNAME=shorewall-lite-${VERSION}-0base.noarch.rpm - LITE6RPMNAME=shorewall6-lite-${VERSION}-0base.noarch.rpm - PERLRPMNAME=shorewall-perl-${VERSION}-0base.noarch.rpm - SHELLRPMNAME=shorewall-shell-${VERSION}-0base.noarch.rpm - ;; -esac - -HTMLDIR=shorewall-docs-html-$VERSION - -if [ -n "${BUILDTARBALL}${BUILDRPM}" ]; then - report "Shorewall directory is $DIR/$SHOREWALLDIR" - report "Shorewall6 directory is $DIR/$SHOREWALL6DIR" - report "Shorewall Lite directory is $DIR/$SHOREWALLLITEDIR" - report "Shorewall6 Lite directory is $DIR/$LITE6DIR" - report "Shorewall Shell directory is $DIR/$SHELLDIR" - report "Shorewall Perl directory is $DIR/$PERLDIR" - report "SVN tag is $SVNBRANCH" - report "Samples tag is $SAMPLESTAG" - report "Samples6 tag is $SAMPLES6TAG" - report "SVN6 tag is $SVN6BRANCH" - report "Lite SVN tag is $LITESVNBRANCH" - report "Lite6 SVN tag is $LITE6SVNBRANCH" - report "Shell SVN tag is $SHELLBRANCH" - report "Perl SVN tag is $PERLBRANCH" - if [ -n "$BUILDTARBALL" ]; then - report "TARBALL is $TARBALL" - report "TARBALL6 is $TARBALL6" - report "LITETARBALL is $LITETARBALL" - report "LITE6TARBALL is $LITE6TARBALL" - report "SHELLTARBALL is $SHELLTARBALL" - report "PERLTARBALL is $PERLTARBALL" - fi - - if [ -n "$BUILDRPM" ]; then - report "RPM is $RPMNAME" - [ -n "$RPM6NAME" ] && report "RPM6 is $RPM6NAME" - report "LITERPM is $LITERPMNAME" - [ -n "LITE6RPMNAME" ] && report "LITE6RPM is $LITE6RPMNAME" - report "SHELLRPM is $SHELLRPMNAME" - report "PERLRPM is $PERLRPMNAME" - fi -fi - -[ -n "$BUILDHTML" ] && report "HTML Directory is $HTMLDIR" - -[ -n "$RPM6NAME" ] || BUILD6= -[ -n "$LITE6RPMNAME" ] || BUILD6LITE= - -if [ -n "${BUILDTARBALL}${BUILDRPM}" ]; then - - rm -rf $SHOREWALLDIR - - [ -n "$BUILD6" ] && rm -rf $SHOREWALL6DIR - [ -n "$BUILDLITE" ] && rm -rf $SHOREWALLLITEDIR - [ -n "$BUILD6LITE" ] && rm -rf $LITE6DIR - [ -n "$BUILDPERL" ] && rm -rf $PERLDIR - [ -n "$BUILDSHELL" ] && rm -rf $SHELLDIR - - progress_message "Exporting $SVNBRANCH from SVN..." && do_or_die "svn export --non-interactive --force ${SVN}/$SVNBRANCH $SHOREWALLDIR >> $LOGFILE 2>&1" - - [ -n "$BUILD6" ] && progress_message "Exporting $SVN6BRANCH from SVN..." && do_or_die "svn export --non-interactive --force ${SVN}/$SVN6BRANCH $SHOREWALL6DIR >> $LOGFILE 2>&1" - - [ -n "$BUILDLITE" ] && progress_message "Exporting $LITESVNBRANCH from SVN..." && do_or_die "svn export --non-interactive --force ${SVN}/$LITESVNBRANCH $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - - [ -n "$BUILD6LITE" ] && progress_message "Exporting $LITE6SVNBRANCH from SVN..." && do_or_die "svn export --non-interactive --force ${SVN}/$LITE6SVNBRANCH $LITE6DIR >> $LOGFILE 2>&1" - - [ -n "$BUILDPERL" ] && progress_message "Exporting $PERLBRANCH from SVN..." && do_or_die "svn export --non-interactive --force ${SVN}/$PERLBRANCH $PERLDIR >> $LOGFILE 2>&1" - - [ -n "$BUILDSHELL" ] && progress_message "Exporting $SHELLBRANCH from SVN..." && do_or_die "svn export --non-interactive --force ${SVN}/$SHELLBRANCH $SHELLDIR >> $LOGFILE 2>&1" - - - if [ -n "$BUILDLITE" ]; then - do_or_die "cp $SHOREWALLDIR/modules $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - do_or_die "cp $SHOREWALLDIR/lib.base $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - if [ -f $SHOREWALLDIR/lib.cli ]; then - do_or_die "cp $SHOREWALLDIR/lib.cli $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - fi - if [ -f $SHOREWALLDIR/wait4ifup ]; then - do_or_die "cp $SHOREWALLDIR/wait4ifup $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - fi - fi - - if [ -n "$BUILD6LITE" ]; then - do_or_die "cp $SHOREWALL6DIR/modules $LITE6DIR >> $LOGFILE 2>&1" - do_or_die "cp $SHOREWALL6DIR/lib.base $LITE6DIR >> $LOGFILE 2>&1" - do_or_die "cp $SHOREWALL6DIR/lib.cli $LITE6DIR >> $LOGFILE 2>&1" - do_or_die "cp $SHOREWALL6DIR/wait4ifup $LITE6DIR >> $LOGFILE 2>&1" - fi - - [ -n "$BUILD6" ] && do_or_die "cp $SHOREWALLDIR/changelog.txt $SHOREWALLDIR/releasenotes.txt $SHOREWALL6DIR >> $LOGFILE 2>&1" - [ -n "$BUILDLITE" ] && do_or_die "cp $SHOREWALLDIR/changelog.txt $SHOREWALLDIR/releasenotes.txt $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - [ -n "$BUILD6LITE" ] && do_or_die "cp $SHOREWALLDIR/changelog.txt $SHOREWALLDIR/releasenotes.txt $LITE6DIR >> $LOGFILE 2>&1" - [ -n "$BUILDPERL" ] && do_or_die "cp $SHOREWALLDIR/changelog.txt $SHOREWALLDIR/releasenotes.txt $PERLDIR >> $LOGFILE 2>&1" - [ -n "$BUILDSHELL" ] && do_or_die "cp $SHOREWALLDIR/changelog.txt $SHOREWALLDIR/releasenotes.txt $SHELLDIR >> $LOGFILE 2>&1" - - if [ -n "$BUILDCOMMON" ]; then - fgrep VERSION=$VERSION $SHOREWALLDIR/install.sh > /dev/null 2>&1 || fatal_error "install.sh has wrong version" - fgrep VERSION=$VERSION $SHOREWALLDIR/uninstall.sh > /dev/null 2>&1 || fatal_error "uninstall.sh has wrong version" - fgrep VERSION=$VERSION $SHOREWALLDIR/fallback.sh > /dev/null 2>&1 || fatal_error "fallback.sh has wrong version" - fi - - if [ -n "$BUILD6" ]; then - fgrep VERSION=$VERSION $SHOREWALL6DIR/install.sh > /dev/null 2>&1 || fatal_error "6 install.sh has wrong version" - fgrep VERSION=$VERSION $SHOREWALL6DIR/uninstall.sh > /dev/null 2>&1 || fatal_error "6 uninstall.sh has wrong version" - fgrep VERSION=$VERSION $SHOREWALL6DIR/fallback.sh > /dev/null 2>&1 || fatal_error "6 fallback.sh has wrong version" - fi - - if [ -n "$BUILDLITE" ]; then - fgrep VERSION=$VERSION $SHOREWALLLITEDIR/install.sh > /dev/null 2>&1 || fatal_error "Lite install.sh has wrong version" - fgrep VERSION=$VERSION $SHOREWALLLITEDIR/uninstall.sh > /dev/null 2>&1 || fatal_error "Lite uninstall.sh has wrong version" - fgrep VERSION=$VERSION $SHOREWALLLITEDIR/fallback.sh > /dev/null 2>&1 || fatal_error "Lite fallback.sh has wrong version" - fi - - if [ -n "$BUILD6LITE" ]; then - fgrep VERSION=$VERSION $LITE6DIR/install.sh > /dev/null 2>&1 || fatal_error "Lite 6 install.sh has wrong version" - fgrep VERSION=$VERSION $LITE6DIR/uninstall.sh > /dev/null 2>&1 || fatal_error "Lite 6 uninstall.sh has wrong version" - fgrep VERSION=$VERSION $LITE6DIR/fallback.sh > /dev/null 2>&1 || fatal_error "Lite 6 fallback.sh has wrong version" - fi - - if [ -n "$BUILDSHELL" ]; then - fgrep VERSION=$VERSION $SHELLDIR/install.sh > /dev/null 2>&1 || fatal_error "Shell install.sh has wrong version" - fi - - if [ -n "$BUILDPERL" ]; then - fgrep VERSION=$VERSION $PERLDIR/install.sh > /dev/null 2>&1 || fatal_error "Perl install.sh has wrong version" - [ $(eval perl -e "'use lib \"$PERLDIR\"; use Shorewall::Config qw(:internal); print \"\$globals{VERSION}\n\"'") = $VERSION ] || \ - fatal_error "Perl Config.pm has wrong version" - fi - - if [ -n "$BUILDCOMMON" ]; then - cd $SHOREWALLDIR - do_or_die "svn export --non-interactive --force ${SVN}/$SAMPLESTAG Samples >> $LOGFILE 2>&1" - progress_message "Exporting $MANPAGETAG from SVN..." - do_or_die "svn export --non-interactive --force ${SVN}/$MANPAGETAG manpages >> $LOGFILE 2>&1" - cd manpages - for f in *.xml; do - if [ $f != shorewall-template.xml ]; then - progress_message "Generating Man Page from $f..." - do_or_die "xmlto --skip-validation --xsltopts "--stringparam" --xsltopts "man.base.url.for.relative.links" --xsltopts $BASEURL/manpages/ man $f >> $LOGFILE 2>&1" - case $f in - *.conf.*|shorewall.xml) - ;; - *) - g=${f#shorewall-} - h=$(ls ${g%.xml}.[58]) - f=shorewall-$h - mv $h $f - ;; - esac - - perl -p -w -i -e 's|/(4\.0/)?manpages/\.\.||' $f - fi - done - rm *.xml - cd $DIR - fi - - if [ -n "$BUILD6" ]; then - cd $SHOREWALL6DIR - do_or_die "svn export --non-interactive --force ${SVN}/$SAMPLES6TAG Samples6 >> $LOGFILE 2>&1" - progress_message "Exporting $MANPAGE6TAG from SVN..." - do_or_die "svn export --non-interactive --force ${SVN}/$MANPAGE6TAG manpages >> $LOGFILE 2>&1" - cd manpages - for f in *.xml; do - if [ $f != shorewall6-template.xml ]; then - progress_message "Generating Man Page from $f..." - do_or_die "xmlto --skip-validation --xsltopts "--stringparam" --xsltopts "man.base.url.for.relative.links" --xsltopts $BASEURL/manpages6/ man $f >> $LOGFILE 2>&1" - case $f in - *.conf.*|shorewall6.xml) - ;; - *) - g=${f#shorewall6-} - h=$(ls ${g%.xml}.[58]) - f=shorewall6-$h - mv $h $f - ;; - esac - - perl -p -w -i -e 's|/manpages6/\.\.||' $f - fi - done - rm *.xml - cd $DIR - fi - - if [ -n "$BUILDLITE" ]; then - cd $SHOREWALLLITEDIR - progress_message "Exporting $LITEMANPAGETAG from SVN..." - do_or_die "svn export --non-interactive --force ${SVN}/$LITEMANPAGETAG manpages >> $LOGFILE 2>&1" - cd manpages - for f in *.xml; do - if [ $f != shorewall-template.xml ]; then - progress_message "Generating Man Page from $f..." - do_or_die "xmlto --skip-validation --xsltopts "--stringparam" --xsltopts "man.base.url.for.relative.links" --xsltopts $BASEURL/manpages/ man $f >> $LOGFILE 2>&1" - case $f in - *.conf.*|shorewall-lite.xml) - ;; - *) - g=${f#shorewall-lite-} - h=$(ls ${g%.xml}.[58]) - f=shorewall-lite-$h - mv $h $f - ;; - esac - - perl -p -w -i -e 's|/(4\.0/)?manpages/\.\.||' $f - fi - done - rm *.xml - cd $DIR - fi - - if [ -n "$BUILD6LITE" ]; then - cd $LITE6DIR - progress_message "Exporting $LITE6MANPAGETAG from SVN..." - do_or_die "svn export --non-interactive --force ${SVN}/$LITE6MANPAGETAG manpages >> $LOGFILE 2>&1" - cd manpages - for f in *.xml; do - if [ $f != shorewall6-template.xml ]; then - progress_message "Generating Man Page from $f..." - do_or_die "xmlto --skip-validation --xsltopts "--stringparam" --xsltopts "man.base.url.for.relative.links" --xsltopts $BASEURL/manpages6/ man $f >> $LOGFILE 2>&1" - case $f in - *.conf.*|shorewall6-lite.xml) - ;; - *) - g=${f#shorewall6-lite-} - h=$(ls ${g%.xml}.[58]) - f=shorewall6-lite-$h - mv $h $f - ;; - esac - - perl -p -w -i -e 's|/manpages6/\.\.||' $f - fi - done - rm *.xml - cd $DIR - fi - - [ -n "$BUILDCOMMON" ] && do_or_die "rm -rf $SHOREWALLDIR/debian" - [ -n "$BUILD6" ] && do_or_die "rm -rf $SHOREWALL6DIR/debian" - [ -n "$BUILDLITE" ] && do_or_die "rm -rf $SHOREWALLLITEDIR/debian" - [ -n "$BUILD6LITE" ] && do_or_die "rm -rf $LITE6DIR/debian" - [ -n "$BUILDPERL" ] && do_or_die "rm -rf $PERLDIR/debian" - [ -n "$BUILDSHELL" ] && do_or_die "rm -rf $SHELLDIR/debian" - - if [ -n "$BUILDTARBALL" ]; then - if [ -n "$BUILDCOMMON" ]; then - progress_message "Creating $DIR/$TARBALL..." - rm -f $SHOREWALLDIR/*.diff - do_or_die "tar -zcvf $TARBALL $SHOREWALLDIR >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall-common-${VERSION}.tar.bz2 $SHOREWALLDIR >> $LOGFILE 2>&1" - if [ -n "$SIGN" ]; then - for shoresuffix in tgz tar.bz2; do - shoreball=shorewall-common-${VERSION}.${shoresuffix} - report "GPG signing $DIR/$shoreball" - rm -f ${shoreball}.asc - do_or_die "$GPG $shoreball" - done - fi - fi - - if [ -n "$BUILD6" ]; then - progress_message "Creating $DIR/$TARBALL6..." - rm -f $SHOREWALL6DIR/*.diff - do_or_die "tar -zcvf $TARBALL6 $SHOREWALL6DIR >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall6-${VERSION}.tar.bz2 $SHOREWALL6DIR >> $LOGFILE 2>&1" - if [ -n "$SIGN" ]; then - for shoresuffix in tgz tar.bz2; do - shoreball=shorewall6-${VERSION}.${shoresuffix} - report "GPG signing $DIR/$shoreball" - rm -f ${shoreball}.asc - do_or_die "$GPG $shoreball" - done - fi - fi - - if [ -n "$BUILDLITE" ]; then - progress_message "Creating $DIR/$LITETARBALL..." - rm -f $SHOREWALLLITEDIR/*.diff - do_or_die "tar -zcvf $LITETARBALL $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall-lite-${VERSION}.tar.bz2 $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - if [ -n "$SIGN" ]; then - for shoresuffix in tgz tar.bz2; do - shoreball=shorewall-lite-${VERSION}.${shoresuffix} - report "GPG signing $DIR/$shoreball" - rm -f ${shoreball}.asc - do_or_die "$GPG $shoreball" - done - fi - fi - - if [ -n "$BUILD6LITE" ]; then - progress_message "Creating $DIR/$LITE6TARBALL..." - rm -f $LITE6DIR/*.diff - do_or_die "tar -zcvf $LITE6TARBALL $LITE6DIR >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall6-lite-${VERSION}.tar.bz2 $LITE6DIR >> $LOGFILE 2>&1" - if [ -n "$SIGN" ]; then - for shoresuffix in tgz tar.bz2; do - shoreball=shorewall6-lite-${VERSION}.${shoresuffix} - report "GPG signing $DIR/$shoreball" - rm -f ${shoreball}.asc - do_or_die "$GPG $shoreball" - done - fi - fi - - if [ -n "$BUILDPERL" ]; then - progress_message "Creating $DIR/$PERLTARBALL..." - rm -f $PERLDIR/*.diff - do_or_die "tar -zcvf $PERLTARBALL $PERLDIR >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall-perl-${VERSION}.tar.bz2 $PERLDIR >> $LOGFILE 2>&1" - - if [ -n "$SIGN" ]; then - for shoresuffix in tgz tar.bz2; do - shoreball=shorewall-perl-${VERSION}.${shoresuffix} - report "GPG signing $DIR/$shoreball" - rm -f ${shoreball}.asc - do_or_die "$GPG $shoreball" - done - fi - fi - - if [ -n "$BUILDSHELL" ]; then - progress_message "Creating $DIR/$SHELLTARBALL..." - rm -f $SHELLDIR/*.diff - do_or_die "tar -zcvf $SHELLTARBALL $SHELLDIR >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall-shell-${VERSION}.tar.bz2 $SHELLDIR >> $LOGFILE 2>&1" - - if [ -n "$SIGN" ]; then - for shoresuffix in tgz tar.bz2; do - shoreball=shorewall-shell-${VERSION}.${shoresuffix} - report "GPG signing $DIR/$shoreball" - rm -f ${shoreball}.asc - do_or_die "$GPG $shoreball" - done - fi - fi - fi - - if [ -n "$BUILDRPM" ]; then - test -n "$SIGN" && SIGN="--sign" - - if [ -n "$BUILDCOMMON" ]; then - progress_message "Building $RPMNAME..." - - cd /tmp - rm -rf shorewall-common-${BASEVERSION} - do_or_die "cp -a $DIR/$SHOREWALLDIR shorewall-common-${BASEVERSION}" - do_or_die "tar -zcf $RPMDIR/SOURCES/shorewall-common-${BASEVERSION}.tgz shorewall-common-${BASEVERSION}" - cd $DIR - do_or_die "cp $SHOREWALLDIR/shorewall-common.spec $RPMDIR/SPECS/" - do_or_die "do_rpmbuild -ba $SIGN $RPMDIR/SPECS/shorewall-common.spec" - do_or_die cp -a $RPMDIR/RPMS/noarch/$RPMNAME . - fi - - if [ -n "$BUILD6" ]; then - progress_message "Building $RPM6NAME..." - - cd /tmp - rm -rf shorewall6-${BASEVERSION} - do_or_die "cp -a $DIR/$SHOREWALL6DIR shorewall6-${BASEVERSION}" - do_or_die "tar -zcf $RPMDIR/SOURCES/shorewall6-${BASEVERSION}.tgz shorewall6-${BASEVERSION}" - cd $DIR - do_or_die "cp $SHOREWALL6DIR/shorewall6.spec $RPMDIR/SPECS/" - do_or_die "do_rpmbuild -ba $SIGN $RPMDIR/SPECS/shorewall6.spec" - do_or_die cp -a $RPMDIR/RPMS/noarch/$RPM6NAME . - fi - - if [ -n "$BUILDLITE" ]; then - progress_message "Building $LITERPMNAME..." - - cd /tmp - rm -rf shorewall-lite-${BASEVERSION} - do_or_die "cp -a $DIR/$SHOREWALLLITEDIR shorewall-lite-${BASEVERSION}" - do_or_die "tar -zcf $RPMDIR/SOURCES/shorewall-lite-${BASEVERSION}.tgz shorewall-lite-${BASEVERSION}" - cd $DIR - do_or_die "cp $SHOREWALLLITEDIR/shorewall-lite.spec $RPMDIR/SPECS/" - do_or_die "do_rpmbuild -ba $SIGN $RPMDIR/SPECS/shorewall-lite.spec" - do_or_die cp -a $RPMDIR/RPMS/noarch/$LITERPMNAME . - fi - - if [ -n "$BUILD6LITE" ]; then - progress_message "Building $LITE6RPMNAME..." - - cd /tmp - rm -rf shorewall6-lite-${BASEVERSION} - do_or_die "cp -a $DIR/$LITE6DIR shorewall6-lite-${BASEVERSION}" - do_or_die "tar -zcf $RPMDIR/SOURCES/shorewall6-lite-${BASEVERSION}.tgz shorewall6-lite-${BASEVERSION}" - cd $DIR - do_or_die "cp $LITE6DIR/shorewall6-lite.spec $RPMDIR/SPECS/" - do_or_die "do_rpmbuild -ba $SIGN $RPMDIR/SPECS/shorewall6-lite.spec" - do_or_die cp -a $RPMDIR/RPMS/noarch/$LITE6RPMNAME . - fi - - if [ -n "$BUILDPERL" ]; then - progress_message "Building $PERLRPMNAME..." - - cd /tmp - rm -rf shorewall-perl-${BASEVERSION} - do_or_die "cp -a $DIR/$PERLDIR shorewall-perl-${BASEVERSION}" - do_or_die "tar -zcf $RPMDIR/SOURCES/shorewall-perl-${BASEVERSION}.tgz shorewall-perl-${BASEVERSION}" - cd $DIR - do_or_die "cp $PERLDIR/shorewall-perl.spec $RPMDIR/SPECS/" - do_or_die "do_rpmbuild -ba $SIGN $RPMDIR/SPECS/shorewall-perl.spec" - do_or_die cp -a $RPMDIR/RPMS/noarch/$PERLRPMNAME . - fi - - if [ -n "$BUILDSHELL" ]; then - progress_message "Building $SHELLRPMNAME..." - - cd /tmp - rm -rf shorewall-shell-${BASEVERSION} - do_or_die "cp -a $DIR/$SHELLDIR shorewall-shell-${BASEVERSION}" - do_or_die "tar -zcf $RPMDIR/SOURCES/shorewall-shell-${BASEVERSION}.tgz shorewall-shell-${BASEVERSION}" - cd $DIR - do_or_die "cp $SHELLDIR/shorewall-shell.spec $RPMDIR/SPECS/" - do_or_die "do_rpmbuild -ba $SIGN $RPMDIR/SPECS/shorewall-shell.spec" - do_or_die cp -a $RPMDIR/RPMS/noarch/$SHELLRPMNAME . - fi - fi -fi - -if [ -n "${BUILDXML}${BUILDHTML}" ]; then - progress_message "Exporting $XMLPROJ from SVN..." - - rm -rf $XMLPROJ - rm -rf shorewall-docs-xml-$VERSION - - do_or_die "svn export --non-interactive --force ${SVN}/$DOCTAG $XMLPROJ >> $LOGFILE 2>&1" - do_or_die mv $XMLPROJ shorewall-docs-xml-$VERSION - - rm -f shorewall-docs-xml-$VERSION/images/*.vsd - rm -f shorewall-docs-xml-$VERSION/images/~* - rm -f shorewall-docs-xml-$VERSION/images/*.JPG - rm -f shorewall-docs-xml-$VERSION/images/publish - rm -f shorewall-docs-xml-$VERSION/images/Thumbs.db - - cd shorewall-docs-xml-$VERSION - - rm -rf manpages.save - rm -rf manpages6.save - - progress_message "Exporting $MANPAGETAG from SVN..." - do_or_die "svn export --non-interactive --force ${SVN}/$MANPAGETAG manpages >> $LOGFILE 2>&1" - mv manpages manpages.save - - if [ -n "$MANPAGE6TAG" ]; then - progress_message "Exporting $MANPAGE6TAG from SVN..." - do_or_die "svn export --non-interactive --force ${SVN}/$MANPAGE6TAG manpages >> $LOGFILE 2>&1" - do_or_die mv manpages manpages6.save/ - fi - - progress_message "Exporting $LITEMANPAGETAG from SVN..." - do_or_die "svn export --non-interactive --force ${SVN}/$LITEMANPAGETAG manpages >> $LOGFILE 2>&1" - do_or_die mv manpages/* manpages.save/ - - if [ -n "$LITE6MANPAGETAG" ]; then - progress_message "Exporting $LITE6MANPAGETAG from SVN..." - do_or_die "svn export --non-interactive --force ${SVN}/$LITE6MANPAGETAG manpages >> $LOGFILE 2>&1" - do_or_die mv manpages/* manpages6.save/ - fi - - do_or_die rm -rf manpages - do_or_die rm -rf manpages6 - - do_or_die mv manpages.save manpages - do_or_die mv manpages6.save manpages6 - - cd $DIR - - if [ -n "$BUILDXML" ]; then - progress_message "Creating $DIR/shorewall-docs-xml-$VERSION tarballs" - tar -zcvf shorewall-docs-xml-$VERSION.tgz shorewall-docs-xml-$VERSION >> $LOGFILE 2>&1 - tar -jcvf shorewall-docs-xml-$VERSION.tar.bz2 shorewall-docs-xml-$VERSION >> $LOGFILE 2>&1 || true - if [ -n "$SIGN" ]; then - for shoresuffix in tgz tar.bz2; do - xmlball=shorewall-docs-xml-$VERSION.${shoresuffix} - report "GPG signing $DIR/$xmlball tarball" - rm -f ${xmlball}.asc - do_or_die "$GPG $xmlball" - done - fi - fi - - if [ -n "$BUILDHTML" ]; then - progress_message "Building $HTMLDIR ..." - - rm -rf $HTMLDIR - - do_or_die mkdir $HTMLDIR - do_or_die mkdir $HTMLDIR/images - # - # The original HTML documents were created using MS FrontPage and used - # the .htm suffix. The remainder use the .html suffix. - # - HTMFILES=" - 6to4.htm - blacklisting_support.htm - configuration_file_basics.htm - CorpNetwork.htm - dhcp.htm - Documentation.htm - errata.htm - fallback.htm - FAQ.htm - GnuCopyright.htm - Install.htm - IPIP.htm - IPSEC.htm - kernel.htm - myfiles.htm - NAT.htm - ports.htm - PPTP.htm - ProxyARP.htm - quotes.htm - samba.htm - shorewall_extension_scripts.htm - shorewall_features.htm - shorewall_mirrors.htm - shorewall_prerequisites.htm - shorewall_quickstart_guide.htm - shorewall_setup_guide_fr.htm - shorewall_setup_guide.htm - Shorewall_sfindex_frame.htm - standalone.htm - starting_and_stopping_shorewall.htm - support.htm - three-interface.htm - traffic_shaping.htm - troubleshoot.htm - two-interface.htm - upgrade_issues.htm - VPN.htm - whitelisting_under_shorewall.htm" - - NOTOC=" - Documentation_Index.xml - ECN.xml - fallback.xml - GettingStarted.xml - IPP2P.xml - ping.xml - ProxyARP.xml - Shorewall_Doesnt.xml - shorewall_features.xml - shorewall_prerequisites.xml - SimpleBridge.xml" - - for file in shorewall-docs-xml-$VERSION/*.xml; do - a=$(basename $file) - b=${a%.*} - list_search $b.htm $HTMFILES && b=$b.htm || b=$b.html - f="shorewall-docs-html-$VERSION/$b" - list_search $1 $NOTOC && GENTOC="--stringparam generate.toc ''" || GENTOC= - - case $file in - *_ru.xml) - LANGUAGE="--stringparam l10n.gentext.default.language ru" - ;; - *_fr.xml) - LANGUAGE="--stringparam l10n.gentext.default.language fr" - ;; - *) - LANGUAGE= - ;; - esac - - report "Converting $DIR/$file from XML to HTML ($DIR/$f) ..." - - do_or_die xsltproc --output $f --stringparam html.stylesheet html.css --stringparam ulink.target _self $GENTOC -param toc.section.depth 3 $STYLESHEET $file - done - - for f in shorewall-docs-xml-$VERSION/manpages/*.xml shorewall-docs-xml-$VERSION/manpages6/*.xml; do - case $f in - *template.xml) - ;; - *) - progress_message "Generating HTML from $f..." - do_or_die xsltproc --output ${f%.xml}.html --stringparam html.stylesheet html.css --stringparam ulink.target _self -param toc.section.depth 3 $STYLESHEET $f - ;; - esac - done - - progress_message "Copying manpages to $DIR/$HTMLDIR/images ..." - - do_or_die mkdir $HTMLDIR/manpages - do_or_die cp -a shorewall-docs-xml-$VERSION/manpages/*.html $HTMLDIR/manpages/ - do_or_die rm -f shorewall-docs-xml-$VERSION/manpages/*.html - - do_or_die mkdir $HTMLDIR/manpages6 - do_or_die cp -a shorewall-docs-xml-$VERSION/manpages6/*.html $HTMLDIR/manpages6/ - do_or_die rm -f shorewall-docs-xml-$VERSION/manpages6/*.html - - progress_message "Copying images to $DIR/$HTMLDIR/images ..." - - do_or_die cp -a shorewall-docs-xml-$VERSION/images/*.png $HTMLDIR/images - do_or_die cp -a shorewall-docs-xml-$VERSION/images/*.gif $HTMLDIR/images - do_or_die cp -a shorewall-docs-xml-$VERSION/images/*.jpg $HTMLDIR/images - do_or_die cp -a shorewall-docs-xml-$VERSION/*.css $HTMLDIR - - do_or_die ln -s Documentation_Index.html shorewall-docs-html-$VERSION/index.html - - progress_message "Creating $DIR/shorewall-docs-html-$VERSION tarballs ..." - - do_or_die "tar -zcvf shorewall-docs-html-$VERSION.tgz shorewall-docs-html-$VERSION >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall-docs-html-$VERSION.tar.bz2 shorewall-docs-html-$VERSION >> $LOGFILE 2>&1" - if [ -n "$SIGN" ]; then - for shoresuffix in tgz tar.bz2; do - htmlball=shorewall-docs-html-$VERSION.${shoresuffix} - report "GPG signing $DIR/$htmlball tarball" - rm -f ${htmlball}.asc - do_or_die "$GPG $htmlball" - done - fi - fi -fi - -progress_message "Creating md5sums and sha1sums" - -rm -f $VERSION.md5sums $VERSION.sha1sums - -# -# The following rather awkward algorithm gets around the problem of builds that don't -# include the RPM -# -case $VERSION in - *Beta*|*RC*) - if [ -n "$BUILDCOMMON" ]; then - do_or_die "md5sum shorewall-common-${BASEVERSION}-0${VERSION#*-}.noarch.rpm >> $VERSION.md5sums" - do_or_die "sha1sum shorewall-common-${BASEVERSION}-0${VERSION#*-}.noarch.rpm >> $VERSION.sha1sums" - fi - - if [ -n "$BUILDLITE" ]; then - do_or_die "md5sum shorewall-lite-${BASEVERSION}-0${VERSION#*-}.noarch.rpm >> $VERSION.md5sums" - do_or_die "sha1sum shorewall-lite-${BASEVERSION}-0${VERSION#*-}.noarch.rpm >> $VERSION.sha1sums" - fi - - if [ -n "$BUILDPERL" ]; then - do_or_die "md5sum shorewall-perl-${BASEVERSION}-0${VERSION#*-}.noarch.rpm >> $VERSION.md5sums" - do_or_die "sha1sum shorewall-perl-${BASEVERSION}-0${VERSION#*-}.noarch.rpm >> $VERSION.sha1sums" - fi - - if [ -n "$BUILDSHELL" ]; then - do_or_die "md5sum shorewall-shell-${BASEVERSION}-0${VERSION#*-}.noarch.rpm >> $VERSION.md5sums" - do_or_die "sha1sum shorewall-shell-${BASEVERSION}-0${VERSION#*-}.noarch.rpm >> $VERSION.sha1sums" - fi - ;; - *.*.*.*) - [ -f $RPMNAME ] && do_or_die "md5sum $RPMNAME >> $VERSION.md5sums" - [ -f $RPM6NAME ] && do_or_die "md5sum $RPM6NAME >> $VERSION.md5sums" - [ -f $LITERPMNAME ] && do_or_die "md5sum $LITERPMNAME >> $VERSION.md5sums" - [ -f $LITE6RPMNAME ] && do_or_die "md5sum $LITE6RPMNAME >> $VERSION.md5sums" - [ -f $PERLRPMNAME ] && do_or_die "md5sum $PERLRPMNAME >> $VERSION.md5sums" - [ -f $SHELLRPMNAME ] && do_or_die "md5sum $SHELLRPMNAME >> $VERSION.md5sums" - ;; -esac - -for file in *; do - case $file in - *$VERSION[-.]*tgz|*$VERSION[-.]*rpm|*$VERSION[-.]*bz2) - do_or_die "md5sum $file >> $VERSION.md5sums" - do_or_die "sha1sum $file >> $VERSION.sha1sums" - ;; - esac -done - -if [ -n "$PATCHRELEASE" ]; then - svn update ~/shorewall/tags/${BASEVERSION} - if [ -f ~/shorewall/tags/${BASEVERSION}/known_problems.txt ]; then - cp ~/shorewall/tags/${BASEVERSION}/known_problems.txt . - else - [ -f known_problems.txt ] || echo "There are no known problems in Shorewall version $VERSION" > known_problems.txt - fi -else - echo "There are no known problems in Shorewall version $VERSION" > known_problems.txt -fi - -if [ -n "$OLDVERSION" ]; then - - progress_message "Creating patch-$VERSION ..." - - [ -d shorewall-common-$VERSION ] && diff -Naur -X $(dirname $0)/exclude.txt shorewall-common-$OLDVERSION shorewall-common-$VERSION > patch-common-$VERSION || true - [ -d shorewall6-$VERSION ] && diff -Naur -X $(dirname $0)/exclude.txt shorewall6-$OLDVERSION shorewall6-$VERSION > patch-6-$VERSION || true - [ -d shorewall-lite-$VERSION ] && diff -Naur -X $(dirname $0)/exclude.txt shorewall-lite-$OLDVERSION shorewall-lite-$VERSION > patch-lite-$VERSION || true - [ -d shorewall6-lite-$VERSION ] && diff -Naur -X $(dirname $0)/exclude.txt shorewall6-lite-$OLDVERSION shorewall6-lite-$VERSION > patch-6-lite-$VERSION || true - [ -d shorewall-perl-$VERSION ] && diff -Naur -X $(dirname $0)/exclude.txt shorewall-perl-$OLDVERSION shorewall-perl-$VERSION > patch-perl-$VERSION || true - [ -d shorewall-shell-$VERSION ] && diff -Naur -X $(dirname $0)/exclude.txt shorewall-shell-$OLDVERSION shorewall-shell-$VERSION > patch-shell-$VERSION || true - -fi - -progress_message "Shorewall $VERSION Build complete - $(date)" diff --git a/tools/build/exclude.txt b/tools/build/exclude.txt deleted file mode 100644 index 3813cc22e..000000000 --- a/tools/build/exclude.txt +++ /dev/null @@ -1,4 +0,0 @@ -*.5 -*.8 -*.gz -diff* diff --git a/tools/build/makeshorewall b/tools/build/makeshorewall deleted file mode 100755 index a76d64916..000000000 --- a/tools/build/makeshorewall +++ /dev/null @@ -1,715 +0,0 @@ -#!/bin/sh -# -# Shorewall Release Processing -- (C) 2003,2004,2005 -- Tom Eastep (teastep@shorewall.net) -# -- (C) 2005,2006 -- Cristian Rodriguez (webmaster@shorewall.net) -# Version : $Id$ -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# I install this script in /usr/local/bin/makeshorewall. -# -# Usage: -# -# makeshorewall [ -trhxl ] [ ] -# -# -t Build tarball -# -r Build RPM -# -h Build HTML documentation -# -x Build XML documentation -# -s Sign with GPG -# -p Build shorewall-perl -# -# If no options are given, all options are assumed. -# -# If is given, a patch file reflecting the differences -# between that version and the current version ( ) is -# generated. The directory ./shorewall- must exist and -# contain the version against which the patch is generated. -################################################################################ -# C O N F I G U R A T I O N -################################################################################ -# -# XSL Stylesheet to use for XML->HTML conversion -# -STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/current/xhtml/docbook.xsl -# -# Directory where the build log will be placed. The log has the name -# shorewall_build_.log -# -LOGDIR=$PWD -# -# Your RPM build directory -# -RPMDIR=~/rpm/ -# -# Directory where you want the release to be built -# -DIR=$PWD -# -# location and options for GnuPG -# -GPG="/usr/bin/gpg -ab --batch --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'" -# -# SVN Repository -# -SVN=https://shorewall.svn.sourceforge.net/svnroot/shorewall -# -# Program that generates man pages from Docbook XML -# -DOCBOOK2MAN="docbook-to-man -C /usr/share/docbook2X/xslt/catalog.xml --utf8trans-map /usr/share/docbook2X/charmaps/roff.charmap" -################################################################################ -# V A R I A B L E S -################################################################################ -VERSION= -OLDVERSION= -SHOREWALLDIR= -SHOREWALLLITEDIR= -SOURCEDIR= -SVNBRANCH= -LITESVNBRANCH= -XMLPROJ= -RPMNAME= -LITERPMNAME= -TARBALL= -LITETARBALL= -LOGFILE= -HTMLDIR= -BUILDTARBALL= -BUILDRPM= -BUILDXML= -BUILDHTML= -SAMPLESTAG= -HASLITE= -SIGN= -MANPAGETAG= -LITEMANPAGETAG= -BUILDPERL= -PERLDIR= -PERLBRANCH= -PERLRPMNAME= -PERLTARBALL= -################################################################################ -# F U N C T I O N S -################################################################################ -progress_message() -{ - echo >> $LOGFILE - echo "$@" | tee -a $LOGFILE - echo >> $LOGFILE -} - -report() -{ - echo "$@" | tee -a $LOGFILE -} - -do_or_die() -{ - eval $@ || { progress_message "Step \"$*\" FAILED" ; exit 2; } -} - -fatal_error() { - progress_message "$*" - exit 2 -} - -list_search() # $1 = element to search for , $2-$n = list -{ - local e - e=$1 - - while [ $# -gt 1 ]; do - shift - [ "x$e" = "x$1" ] && return 0 - done - - return 1 -} - -usage() -{ - echo "usage: $(basename $0) [ -trhxl] [ ]" - exit 2 -} -################################################################################ -# E X E C U T I O N S T A R T S H E R E -################################################################################ - -set -e -set -u - - -done= - -[ $# -eq 0 ] && usage - -case $1 in - -*) - ;; - *) - BUILDTARBALL=Yes - BUILDRPM=Yes - BUILDHTML=Yes - BUILDXML=Yes - BUILDRPM=Yes - done=Yes - SIGN=Yes - ;; -esac - -while [ -z "$done" ]; do - [ $# -eq 0 ] && break - - option=$1 - case $option in - -*) - option=${option#-} - - [ -z "$option" ] && break - - while [ -n "$option" ]; do - case $option in - t*) - BUILDTARBALL=Yes - option=${option#t} - ;; - r*) - BUILDTARBALL=Yes - BUILDRPM=Yes - option=${option#r} - ;; - h*) - BUILDHTML=Yes - option=${option#h} - ;; - x*) - BUILDXML=Yes - option=${option#x} - ;; - s*) - SIGN=Yes - option=${option#s} - ;; - p*) - BUILDPERL=Yes - option=${option#p} - ;; - *) - usage - ;; - esac - done - shift - ;; - *) - done=Yes - ;; - esac -done - -case $# in - 1) - ;; - 2) - OLDVERSION=$2 - ;; - *) - usage - ;; -esac - -VERSION=$1 -LOGFILE=$LOGDIR/shorewall_build_${VERSION}.log -touch $LOGFILE -progress_message "Build of Shorewall $VERSION on $(date)" - -case $VERSION in - 3.2.*) - SVNBRANCH="branches/3.2/Shorewall" - LITESVNBRANCH="branches/3.2/Shorewall-lite" - DOCTAG="branches/3.4/docs" - XMLPROJ="docs-3.2" - SAMPLESTAG="branches/3.2/Samples" - HASLITE=Yes - ;; - 3.4.*) - SVNBRANCH="branches/3.4/Shorewall" - LITESVNBRANCH="branches/3.4/Shorewall-lite" - DOCTAG="branches/3.4/docs" - XMLPROJ="docs-3.4" - SAMPLESTAG="branches/3.4/Samples" - HASLITE=Yes - MANPAGETAG=branches/3.4/manpages - LITEMANPAGETAG=branches/3.4/manpages-lite - ;; - *) - echo "Unsupported Version: $VERSION" - exit 2 - ;; -esac - -[ -d $DIR ] || { echo "Directory $DIR does not exist or is unaccessible" ; exit 2 ; } - -progress_message "Distribution directory is $DIR" - -cd $DIR - -case $VERSION in - *Beta*|*RC*) - # - # Beta or Release Candidate - # - SHOREWALLDIR=shorewall-${VERSION%-*} - SHOREWALLLITEDIR=shorewall-lite-${VERSION%-*} - TARBALL=shorewall-${VERSION%-*}.tgz - LITETARBALL=shorewall-lite-${VERSION%-*}.tgz - RPMNAME=shorewall-${VERSION%-*}-0${VERSION#*-}.noarch.rpm - LITERPMNAME=shorewall-lite-${VERSION%-*}-0${VERSION#*-}.noarch.rpm - PERLRPMNAME=shorewall-perl-${VERSION%-*}-0${VERSION#*-}.noarch.rpm - PERLTARBALL=shorewall-perl-${VERSION%-*}.tgz - PERLDIR=shorewall-perl-${VERSION%-*} - ;; - *) - # - # Normal Release - # - SHOREWALLDIR=shorewall-$VERSION - SHOREWALLLITEDIR=shorewall-lite-$VERSION - TARBALL=shorewall-$VERSION.tgz - LITETARBALL=shorewall-lite-$VERSION.tgz - RPMNAME=shorewall-${VERSION}-1.noarch.rpm - LITERPMNAME=shorewall-lite-${VERSION}-1.noarch.rpm - PERLRPMNAME=shorewall-perl-${VERSION}-1.noarch.rpm - PERLDIR=shorewall-perl-$VERSION - PERLTARBALL=shorewall-perl-$VERSION.tgz - ;; -esac - -HTMLDIR=shorewall-docs-html-$VERSION - -if [ -n "${BUILDTARBALL}${BUILDRPM}" ]; then - report "Shorewall directory is $DIR/$SHOREWALLDIR" - report "Shorewall Lite directory is $DIR/$SHOREWALLLITEDIR" - report "SVN tag is $SVNBRANCH" - report "Lite SVN tag is $LITESVNBRANCH" - [ -n "$BUILDTARBALL" ] && report "TARBALL is $TARBALL" && report "LITETARBALL is $LITETARBALL" - [ -n "$BUILDRPM" ] && report "RPM is $RPMNAME" && report "LITERPM is $LITERPMNAME" -fi - -[ -n "$BUILDHTML" ] && report "HTML Directory is $HTMLDIR" - -if [ -n "$BUILDPERL" ]; then - report "shorewall-perl directory is $DIR/$PERLDIR" - report "Perl SVN tag is $PERLBRANCH" - report "Perl RPM is $PERLRPMNAME" - - rm -rf $PERLDIR - - progress_message "Exporting $PERLBRANCH from SVN..." - do_or_die "svn export --non-interactive --force ${SVN}/$PERLBRANCH $PERLDIR >> $LOGFILE 2>&1" - - progress_message "Creating $DIR/$PERLTARBALL..." - do_or_die "tar -zcvf $PERLTARBALL $PERLDIR >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall-perl-${VERSION%-*}.tar.bz2 $PERLDIR >> $LOGFILE 2>&1" - - if [ -n "$SIGN" ]; then - for shoresuffix in tgz tar.bz2; do - shoreball=shorewall-perl-${VERSION%-*}.${shoresuffix} - report "GPG signing $DIR/$shoreball" - rm -f ${shoreball}.asc - do_or_die "$GPG $shoreball" - done - fi - - progress_message "Building $PERLRPMNAME..." - - test -n "$SIGN" && SIGN="--sign" - rm -rf $RPMDIR/BUILD/shorewall-perl-${VERSION%-*}* - do_or_die "cp shorewall-perl-${VERSION%-*}.tgz $RPMDIR/SOURCES/" - do_or_die "cp $PERLDIR/shorewall-perl.spec $RPMDIR/SPECS/" - do_or_die "rpmbuild -ba $SIGN $RPMDIR/SPECS/shorewall-perl.spec >> $LOGFILE 2>&1" - do_or_die cp -a $RPMDIR/RPMS/noarch/$PERLRPMNAME . - - > $VERSION.md5sums - > $VERSION.sha1sums - - for file in *; do - case $file in - *-perl-$VERSION[-.]*tgz|*-perl-$VERSION[-.]*rpm|*perl-$VERSION[-.]*bz2) - do_or_die "md5sum $file >> $VERSION.md5sums" - do_or_die "sha1sum $file >> $VERSION.sha1sums" - ;; - esac -done -fi - -if [ -n "${BUILDTARBALL}${BUILDRPM}" ]; then - progress_message "Exporting $SVNBRANCH from SVN..." - - rm -rf $SHOREWALLDIR - rm -rf $SHOREWALLLITEDIR - - do_or_die "svn export --non-interactive --force ${SVN}/$SVNBRANCH $SHOREWALLDIR >> $LOGFILE 2>&1" - - if [ -n "$HASLITE" ]; then - progress_message "Exporting $LITESVNBRANCH from SVN..." - do_or_die "svn export --non-interactive --force ${SVN}/$LITESVNBRANCH $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - do_or_die "cp $SHOREWALLDIR/modules $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - if [ -f $SHOREWALLDIR/lib.base ]; then - do_or_die "cp $SHOREWALLDIR/lib.base $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - if [ -f $SHOREWALLDIR/lib.cli ]; then - do_or_die "cp $SHOREWALLDIR/lib.cli $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - fi - if [ -f $SHOREWALLDIR/wait4ifup ]; then - do_or_die "cp $SHOREWALLDIR/wait4ifup $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - fi - else - do_or_die "cp $SHOREWALLDIR/functions $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - fi - do_or_die "cp $SHOREWALLDIR/changelog.txt $SHOREWALLDIR/releasenotes.txt $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - fi - - fgrep VERSION=$VERSION $SHOREWALLDIR/install.sh > /dev/null 2>&1 || fatal_error "install.sh has wrong version" - fgrep VERSION=$VERSION $SHOREWALLDIR/uninstall.sh > /dev/null 2>&1 || fatal_error "uninstall.sh has wrong version" - fgrep VERSION=$VERSION $SHOREWALLDIR/fallback.sh > /dev/null 2>&1 || fatal_error "fallback.sh has wrong version" - if [ -n "$HASLITE" ]; then - fgrep VERSION=$VERSION $SHOREWALLLITEDIR/install.sh > /dev/null 2>&1 || fatal_error "Lite install.sh has wrong version" - fgrep VERSION=$VERSION $SHOREWALLLITEDIR/uninstall.sh > /dev/null 2>&1 || fatal_error "Lite uninstall.sh has wrong version" - fgrep VERSION=$VERSION $SHOREWALLLITEDIR/fallback.sh > /dev/null 2>&1 || fatal_error "Lite fallback.sh has wrong version" - fi - - if [ -n "$SAMPLESTAG" ]; then - cd $SHOREWALLDIR - do_or_die "svn export --non-interactive --force ${SVN}/$SAMPLESTAG Samples >> $LOGFILE 2>&1" - cd $DIR - fi - - if [ -n "$MANPAGETAG" ]; then - cd $SHOREWALLDIR - progress_message "Exporting $MANPAGETAG from SVN..." - do_or_die "svn export --non-interactive --force ${SVN}/$MANPAGETAG manpages >> $LOGFILE 2>&1" - cd manpages - for f in *.xml; do - if [ $f != shorewall-template.xml ]; then - progress_message "Generating Man Page from $f..." - $DOCBOOK2MAN $f - fi - done - rm *.xml - perl -p -i'' -e 's/ \[.*?html\]//g' *.5 *.8 - cd $DIR - - cd $SHOREWALLLITEDIR - - progress_message "Exporting $LITEMANPAGETAG from SVN..." - do_or_die "svn export --non-interactive --force ${SVN}/$LITEMANPAGETAG manpages >> $LOGFILE 2>&1" - cd manpages - for f in *.xml; do - if [ $f != shorewall-template.xml ]; then - progress_message "Generating Man Page from $f..." - $DOCBOOK2MAN $f - fi - done - rm *.xml - perl -p -i'' -e 's/ \[.*?html\]//g' *.5 *.8 - cd $DIR - fi - - do_or_die "rm -rf $SHOREWALLDIR/debian" - - if [ -n "$BUILDTARBALL" ]; then - - progress_message "Creating $DIR/$TARBALL..." - - do_or_die "tar -zcvf $TARBALL $SHOREWALLDIR >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall-${VERSION%-*}.tar.bz2 $SHOREWALLDIR >> $LOGFILE 2>&1" - if [ -n "$SIGN" ]; then - for shoresuffix in tgz tar.bz2; do - shoreball=shorewall-${VERSION%-*}.${shoresuffix} - report "GPG signing $DIR/$shoreball" - rm -f ${shoreball}.asc - do_or_die "$GPG $shoreball" - done - fi - if [ -n "$HASLITE" ]; then - progress_message "Creating $DIR/$LITETARBALL..." - do_or_die "tar -zcvf $LITETARBALL $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall-lite-${VERSION%-*}.tar.bz2 $SHOREWALLLITEDIR >> $LOGFILE 2>&1" - if [ -n "$SIGN" ]; then - for shoresuffix in tgz tar.bz2; do - shoreball=shorewall-lite-${VERSION%-*}.${shoresuffix} - report "GPG signing $DIR/$shoreball" - rm -f ${shoreball}.asc - do_or_die "$GPG $shoreball" - done - fi - fi - fi - - if [ -n "$BUILDRPM" ]; then - progress_message "Building $RPMNAME..." - - test -n "$SIGN" && SIGN="--sign" - rm -rf $RPMDIR/BUILD/shorewall-${VERSION%-*} - do_or_die "cp shorewall-${VERSION%-*}.tgz $RPMDIR/SOURCES/" - do_or_die "cp $SHOREWALLDIR/shorewall.spec $RPMDIR/SPECS/" - do_or_die "rpmbuild -ba $SIGN $RPMDIR/SPECS/shorewall.spec >> $LOGFILE 2>&1" - do_or_die cp -a $RPMDIR/RPMS/noarch/$RPMNAME . - - if [ -n "$HASLITE" ]; then - progress_message "Building $LITERPMNAME..." - - rm -rf $RPMDIR/BUILD/shorewall-${VERSION%-*} - do_or_die "cp shorewall-lite-${VERSION%-*}.tgz $RPMDIR/SOURCES/" - do_or_die "cp $SHOREWALLLITEDIR/shorewall-lite.spec $RPMDIR/SPECS/" - do_or_die "rpmbuild -ba $SIGN $RPMDIR/SPECS/shorewall-lite.spec >> $LOGFILE 2>&1" - do_or_die cp -a $RPMDIR/RPMS/noarch/$LITERPMNAME . - fi - fi -fi - -if [ -n "${BUILDXML}${BUILDHTML}" ]; then - progress_message "Exporting $XMLPROJ from SVN..." - - rm -rf $XMLPROJ - rm -rf shorewall-docs-xml-$VERSION - - do_or_die "svn export --non-interactive --force ${SVN}/$DOCTAG $XMLPROJ >> $LOGFILE 2>&1" - do_or_die mv $XMLPROJ shorewall-docs-xml-$VERSION - - rm -f shorewall-docs-xml-$VERSION/images/*.vsd - rm -f shorewall-docs-xml-$VERSION/images/~* - rm -f shorewall-docs-xml-$VERSION/images/*.JPG - rm -f shorewall-docs-xml-$VERSION/images/publish - rm -f shorewall-docs-xml-$VERSION/images/Thumbs.db - - if [ -n "$BUILDXML" ]; then - progress_message "Creating $DIR/shorewall-docs-xml-$VERSION tarballs" - do_or_die "tar -zcvf shorewall-docs-xml-$VERSION.tgz shorewall-docs-xml-$VERSION >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall-docs-xml-$VERSION.tar.bz2 shorewall-docs-xml-$VERSION >> $LOGFILE 2>&1" - if [ -n "$SIGN" ]; then - for shoresuffix in tgz tar.bz2; do - xmlball=shorewall-docs-xml-$VERSION.${shoresuffix} - report "GPG signing $DIR/$xmlball tarball" - rm -f ${xmlball}.asc - do_or_die "$GPG $xmlball" - done - fi - fi - - if [ -n "$BUILDHTML" ]; then - progress_message "Building $HTMLDIR ..." - - rm -rf $HTMLDIR - - do_or_die mkdir $HTMLDIR - do_or_die mkdir $HTMLDIR/images - # - # The original HTML documents were created using MS FrontPage and used - # the .htm suffix. The remainder use the .html suffix. - # - HTMFILES=" - 6to4.htm - blacklisting_support.htm - configuration_file_basics.htm - CorpNetwork.htm - dhcp.htm - Documentation.htm - errata.htm - fallback.htm - FAQ.htm - GnuCopyright.htm - Install.htm - IPIP.htm - IPSEC.htm - kernel.htm - myfiles.htm - NAT.htm - ports.htm - PPTP.htm - ProxyARP.htm - quotes.htm - samba.htm - shorewall_extension_scripts.htm - shorewall_features.htm - shorewall_mirrors.htm - shorewall_prerequisites.htm - shorewall_quickstart_guide.htm - shorewall_setup_guide_fr.htm - shorewall_setup_guide.htm - Shorewall_sfindex_frame.htm - standalone.htm - starting_and_stopping_shorewall.htm - support.htm - three-interface.htm - traffic_shaping.htm - troubleshoot.htm - two-interface.htm - upgrade_issues.htm - VPN.htm - whitelisting_under_shorewall.htm" - - NOTOC=" - Documentation_Index.xml - ECN.xml - fallback.xml - GettingStarted.xml - IPP2P.xml - ping.xml - ProxyARP.xml - Shorewall_Doesnt.xml - shorewall_features.xml - shorewall_prerequisites.xml - SimpleBridge.xml" - - for file in shorewall-docs-xml-$VERSION/*.xml; do - a=$(basename $file) - b=${a%.*} - list_search $b.htm $HTMFILES && b=$b.htm || b=$b.html - f="shorewall-docs-html-$VERSION/$b" - list_search $1 $NOTOC && GENTOC="--stringparam generate.toc ''" || GENTOC= - - case $file in - *_ru.xml) - LANGUAGE="--stringparam l10n.gentext.default.language ru" - ;; - *_fr.xml) - LANGUAGE="--stringparam l10n.gentext.default.language fr" - ;; - *) - LANGUAGE= - ;; - esac - - report "Converting $DIR/$file from XML to HTML ($DIR/$f) ..." - - do_or_die xsltproc --output $f --stringparam html.stylesheet html.css --stringparam ulink.target _self $GENTOC -param toc.section.depth 3 $STYLESHEET $file - done - - progress_message "Copying images to $DIR/$HTMLDIR/images ..." - - do_or_die cp -a shorewall-docs-xml-$VERSION/images/*.png $HTMLDIR/images - do_or_die cp -a shorewall-docs-xml-$VERSION/images/*.gif $HTMLDIR/images - do_or_die cp -a shorewall-docs-xml-$VERSION/images/*.jpg $HTMLDIR/images - do_or_die cp -a shorewall-docs-xml-$VERSION/*.css $HTMLDIR - - do_or_die ln -s Documentation_Index.html shorewall-docs-html-$VERSION/index.html - - progress_message "Creating $DIR/shorewall-docs-html-$VERSION tarballs ..." - - do_or_die "tar -zcvf shorewall-docs-html-$VERSION.tgz shorewall-docs-html-$VERSION >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall-docs-html-$VERSION.tar.bz2 shorewall-docs-html-$VERSION >> $LOGFILE 2>&1" - if [ -n "$SIGN" ]; then - for shoresuffix in tgz tar.bz2; do - htmlball=shorewall-docs-html-$VERSION.${shoresuffix} - report "GPG signing $DIR/$htmlball tarball" - rm -f ${htmlball}.asc - do_or_die "$GPG $htmlball" - done - fi - fi -fi - -[ -n "$BUILDTARBALL" ] && case $VERSION in - *Beta*|*RC*) - # - # The original tarball created above didn't include the -Beta or -RC portion of the - # name in either the tarball name or the directory name. Create it here - # - progress_message "Creating $DIR/shorewall-$VERSION..." - - rm -rf shorewall-$VERSION - - do_or_die mv $SHOREWALLDIR shorewall-$VERSION - - progress_message "Creating $DIR/shorewall-${VERSION}.tgz ..." - - do_or_die "tar -zcvf shorewall-${VERSION}.tgz shorewall-$VERSION >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall-$VERSION.tar.bz2 shorewall-$VERSION >> $LOGFILE 2>&1" - - if [ -n "$SIGN" ]; then - for shoresuffix in tgz tar.bz2; do - betaball=shorewall-$VERSION.${shoresuffix} - report "GPG signing $DIR/$betaball tarball" - rm -f ${betaball}.asc - do_or_die "$GPG $betaball" - done - fi - - - if [ -n "$HASLITE" ]; then - progress_message "Creating $DIR/shorewall-lite-$VERSION..." - - rm -rf shorewall-lite-$VERSION - - do_or_die mv $SHOREWALLLITEDIR shorewall-lite-$VERSION - - - progress_message "Creating $DIR/shorewall-lite-${VERSION}.tgz ..." - - do_or_die "tar -zcvf shorewall-lite-${VERSION}.tgz shorewall-lite-$VERSION >> $LOGFILE 2>&1" - do_or_die "tar -jcvf shorewall-lite-$VERSION.tar.bz2 shorewall-lite-$VERSION >> $LOGFILE 2>&1" - - if [ -n "$SIGN" ]; then - for shoresuffix in tgz tar.bz2; do - betaball=shorewall-lite-$VERSION.${shoresuffix} - report "GPG signing $DIR/$betaball tarball" - rm -f ${betaball}.asc - do_or_die "$GPG $betaball" - done - fi - fi - ;; -esac - -progress_message "Creating md5sums and sha1sums" - -rm -f $VERSION.md5sums $VERSION.sha1sums - -# -# The following rather awkward algorithm gets around the problem of builds that don't -# include the RPM -# -case $VERSION in - *Beta*|*RC*) - do_or_die "md5sum shorewall-${VERSION%-*}-0${VERSION#*-}.noarch.rpm >> $VERSION.md5sums" - do_or_die "sha1sum shorewall-${VERSION%-*}-0${VERSION#*-}.noarch.rpm >> $VERSION.sha1sums" - if [ -n "$HASLITE" ]; then - do_or_die "md5sum shorewall-lite-${VERSION%-*}-0${VERSION#*-}.noarch.rpm >> $VERSION.md5sums" - do_or_die "sha1sum shorewall-lite-${VERSION%-*}-0${VERSION#*-}.noarch.rpm >> $VERSION.sha1sums" - fi - ;; -esac - -for file in *; do - case $file in - *$VERSION[-.]*tgz|*$VERSION[-.]*rpm|*$VERSION[-.]*bz2) - do_or_die "md5sum $file >> $VERSION.md5sums" - do_or_die "sha1sum $file >> $VERSION.sha1sums" - ;; - esac -done - -if [ -n "$OLDVERSION" ]; then - progress_message "Creating patch-$VERSION ..." - - diff -Naur -X $(dirname $0)/exclude.txt shorewall-$OLDVERSION shorewall-$VERSION > patch-$VERSION || true - if [ -n "$HASLITE" ]; then - diff -Naur -X $(dirname $0)/exclude.txt shorewall-lite-$OLDVERSION shorewall-lite-$VERSION >> patch-$VERSION || true - fi -fi - -progress_message "Shorewall $VERSION Build complete - $(date)" diff --git a/tools/build/makeshorewall-debian b/tools/build/makeshorewall-debian deleted file mode 100755 index c6d9e92e3..000000000 --- a/tools/build/makeshorewall-debian +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/sh - -# Basic script to build a Debian package - should be executed from the -# main Shorewall source directory (containing the debian/ subdirectory). - -set -e -set -u -set -x - -PROGNAME=`basename $0` -MODULE=Shorewall -PACKAGE=shorewall -DATE=`date +%Y%m%d` -VERSION="2.5-cvs$DATE.1" -# This uses developer CVS - until SF.net fix the 5-hour delay between -# developer and anonymous CVS, this is the preferred mechanism. -ROOT=":ext:cvs.sourceforge.net:/cvsroot/shorewall" -#ROOT=":pserver:anonymous@cvs.sourceforge.net:/cvsroot/shorewall" -TAG=HEAD -DIR="/tmp/$PACKAGE-$VERSION" -# Adjust this to the location of a local repository. -REPOSITORY=/share/src/shorewall/apt - -# Email address for Debian changelog entry - the email address is also -# used by dpkg-buildpackage to look up the GPG key. -export DEBEMAIL='Shorewall Autobuilder ' - -# clean up first -rm -rf $DIR -mkdir -p $DIR -cd $DIR - -# Export the source -cvs -d "$ROOT" -q export -r HEAD $MODULE -cd $MODULE - -# Create a dummy changelog entry -debchange --newversion $VERSION "Autobuild by $PROGNAME" - -# Build the package -dpkg-buildpackage -rfakeroot - -# move to repository -cd .. -mkdir -p $REPOSITORY/incoming -mv *.dsc *.tar.gz *.changes *.deb $REPOSITORY/incoming/ diff --git a/tools/build/setversion b/tools/build/setversion deleted file mode 100755 index 49cab3c9f..000000000 --- a/tools/build/setversion +++ /dev/null @@ -1,77 +0,0 @@ -#!/bin/sh -# -# Update the version in a set of Shorewall product directories -# -# (C) 2007 -- Tom Eastep (teastep@shorewall.net) -# -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Usage: -# -# setversion -# -[ $# -eq 1 ] || { echo "usage: setversion " >&2; exit 1; } - -VERSION=$1 -SUFFIX= - -case $VERSION in - 4.[02].*.*) - RPMVERSION=${VERSION%.*} - RELEASE=${VERSION##*.} - SUFFIX="-$RELEASE" - ;; - 4.*.*.*) - RPMVERSION=${VERSION%.*} - RELEASE=${VERSION##*.} - ;; - *-*) - RPMVERSION=${VERSION%-*} - RELEASE=0${VERSION##*-} - ;; - *) - RPMVERSION=${VERSION} - RELEASE=0base - ;; -esac - -for product in "" -common 6 -lite 6-lite -shell -perl; do - dir=Shorewall${product}${SUFFIX} - - for file in $dir/install.sh $dir/uninstall.sh $dir/fallback.sh; do - [ -f $file ] && eval perl -p -i -e "'s/^VERSION=.*/VERSION=${VERSION}/'" $file - done - - file=$dir/shorewall${product}.spec - [ -f $file ] && eval perl -n -i -e "'s/^%define version .*/%define version ${RPMVERSION}/; \ - s/^%define release .*/%define release ${RELEASE}/; \ - print \$_; \ - if ( /%changelog/ ) {\ - print \"\* $(date +'%a %b %d %Y') Tom Eastep tom\\@shorewall.net\\n\"; \ - print \"- Updated to ${RPMVERSION}-${RELEASE}\\n\"; \ - }'" $file -done - -file=Shorewall-perl${SUFFIX}/Shorewall/Config.pm -[ -f $file ] && eval perl -p -i -e "'s/^(\s+)VERSION => .*/\$1VERSION => \"${VERSION}\",/'" $file - -file=Shorewall${SUFFIX}/Shorewall/Config.pm -[ -f $file ] && eval perl -p -i -e "'s/^(\s+)VERSION => .*/\$1VERSION => \"${VERSION}\",/'" $file - -file=Shorewall${SUFFIX}/Perl/Shorewall/Config.pm -[ -f $file ] && eval perl -p -i -e "'s/^(\s+)VERSION => .*/\$1VERSION => \"${VERSION}\",/'" $file - diff --git a/tools/build/stage b/tools/build/stage deleted file mode 100755 index bf3d72ea3..000000000 --- a/tools/build/stage +++ /dev/null @@ -1,266 +0,0 @@ -#!/bin/sh -# -# Stage a release on the master server -# -# (C) 2007 -- Tom Eastep (teastep@shorewall.net) -# -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Usage: -# -# stage [-pclL6sxh] -# - -usage() { - echo "Usage: stage [-pclL6sxh] " -} - -rpm= -rpm6= -literpm= -lite6rpm= -perlrpm= -shellrpm= - -DEST= -USER="webadmin@mail.shorewall.net" -SHOREWALL=shorewall -COMMAND=scp - -UPLOADCOMMON= -UPLOADPERL= -UPLOADSHELL= -UPLOADLITE= -UPLOADXML= -UPLOADHTML= -UPLOAD6= -UPLOAD6LITE= -PARTIAL=Yes -BASE= - -done= - -case $1 in - -*) - ;; - *) - UPLOADCOMMON=Yes - UPLOADPERL=Yes - UPLOADSHELL=Yes - UPLOADLITE=Yes - UPLOADXML=Yes - UPLOADHTML=Yes - - case $1 in - 4.0.*) - ;; - *) - UPLOAD6=Yes - UPLOAD6LITE=Yes - ;; - esac - - PARTIAL= - done=Yes - ;; -esac - -while [ -z "$done" ]; do - [ $# -eq 0 ] && break - - option=$1 - case $option in - -*) - option=${option#-} - - [ -z "$option" ] && break - - while [ -n "$option" ]; do - case $option in - p*) - UPLOADPERL=Yes - option=${option#p} - ;; - c*) - UPLOADCOMMON=Yes - option=${option#c} - ;; - s*) - UPLOADSHELL=Yes - option=${option#s} - ;; - l*) - UPLOADLITE=Yes - option=${option#l} - ;; - x*) - UPLOADXML=Yes - option=${option#x} - ;; - h*) - UPLOADHTML=Yes - option=${option#h} - ;; - 6*) - UPLOAD6=Yes - option=${option#6} - ;; - L*) - UPLOAD6LITE=Yes - option=${option#L} - ;; - *) - usage - ;; - esac - done - shift - ;; - *) - done=Yes - ;; - esac - done - - -case $1 in - 4.*Beta*|4.*RC*) - DEST="/srv/ftp/pub/shorewall/development/staging/${1%.*}/shorewall-$1" - SHOREWALL=shorewall-common - rpm=shorewall-common-${1%-*}-0${1#*-}.noarch.rpm - rpm6=shorewall6-${1%-*}-0${1#*-}.noarch.rpm - literpm=shorewall-lite-${1%-*}-0${1#*-}.noarch.rpm - lite6rpm=shorewall6-lite-${1%-*}-0${1#*-}.noarch.rpm - perlrpm=shorewall-perl-${1%-*}-0${1#*-}.noarch.rpm - shellrpm=shorewall-shell-${1%-*}-0${1#*-}.noarch.rpm - BASE=Yes - ;; - *.*.*.*) - BASEVERSION=${1%.*} - PATCHNUM=${1##*.} - DEST="/srv/ftp/pub/shorewall/development/staging/${BASEVERSION%.*}/shorewall-${BASEVERSION}" - SHOREWALL=shorewall-common - rpm=shorewall-common-${BASEVERSION}-${PATCHNUM}.noarch.rpm - literpm=shorewall-lite-${BASEVERSION}-${PATCHNUM}.noarch.rpm - perlrpm=shorewall-perl-${BASEVERSION}-${PATCHNUM}.noarch.rpm - shellrpm=shorewall-shell-${BASEVERSION}-${PATCHNUM}.noarch.rpm - ;; - 4.0.*) - DEST="/srv/ftp/pub/shorewall/development/staging/${1%.*}/shorewall-$1" - SHOREWALL=shorewall-common - rpm=shorewall-common-${1}-0base.noarch.rpm - literpm=shorewall-lite-${1}-0base.noarch.rpm - perlrpm=shorewall-perl-${1}-0base.noarch.rpm - shellrpm=shorewall-shell-${1}-0base.noarch.rpm - BASE=Yes - ;; - 4.[12].*) - DEST="/srv/ftp/pub/shorewall/development/staging/${1%.*}/shorewall-$1" - SHOREWALL=shorewall-common - rpm=shorewall-common-${1}-0base.noarch.rpm - rpm6=shorewall6-${BASEVERSION}-${PATCHNUM}.noarch.rpm - literpm=shorewall-lite-${1}-0base.noarch.rpm - lite6rpm=shorewall6-lite-${1}-0base.noarch.rpm - perlrpm=shorewall-perl-${1}-0base.noarch.rpm - shellrpm=shorewall-shell-${1}-0base.noarch.rpm - BASE=Yes - ;; - 4.3.*) - DEST="/srv/ftp/pub/shorewall/development/staging/${1%.*}/shorewall-$1" - SHOREWALL=shorewall-common - rpm=shorewall-common-${1}-0base.noarch.rpm - literpm=shorewall-lite-${1}-0base.noarch.rpm - perlrpm=shorewall-perl-${1}-0base.noarch.rpm - shellrpm=shorewall-shell-${1}-0base.noarch.rpm - rpm6=shorewall6-${1}-0base.noarch.rpm - lite6rpm=shorewall6-lite-${1}-0base.noarch.rpm - BASE=Yes - ;; - 3.*[13579].*) - DEST="/srv/ftp/pub/shorewall/development/staging/${1%.*}/shorewall-$1" - rpm=shorewall-${1}-1.noarch.rpm - literpm=shorewall-lite-${1}-1.noarch.rpm - ;; - *.*[13579].*) - DEST="/srv/ftp/pub/shorewall/development/staging/${1%.*}/shorewall-$1" - rpm=shorewall-${1}-1.noarch.rpm - ;; - 3.*Beta*|*RC*) - DEST="/srv/ftp/pub/shorewall/development/staging/${1%.*}/shorewall-$1" - rpm=shorewall-${1%-*}-0${1#*-}.noarch.rpm - literpm=shorewall-lite-${1%-*}-0${1#*-}.noarch.rpm - ;; - *.*Beta*|*RC*) - DEST="/srv/ftp/pub/shorewall/development/staging/${1%.*}/shorewall-$1" - rpm=shorewall-${1%-*}-0${1#*-}.noarch.rpm - literpm=shorewall-lite-${1%-*}-0${1#*-}.noarch.rpm - perlrpm=shorewall-perl-${1%-*}-0${1#*-}.noarch.rpm - shellrpm=shorewall-shell-${1%-*}-0${1#*-}.noarch.rpm - ;; - 3.[2468].*) - DEST="/srv/ftp/pub/shorewall/development/staging/${1%.*}/shorewall-$1" - rpm=shorewall-${1}-1.noarch.rpm - literpm=shorewall-lite-${1}-1.noarch.rpm - ;; - *.[2468].*) - DEST="/srv/ftp/pub/shorewall/development/staging/${1%.*}/shorewall-$1" - rpm=shorewall-${1}-1.noarch.rpm - literpm=shorewall-lite-${1}-1.noarch.rpm - perlrpm=shorewall-perl-${1}-1.noarch.rpm - shellrpm=shorewall-shell-${1}-1.noarch.rpm - ;; - *) - DEST="/srv/ftp/pub/shorewall/development/staging/${1%.*}/shorewall-$1" - rpm=shorewall-${1}-1.noarch.rpm - ;; -esac - -[ $# -eq 1 ] || { echo "Usage: $(basename $0) "; exit 2; } - -[ -d errata ] || mkdir errata - -[ -f known_problems.txt ] || echo "There are no known problems in Shorewall version $1" > known_problems.txt - -[ -n "$PARTIAL" -a -z "$UPLOADCOMMON" ] && SHOREWALLDIR=shorewall-common || SHOREWALLDIR=$SHOREWALL-${1} - -cp $SHOREWALLDIR/releasenotes.txt releasenotes.txt - -if [ "$HOSTNAME" = lists ]; then - mkdir -p $DEST - [ -n "$BASE" ] && mkdir $DEST/base - COMMAND=cp -else - ssh $USER mkdir -p $DEST - [ -n "$BASE" ] && ssh $USER mkdir -p $DEST/base - DEST=${USER}:${DEST} -fi - -files="errata known_problems.txt releasenotes.txt patch-*-$1 ${1}.*" -base= - -[ -n "$UPLOAD6" ] && base="shorewall6-${1}.tar.*" && files="$files shorewall6-${1}.* $rpm6" -[ -n "$UPLOADPERL" ] && base="shorewall-perl-${1}.tar.*" && files="$files shorewall-perl-${1}.* $perlrpm" -[ -n "$UPLOADCOMMON" ] && base="$base shorewall-common-${1}.tar.*" && files="$files shorewall-common-${1}.* $rpm" -[ -n "$UPLOADSHELL" ] && base="$base shorewall-shell-${1}.tar.*" && files="$files shorewall-shell-${1}.* $shellrpm" -[ -n "$UPLOADLITE" ] && base="$base shorewall-lite-${1}.tar.*" && files="$files shorewall-lite-${1}.* $literpm" -[ -n "$UPLOAD6LITE" ] && base="$base shorewall6-lite-${1}.tar.*" && files="$files shorewall6-lite-${1}.* $lite6rpm" -[ -n "$UPLOADXML" ] && base="$base shorewall-docs-xml-${1}.tar.*" && files="$files shorewall-docs-xml-${1}.* $literpm" -[ -n "$UPLOADHTML" ] && base="$base shorewall-docs-html-${1}.tar.*" && files="$files shorewall-docs-html-${1}.* $literpm" - -[ -n "$BASE" ] && $COMMAND $base $DEST/base - -$COMMAND -r $files $DEST diff --git a/tools/build/stage44 b/tools/build/stage44 deleted file mode 100755 index b0de09a47..000000000 --- a/tools/build/stage44 +++ /dev/null @@ -1,202 +0,0 @@ -#!/bin/sh -# -# Stage a release to the master server -# -# (C) 2007 -- Tom Eastep (teastep@shorewall.net) -# -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Usage: -# -# stage [-pclL6sxh] -# - -usage() { - echo "Usage: stage [-pclL6sxh] " -} - -rpm= -rpm6= -literpm= -lite6rpm= -perlrpm= -shellrpm= - -DEST= -USER="webadmin@mail.shorewall.net" -SHOREWALL=shorewall -COMMAND=scp - -STAGECOMMON= -STAGELITE= -STAGEXML= -STAGEHTML= -STAGE6= -STAGE6LITE= -PARTIAL=Yes -BASE= - -done= - -case $1 in - -*) - ;; - *) - STAGECOMMON=Yes - STAGEPERL=Yes - STAGESHELL=Yes - STAGELITE=Yes - STAGEXML=Yes - STAGEHTML=Yes - STAGE6=Yes - STAGE6LITE=Yes - PARTIAL= - done=Yes - ;; -esac - -while [ -z "$done" ]; do - [ $# -eq 0 ] && break - - option=$1 - case $option in - -*) - option=${option#-} - - [ -z "$option" ] && break - - while [ -n "$option" ]; do - case $option in - c*) - STAGECOMMON=Yes - option=${option#c} - ;; - l*) - STAGELITE=Yes - option=${option#l} - ;; - x*) - STAGEXML=Yes - option=${option#x} - ;; - h*) - STAGEHTML=Yes - option=${option#h} - ;; - 6*) - STAGE6=Yes - option=${option#6} - ;; - L*) - STAGE6LITE=Yes - option=${option#L} - ;; - *) - usage - ;; - esac - done - shift - ;; - *) - done=Yes - ;; - esac -done - - -case $1 in - 4.*Beta*|4.*RC*) - DEST="/srv/ftp/pub/private/development/${1%.*}/shorewall-$1" - SHOREWALL=shorewall - rpm=shorewall-${1%-*}-0${1#*-}.noarch.rpm - rpm6=shorewall6-${1%-*}-0${1#*-}.noarch.rpm - literpm=shorewall-lite-${1%-*}-0${1#*-}.noarch.rpm - lite6rpm=shorewall6-lite-${1%-*}-0${1#*-}.noarch.rpm - BASE=Yes - ;; - 4.4.*.*) - BASEVERSION=${1%.*} - PATCHNUM=${1##*.} - DEST="/srv/ftp/pub/shorewall/${BASEVERSION%.*}/shorewall-${BASEVERSION}" - SHOREWALL=shorewall - rpm=shorewall-${BASEVERSION}-${PATCHNUM}.noarch.rpm - rpm6=shorewall6-${BASEVERSION}-${PATCHNUM}.noarch.rpm - literpm=shorewall-lite-${BASEVERSION}-${PATCHNUM}.noarch.rpm - lite6rpm=shorewall6-lite-${BASEVERSION}-${PATCHNUM}.noarch.rpm - ;; - 4.4.*) - DEST="/srv/ftp/pub/private/${1%.*}/shorewall-$1" - SHOREWALL=shorewall - rpm=shorewall-${1}-0base.noarch.rpm - literpm=shorewall-lite-${1}-0base.noarch.rpm - rpm6=shorewall6-${1}-0base.noarch.rpm - lite6rpm=shorewall6-lite-${1}-0base.noarch.rpm - BASE=Yes - ;; - *) - echo "Unknown Version $1" >&2 - exit 1 - ;; -esac - -[ $# -eq 1 ] || { echo "Usage: $(basename $0) "; exit 2; } - -if [ -z "$PATCHNUM" -a -d shorewall-common ]; then - echo " ERROR: Paranoid to stage a base release when a patch release has been built in the current directory" >&2 - exit 1 -fi - -[ -d errata ] || mkdir errata - -[ -f known_problems.txt ] || echo "There are no known problems in Shorewall version $1" > known_problems.txt - -cp $SHOREWALL-${1}/releasenotes.txt releasenotes.txt - -if [ "$HOSTNAME" = lists ]; then - mkdir -p $DEST - [ -n "$BASE" ] && mkdir $DEST/base - COMMAND=cp -else - ssh $USER mkdir -p $DEST - [ -n "$BASE" ] && ssh $USER mkdir -p $DEST/base - DEST=${USER}:${DEST} -fi - -files="errata known_problems.txt releasenotes.txt patch*-$1 ${1}.*" -base= - -rm -f *-${1}*.asc - -for f in *-${1}.tar.bz2 *-${1}.tgz; do - /usr/bin/gpg -ab --batch --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key' $f -done - -[ -n "$STAGE6" ] && base="shorewall6-${1}.tar.*" && files="$files shorewall6-${1}.* $rpm6" -[ -n "$STAGECOMMON" ] && base="$base shorewall-${1}.tar.*" && files="$files shorewall-${1}.* $rpm" -[ -n "$STAGELITE" ] && base="$base shorewall-lite-${1}.tar.*" && files="$files shorewall-lite-${1}.* $literpm" -[ -n "$STAGE6LITE" ] && base="$base shorewall6-lite-${1}.tar.*" && files="$files shorewall6-lite-${1}.* $lite6rpm" -[ -n "$STAGEXML" ] && base="$base shorewall-docs-xml-${1}.tar.*" && files="$files shorewall-docs-xml-${1}.*" -[ -n "$STAGEHTML" ] && base="$base shorewall-docs-html-${1}.tar.*" && files="$files shorewall-docs-html-${1}.*" - -rpms=`for f in $files; do case $f in *.rpm) echo $f;; *);; esac done` - -[ -n "$rpms" ] && rpm --resign $rpms - -[ -n "$BASE" ] && $COMMAND $base $DEST/base - -$COMMAND -r $files $DEST diff --git a/tools/build/tagrelease b/tools/build/tagrelease deleted file mode 100755 index 4cc8ef625..000000000 --- a/tools/build/tagrelease +++ /dev/null @@ -1,57 +0,0 @@ -#!/bin/sh -# -# Tag a release -# -# (C) 2007 -- Tom Eastep (teastep@shorewall.net) -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Usage: -# -# tagrelease -# -[ $# -eq 1 ] || { echo "usage: tagrelease " >&2; exit 1; } - -VERSION=$1 - -case $VERSION in - 4.0.*) - BRANCH=~/shorewall/branches/4.0/ - ;; - 4.1.*) - BRANCH=~/shorewall/trunk/ - ;; - *) - BRANCH=~/shorewall/3.4/ - ;; -esac - -cd ~/shorewall/tags/ - -svn mkdir $VERSION - -cd $VERSION - -for directory in Shorewall-common Shorewall-shell Shorewall-lite Shorewall-perl manpages manpages-lite Samples; do - if [ -d $BRANCH/$directory ]; then - rm -f $BRANCH/$directory/*~ - [ -d $BRANCH/$directory/Shorewall ] && rm -f $BRANCH/$directory/Shorewall/*~ - svn cp $BRANCH/$directory/ . - fi -done - -svn commit -m "Tag version $VERSION" - diff --git a/tools/build/upload b/tools/build/upload deleted file mode 100755 index 85d1446ef..000000000 --- a/tools/build/upload +++ /dev/null @@ -1,231 +0,0 @@ -#!/bin/sh -# -# Upload a release to the master server -# -# (C) 2007 -- Tom Eastep (teastep@shorewall.net) -# -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Usage: -# -# upload [-pclL6sxh] -# - -usage() { - echo "Usage: upload [-pclL6sxh] " -} - -rpm= -rpm6= -literpm= -lite6rpm= -perlrpm= -shellrpm= - -DEST= -USER="webadmin@mail.shorewall.net" -SHOREWALL=shorewall -COMMAND=scp - -UPLOADCOMMON= -UPLOADPERL= -UPLOADSHELL= -UPLOADLITE= -UPLOADXML= -UPLOADHTML= -UPLOAD6= -UPLOAD6LITE= -PARTIAL=Yes -BASE= - -done= - -case $1 in - -*) - ;; - *) - UPLOADCOMMON=Yes - UPLOADPERL=Yes - UPLOADSHELL=Yes - UPLOADLITE=Yes - UPLOADXML=Yes - UPLOADHTML=Yes - - case $1 in - 4.0.*) - ;; - *) - UPLOAD6=Yes - UPLOAD6LITE=Yes - ;; - esac - - PARTIAL= - done=Yes - ;; -esac - -while [ -z "$done" ]; do - [ $# -eq 0 ] && break - - option=$1 - case $option in - -*) - option=${option#-} - - [ -z "$option" ] && break - - while [ -n "$option" ]; do - case $option in - p*) - UPLOADPERL=Yes - option=${option#p} - ;; - c*) - UPLOADCOMMON=Yes - option=${option#c} - ;; - s*) - UPLOADSHELL=Yes - option=${option#s} - ;; - l*) - UPLOADLITE=Yes - option=${option#l} - ;; - x*) - UPLOADXML=Yes - option=${option#x} - ;; - h*) - UPLOADHTML=Yes - option=${option#h} - ;; - 6*) - UPLOAD6=Yes - option=${option#6} - ;; - L*) - UPLOAD6LITE=Yes - option=${option#L} - ;; - *) - usage - ;; - esac - done - shift - ;; - *) - done=Yes - ;; - esac -done - - -case $1 in - 4.*Beta*|4.*RC*) - DEST="/srv/ftp/pub/shorewall/development/${1%.*}/shorewall-$1" - SHOREWALL=shorewall-common - rpm=shorewall-common-${1%-*}-0${1#*-}.noarch.rpm - rpm6=shorewall6-${1%-*}-0${1#*-}.noarch.rpm - literpm=shorewall-lite-${1%-*}-0${1#*-}.noarch.rpm - lite6rpm=shorewall6-lite-${1%-*}-0${1#*-}.noarch.rpm - perlrpm=shorewall-perl-${1%-*}-0${1#*-}.noarch.rpm - shellrpm=shorewall-shell-${1%-*}-0${1#*-}.noarch.rpm - BASE=Yes - ;; - 4.[02].*.*) - BASEVERSION=${1%.*} - PATCHNUM=${1##*.} - DEST="/srv/ftp/pub/shorewall/${BASEVERSION%.*}/shorewall-${BASEVERSION}" - SHOREWALL=shorewall-common - rpm=shorewall-common-${BASEVERSION}-${PATCHNUM}.noarch.rpm - rpm6=shorewall6-${BASEVERSION}-${PATCHNUM}.noarch.rpm - literpm=shorewall-lite-${BASEVERSION}-${PATCHNUM}.noarch.rpm - lite6rpm=shorewall6-lite-${BASEVERSION}-${PATCHNUM}.noarch.rpm - perlrpm=shorewall-perl-${BASEVERSION}-${PATCHNUM}.noarch.rpm - shellrpm=shorewall-shell-${BASEVERSION}-${PATCHNUM}.noarch.rpm - ;; - 4.[02].*) - DEST="/srv/ftp/pub/shorewall/${1%.*}/shorewall-$1" - SHOREWALL=shorewall-common - rpm=shorewall-common-${1}-0base.noarch.rpm - rpm6=shorewall6-${1}-0base.noarch.rpm - literpm=shorewall-lite-${1}-0base.noarch.rpm - lite6rpm=shorewall6-lite-${1}-0base.noarch.rpm - perlrpm=shorewall-perl-${1}-0base.noarch.rpm - shellrpm=shorewall-shell-${1}-0base.noarch.rpm - BASE=Yes - ;; - 4.3.*) - DEST="/srv/ftp/pub/shorewall/development/${1%.*}/shorewall-$1" - SHOREWALL=shorewall-common - rpm=shorewall-common-${1}-0base.noarch.rpm - literpm=shorewall-lite-${1}-0base.noarch.rpm - perlrpm=shorewall-perl-${1}-0base.noarch.rpm - shellrpm=shorewall-shell-${1}-0base.noarch.rpm - rpm6=shorewall6-${1}-0base.noarch.rpm - lite6rpm=shorewall6-lite-${1}-0base.noarch.rpm - BASE=Yes - ;; - *) - echo "Unknown Version $1" >&2 - exit 1 - ;; -esac - -[ $# -eq 1 ] || { echo "Usage: $(basename $0) "; exit 2; } - -if [ -z "$PATCHNUM" -a -d shorewall-common ]; then - echo " ERROR: Paranoid to upload a base release when a patch release has been built in the current directory" >&2 - exit 1 -fi - -[ -d errata ] || mkdir errata - -[ -f known_problems.txt ] || echo "There are no known problems in Shorewall version $1" > known_problems.txt - -[ -n "$PARTIAL" -a -z "$UPLOADCOMMON" ] && SHOREWALLDIR=shorewall-common || SHOREWALLDIR=$SHOREWALL-${1} - -cp $SHOREWALLDIR/releasenotes.txt releasenotes.txt - -if [ "$HOSTNAME" = lists ]; then - mkdir -p $DEST - [ -n "$BASE" ] && mkdir $DEST/base - COMMAND=cp -else - ssh $USER mkdir -p $DEST - [ -n "$BASE" ] && ssh $USER mkdir -p $DEST/base - DEST=${USER}:${DEST} -fi - -files="errata known_problems.txt releasenotes.txt patch-*-$1 ${1}.*" -base= - -[ -n "$UPLOAD6" ] && base="$base shorewall6-${1}.tar.*" && files="$files shorewall6-${1}.* $rpm6" -[ -n "$UPLOADPERL" ] && base="$base shorewall-perl-${1}.tar.*" && files="$files shorewall-perl-${1}.* $perlrpm" -[ -n "$UPLOADCOMMON" ] && base="$base shorewall-common-${1}.tar.*" && files="$files shorewall-common-${1}.* $rpm" -[ -n "$UPLOADSHELL" ] && base="$base shorewall-shell-${1}.tar.*" && files="$files shorewall-shell-${1}.* $shellrpm" -[ -n "$UPLOADLITE" ] && base="$base shorewall-lite-${1}.tar.*" && files="$files shorewall-lite-${1}.* $literpm" -[ -n "$UPLOAD6LITE" ] && base="$base shorewall6-lite-${1}.tar.*" && files="$files shorewall6-lite-${1}.* $lite6rpm" -[ -n "$UPLOADXML" ] && base="$base shorewall-docs-xml-${1}.tar.*" && files="$files shorewall-docs-xml-${1}.* $literpm" -[ -n "$UPLOADHTML" ] && base="$base shorewall-docs-html-${1}.tar.*" && files="$files shorewall-docs-html-${1}.* $literpm" - -[ -n "$BASE" ] && $COMMAND $base $DEST/base - -$COMMAND -r $files $DEST diff --git a/tools/build/upload44 b/tools/build/upload44 deleted file mode 100755 index 58daf213b..000000000 --- a/tools/build/upload44 +++ /dev/null @@ -1,202 +0,0 @@ -#!/bin/sh -# -# Upload a release to the master server -# -# (C) 2007 -- Tom Eastep (teastep@shorewall.net) -# -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Usage: -# -# upload [-pclL6sxh] -# - -usage() { - echo "Usage: upload [-pclL6sxh] " -} - -rpm= -rpm6= -literpm= -lite6rpm= -perlrpm= -shellrpm= - -DEST= -USER="webadmin@mail.shorewall.net" -SHOREWALL=shorewall -COMMAND=scp - -UPLOADCOMMON= -UPLOADLITE= -UPLOADXML= -UPLOADHTML= -UPLOAD6= -UPLOAD6LITE= -PARTIAL=Yes -BASE= - -done= - -case $1 in - -*) - ;; - *) - UPLOADCOMMON=Yes - UPLOADPERL=Yes - UPLOADSHELL=Yes - UPLOADLITE=Yes - UPLOADXML=Yes - UPLOADHTML=Yes - UPLOAD6=Yes - UPLOAD6LITE=Yes - PARTIAL= - done=Yes - ;; -esac - -while [ -z "$done" ]; do - [ $# -eq 0 ] && break - - option=$1 - case $option in - -*) - option=${option#-} - - [ -z "$option" ] && break - - while [ -n "$option" ]; do - case $option in - c*) - UPLOADCOMMON=Yes - option=${option#c} - ;; - l*) - UPLOADLITE=Yes - option=${option#l} - ;; - x*) - UPLOADXML=Yes - option=${option#x} - ;; - h*) - UPLOADHTML=Yes - option=${option#h} - ;; - 6*) - UPLOAD6=Yes - option=${option#6} - ;; - L*) - UPLOAD6LITE=Yes - option=${option#L} - ;; - *) - usage - ;; - esac - done - shift - ;; - *) - done=Yes - ;; - esac -done - - -case $1 in - 4.*Beta*|4.*RC*) - DEST="/srv/ftp/pub/shorewall/development/${1%.*}/shorewall-$1" - SHOREWALL=shorewall - rpm=shorewall-${1%-*}-0${1#*-}.noarch.rpm - rpm6=shorewall6-${1%-*}-0${1#*-}.noarch.rpm - literpm=shorewall-lite-${1%-*}-0${1#*-}.noarch.rpm - lite6rpm=shorewall6-lite-${1%-*}-0${1#*-}.noarch.rpm - BASE=Yes - ;; - 4.4.*.*) - BASEVERSION=${1%.*} - PATCHNUM=${1##*.} - DEST="/srv/ftp/pub/shorewall/${BASEVERSION%.*}/shorewall-${BASEVERSION}" - SHOREWALL=shorewall - rpm=shorewall-${BASEVERSION}-${PATCHNUM}.noarch.rpm - rpm6=shorewall6-${BASEVERSION}-${PATCHNUM}.noarch.rpm - literpm=shorewall-lite-${BASEVERSION}-${PATCHNUM}.noarch.rpm - lite6rpm=shorewall6-lite-${BASEVERSION}-${PATCHNUM}.noarch.rpm - ;; - 4.4.*) - DEST="/srv/ftp/pub/shorewall/development/${1%.*}/shorewall-$1" - SHOREWALL=shorewall - rpm=shorewall-${1}-0base.noarch.rpm - literpm=shorewall-lite-${1}-0base.noarch.rpm - rpm6=shorewall6-${1}-0base.noarch.rpm - lite6rpm=shorewall6-lite-${1}-0base.noarch.rpm - BASE=Yes - ;; - *) - echo "Unknown Version $1" >&2 - exit 1 - ;; -esac - -[ $# -eq 1 ] || { echo "Usage: $(basename $0) "; exit 2; } - -if [ -z "$PATCHNUM" -a -d shorewall-common ]; then - echo " ERROR: Paranoid to upload a base release when a patch release has been built in the current directory" >&2 - exit 1 -fi - -[ -d errata ] || mkdir errata - -[ -f known_problems.txt ] || echo "There are no known problems in Shorewall version $1" > known_problems.txt - -cp $SHOREWALL-${1}/releasenotes.txt releasenotes.txt - -if [ "$HOSTNAME" = lists ]; then - mkdir -p $DEST - [ -n "$BASE" ] && mkdir $DEST/base - COMMAND=cp -else - ssh $USER mkdir -p $DEST - [ -n "$BASE" ] && ssh $USER mkdir -p $DEST/base - DEST=${USER}:${DEST} -fi - -files="errata known_problems.txt releasenotes.txt patch*-$1 ${1}.*" -base= - -rm -f *-${1}*.asc - -for f in *-${1}.tar.bz2 *-${1}.tgz; do - /usr/bin/gpg -ab --batch --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key' $f -done - -[ -n "$UPLOAD6" ] && base="shorewall6-${1}.tar.*" && files="$files shorewall6-${1}.* $rpm6" -[ -n "$UPLOADCOMMON" ] && base="$base shorewall-${1}.tar.*" && files="$files shorewall-${1}.* $rpm" -[ -n "$UPLOADLITE" ] && base="$base shorewall-lite-${1}.tar.*" && files="$files shorewall-lite-${1}.* $literpm" -[ -n "$UPLOAD6LITE" ] && base="$base shorewall6-lite-${1}.tar.*" && files="$files shorewall6-lite-${1}.* $lite6rpm" -[ -n "$UPLOADXML" ] && base="$base shorewall-docs-xml-${1}.tar.*" && files="$files shorewall-docs-xml-${1}.*" -[ -n "$UPLOADHTML" ] && base="$base shorewall-docs-html-${1}.tar.*" && files="$files shorewall-docs-html-${1}.*" - -rpms=`for f in $files; do case $f in *.rpm) echo $f;; *);; esac done` - -[ -n "$rpms" ] && rpm --resign $rpms - -[ -n "$BASE" ] && $COMMAND $base $DEST/base - -$COMMAND -r $files $DEST diff --git a/tools/subversion/config b/tools/subversion/config deleted file mode 100644 index 2b65b1514..000000000 --- a/tools/subversion/config +++ /dev/null @@ -1,184 +0,0 @@ -### This file configures various client-side behaviors. -### -### The commented-out examples below are intended to demonstrate -### how to use this file. - -### Section for authentication and authorization customizations. -# [auth] -### Set store-passwords to 'no' to avoid storing passwords in the -### auth/ area of your config directory. It defaults to 'yes'. -### Note that this option only prevents saving of *new* passwords; -### it doesn't invalidate existing passwords. (To do that, remove -### the cache files by hand as described in the Subversion book.) -# store-passwords = no -### Set store-auth-creds to 'no' to avoid storing any subversion -### credentials in the auth/ area of your config directory. -### It defaults to 'yes'. Note that this option only prevents -### saving of *new* credentials; it doesn't invalidate existing -### caches. (To do that, remove the cache files by hand.) -# store-auth-creds = no - -### Section for configuring external helper applications. -### Set editor to the command used to invoke your text editor. -### This will override the environment variables that Subversion -### examines by default to find this information ($EDITOR, -### et al). -### Set diff-cmd to the absolute path of your 'diff' program. -### This will override the compile-time default, which is to use -### Subversion's internal diff implementation. -### Set diff3-cmd to the absolute path of your 'diff3' program. -### This will override the compile-time default, which is to use -### Subversion's internal diff3 implementation. -### Set diff3-has-program-arg to 'true' or 'yes' if your 'diff3' -### program accepts the '--diff-program' option. - -[helpers] -#editor-cmd = pico # (vi, emacs, notepad, etc.) - -#diff-cmd = /usr/bin/diff -bB -#diff3-cmd = diff3_program (diff3, gdiff3, etc.) -#diff3-has-program-arg = true - -### Section for configuring tunnel agents. -# [tunnels] -### Configure svn protocol tunnel schemes here. By default, only -### the 'ssh' scheme is defined. You can define other schemes to -### be used with 'svn+scheme://hostname/path' URLs. A scheme -### definition is simply a command, optionally prefixed by an -### environment variable name which can override the command if it -### is defined. The command (or environment variable) may contain -### arguments, using standard shell quoting for arguments with -### spaces. The command will be invoked as: -### svnserve -t -### (If the URL includes a username, then the hostname will be -### passed to the tunnel agent as @.) If the -### built-in ssh scheme were not predefined, it could be defined -### as: -# ssh = $SVN_SSH ssh -### If you wanted to define a new 'rsh' scheme, to be used with -### 'svn+rsh:' URLs, you could do so as follows: -# rsh = rsh -### Or, if you wanted to specify a full path and arguments: -# rsh = /path/to/rsh -l myusername -### On Windows, if you are specifying a full path to a command, -### use a forward slash (/) or a paired backslash (\\) as the -### path separator. A single backslash will be treated as an -### escape for the following character. - -### Section for configuring miscelleneous Subversion options. -[miscellany] -### Set global-ignores to a set of whitespace-delimited globs -### which Subversion will ignore in its 'status' output. -global-ignores = *.o *.lo *.la #*# .*.rej *.rej .*~ *~ .#* .DS_Store *.bak .depdb .depdblock .filemap .lock .registry .channels .tmp *.webprj *.kdevelop -### Set log-encoding to the default encoding for log messages -log-encoding = utf-8 -### Set use-commit-times to make checkout/update/switch/revert -### put last-committed timestamps on every file touched. -use-commit-times = yes -### Set enable-auto-props to 'yes' to enable automatic properties -### for 'svn add' and 'svn import', it defaults to 'no'. -### Automatic properties are defined in the section 'auto-props'. -enable-auto-props = yes - -### Section for configuring automatic properties. -### The format of the entries is: -### file-name-pattern = propname[=value][;propname[=value]...] -### The file-name-pattern can contain wildcards (such as '*' and -### '?'). All entries which match will be applied to the file. -### Note that auto-props functionality must be enabled, which -### is typically done by setting the 'enable-auto-props' option. -[auto-props] - -*.sh = svn:eol-style=native;svn:executable;svn:keywords=Id;svn:mime-type=text/plain;charset=utf-8 -*.php = svn:eol-style=native;svn:keywords=Id;svn:mime-type=text/x-php;charset=utf-8 -*.txt = svn:eol-style=native;svn:keywords=Id;svn:mime-type=text/plain;charset=utf-8 -*.cgi = svn:eol-style=native;svn:keywords=Id;svn:mime-type=text/plain;charset=utf-8 -*.pl = svn:eol-style=native;svn:keywords=Id;svn:mime-type=text/plain;charset=utf-8 - -# Images -*.gif = svn:mime-type=image/gif -*.png = svn:mime-type=image/png -*.jpg = svn:mime-type=image/jpeg -*.jpeg = svn:mime-type=image/jpeg -*.ico = svn:mime-type=image/x-icon - -#apache -.htaccess = svn:eol-style=native;svn:mime-type=text/plain;charset=utf-8;svn:keywords=Id -htaccess* = svn:eol-style=native;svn:mime-type=text/plain;charset=utf-8;svn:keywords=Id - -#python - -*.py = svn:eol-style=native;svn:executable;svn:keywords=Id;svn:mime-type=text/plain;charset=utf-8 - -# Web, XML - -*.htm = svn:eol-style=native;svn:keywords=Id;svn:mime-type=text/html;charset=utf-8 -*.html = svn:eol-style=native;svn:keywords=Id;svn:mime-type=text/html;charset=utf-8 -*.js = svn:eol-style=native;svn:keywords=Id;svn:mime-type=text/javascript;charset=utf-8 -*.css = svn:eol-style=native;svn:keywords=Id;svn:mime-type=text/css;charset=utf-8 -*.xml = svn:eol-style=native;svn:keywords=Id;svn:mime-type=text/xml;charset=utf-8 - -#SQL -*.sql = svn:eol-style=native;svn:keywords=Id;svn:mime-type=text/plain;charset=utf-8 - -#JAVA - -*.java = svn:eol-style=native;svn:keywords=Id;svn:mime-type=text/plain;charset=utf-8 - - - - -# "Hasefroch" stuff here.. - -*.doc = svn:mime-type=application/msword -*.vdx = svn:mime-type=application/vnd.visio.xml - -# adobe(tm) stuff here. - -*.pdf = svn:mime-type=application/pdf - -# other common files - -INSTALL* = svn:eol-style=native;svn:keywords=Id;svn:mime-type=text/plain;charset=utf-8 -README* = svn:eol-style=native;svn:keywords=Id;svn:mime-type=text/plain;charset=utf-8 -BUGS* = svn:eol-style=native;svn:keywords=Id;svn:mime-type=text/plain;charset=utf-8 -LICENSE* = svn:eol-style=native;svn:keywords=Id;svn:mime-type=text/plain;charset=utf-8 -*.conf = svn:eol-style=native;svn:keywords=Id;svn:mime-type=text/plain;charset=utf-8 -*.dist = svn:eol-style=native;svn:keywords=Id;svn:mime-type=text/plain;charset=utf-8 - -#OpenDocuments.. - -*.sds = svn:mime-type=application/vnd.stardivision.chart -*.sdc = svn:mime-type=application/vnd.stardivision.calc -*.sdw = svn:mime-type=application/vnd.stardivision.writer -*.sgl = svn:mime-type=application/vnd.stardivision.writer-global -*.sda = svn:mime-type=application/vnd.stardivision.draw -*.sdd = svn:mime-type=application/vnd.stardivision.impress -*.sdf = svn:mime-type=application/vnd.stardivision.math -*.sxw = svn:mime-type=application/vnd.sun.xml.writer -*.stw = svn:mime-type=application/vnd.sun.xml.writer.template -*.sxg = svn:mime-type=application/vnd.sun.xml.writer.global -*.sxc = svn:mime-type=application/vnd.sun.xml.calc -*.stc = svn:mime-type=application/vnd.sun.xml.calc.template -*.sxi = svn:mime-type=application/vnd.sun.xml.impress -*.sti = svn:mime-type=application/vnd.sun.xml.impress.template -*.sxd = svn:mime-type=application/vnd.sun.xml.draw -*.std = svn:mime-type=application/vnd.sun.xml.draw.template -*.sxm = svn:mime-type=application/vnd.sun.xml.math -*.odt = svn:mime-type=application/vnd.oasis.opendocument.text -*.ott = svn:mime-type=application/vnd.oasis.opendocument.text-template -*.oth = svn:mime-type=application/vnd.oasis.opendocument.text-web -*.odm = svn:mime-type=application/vnd.oasis.opendocument.text-master -*.odg = svn:mime-type=application/vnd.oasis.opendocument.graphics -*.otg = svn:mime-type=application/vnd.oasis.opendocument.graphics-template -*.odp = svn:mime-type=application/vnd.oasis.opendocument.presentation -*.otp = svn:mime-type=application/vnd.oasis.opendocument.presentation-template -*.ods = svn:mime-type=application/vnd.oasis.opendocument.spreadsheet -*.ots = svn:mime-type=application/vnd.oasis.opendocument.spreadsheet-template -*.odc = svn:mime-type=application/vnd.oasis.opendocument.chart -*.odf = svn:mime-type=application/vnd.oasis.opendocument.formula -*.odb = svn:mime-type=application/vnd.oasis.opendocument.database -*.odi = svn:mime-type=application/vnd.oasis.opendocument.image - -# DIA -*.dia = svn:mime-type=application/octet-stream diff --git a/tools/subversion/servers b/tools/subversion/servers deleted file mode 100644 index cecdfc515..000000000 --- a/tools/subversion/servers +++ /dev/null @@ -1,78 +0,0 @@ -### This file specifies server-specific protocol parameters, -### including HTTP proxy information, and HTTP timeout settings. -### -### The currently defined server options are: -### http-proxy-host Proxy host for HTTP connection -### http-proxy-port Port number of proxy host service -### http-proxy-username Username for auth to proxy service -### http-proxy-password Password for auth to proxy service -### http-proxy-exceptions List of sites that do not use proxy -### http-timeout Timeout for HTTP requests in seconds -### http-compression Whether to compress HTTP requests -### neon-debug-mask Debug mask for Neon HTTP library -### ssl-authority-files List of files, each of a trusted CAs -### ssl-trust-default-ca Trust the system 'default' CAs -### ssl-client-cert-file PKCS#12 format client certificate file -### ssl-client-cert-password Client Key password, if needed. -### -### HTTP timeouts, if given, are specified in seconds. A timeout -### of 0, i.e. zero, causes a builtin default to be used. -### -### The commented-out examples below are intended only to -### demonstrate how to use this file; any resemblance to actual -### servers, living or dead, is entirely coincidental. - -### In this section, the URL of the repository you're trying to -### access is matched against the patterns on the right. If a -### match is found, the server info is from the section with the -### corresponding name. - -[groups] -sourceforge = *.sourceforge.net -# othergroup = repository.blarggitywhoomph.com -# thirdgroup = *.example.com - -[sourceforge] -http-compression = no - -### Information for the first group: -# [group1] -# http-proxy-host = proxy1.some-domain-name.com -# http-proxy-port = 80 -# http-proxy-username = blah -# http-proxy-password = doubleblah -# http-timeout = 60 -# neon-debug-mask = 130 - -### Information for the second group: -# [othergroup] -# http-proxy-host = proxy2.some-domain-name.com -# http-proxy-port = 9000 -# No username and password, so use the defaults below. - -### You can set default parameters in the 'global' section. -### These parameters apply if no corresponding parameter is set in -### a specifically matched group as shown above. Thus, if you go -### through the same proxy server to reach every site on the -### Internet, you probably just want to put that server's -### information in the 'global' section and not bother with -### 'groups' or any other sections. -### -### If you go through a proxy for all but a few sites, you can -### list those exceptions under 'http-proxy-exceptions'. This only -### overrides defaults, not explicitly matched server names. -### -### 'ssl-authority-files' is a semicolon-delimited list of files, -### each pointing to a PEM-encoded Certificate Authority (CA) -### SSL certificate. See details above for overriding security -### due to SSL. -[global] -# http-proxy-exceptions = *.exception.com, www.internal-site.org -# http-proxy-host = defaultproxy.whatever.com -# http-proxy-port = 7000 -# http-proxy-username = defaultusername -# http-proxy-password = defaultpassword -http-compression = yes -# No http-timeout, so just use the builtin default. -# No neon-debug-mask, so neon debugging is disabled. -# ssl-authority-files = /path/to/CAcert.pem;/path/to/CAcert2.pem diff --git a/tools/testing/accepttest b/tools/testing/accepttest deleted file mode 100755 index 41f86f4b1..000000000 --- a/tools/testing/accepttest +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/sh -# -# Clear an exception on one or more regression tests -- (C) 2007, Tom Eastep (teastep@shorewall.net) -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# - -for directory in $*; do - if [ -d $directory ]; then - cp -f $directory/firewall $directory/firewall.last && echo "Test $directory ACCEPTED" - else - echo " WARNING: No directory named $directory" >&2 - fi -done - - - diff --git a/tools/testing/regression b/tools/testing/regression deleted file mode 100755 index 04e09c4ed..000000000 --- a/tools/testing/regression +++ /dev/null @@ -1,59 +0,0 @@ -#!/bin/sh -# -# Shorewall Compiler Positive Regression test driver -- (C) 2007, Tom Eastep (teastep@shorewall.net) -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# - -case $(/sbin/shorewall version) in - 4.0.*) - OPTIONS=vvv - ;; - *) - OPTIONS=v2 - ;; -esac - -DIRECTORIES="$*" - -[ -n "${DIRECTORIES:=*}" ] - -for directory in $DIRECTORIES; do - if [ -d $directory ]; then - existing=$(ls -l $directory/firewall 2> /dev/null); - if /sbin/shorewall -${OPTIONS} compile -t $directory $directory/firewall > $directory/compileroutput 2> $directory/compilererrors; then - if [ "$existing" = "$(ls -l $directory/firewall)" ]; then - echo "Test $directory FAILED ******** No object produced" - elif [ -f $directory/firewall.last ]; then - if diff -au $directory/firewall.last $directory/firewall > $directory/compare; then - echo "Test $directory PASSED" - else - echo "Test $directory FAILED ********* Failure data is in $directory/compare" - fi - else - cp $directory/firewall $directory/firewall.last - echo "Test $directory INITIAL RUN" - fi - else - echo "Test $directory FAILED ********* Failure data is in $directory/compilererrors" - rm -f $directory/faildata - fi - fi -done - - - diff --git a/tools/web/cronpublish.sh b/tools/web/cronpublish.sh deleted file mode 100755 index b67d25d4a..000000000 --- a/tools/web/cronpublish.sh +++ /dev/null @@ -1,47 +0,0 @@ -#!/bin/sh - -STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/current/xhtml/docbook.xsl -WEBSITE=/srv/www/html -PROJECTS="web docs docs-fr" -HOMEDIR=/home/judas_iscariote -SVN_BIN=/usr/bin/svn - -publish() { - case $1 in - *.xml) - b=${1%.*} - - if [ -f $WEBSITE/$b.htm ]; then - b=$b.htm - f="$WEBSITE/$b" - else - b=$b.html - f="$WEBSITE/$b" - fi - - echo "Converting $1 from XML to HTML ($b) ..." - - xmllint --valid --noout $1 && xsltproc --output $f --stringparam html.stylesheet html.css --stringparam ulink.target _self -param toc.section.depth 3 $STYLESHEET $1 - chmod g+w $f - ;; - *) - cp $1 $WEBSITE/$1 - chmod g+w $WEBSITE/$1 - ;; - esac - -} - -for project in $PROJECTS; do - cd $HOMEDIR/$project - $SVN_BIN update --non-interactive | while read UA file; do - case $UA in - U|P|G) - publish $file - ;; - A) - [ -d $file ] && mkdir $WEBSITE/$file || publish $file - ;; - esac - done -done diff --git a/tools/web/publish b/tools/web/publish deleted file mode 100755 index 2d885d0c3..000000000 --- a/tools/web/publish +++ /dev/null @@ -1,143 +0,0 @@ -#!/bin/sh - -#STYLESHEET=/home/teastep/Shorewall/docbook-xsl-1.62.4//xhtml/docbook.xsl -STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/current/xhtml/docbook.xsl -WEBSITE=/home/teastep/Shorewall/Website -HTMFILES=" - 6to4.htm - blacklisting_support.htm - configuration_file_basics.htm - CorpNetwork.htm - dhcp.htm - Documentation.htm - errata.htm - fallback.htm - FAQ.htm - GnuCopyright.htm - Install.htm - IPIP.htm - IPSEC.htm - kernel.htm - myfiles.htm - NAT.htm - ports.htm - PPTP.htm - ProxyARP.htm - quotes.htm - samba.htm - shorewall_extension_scripts.htm - shorewall_features.htm - shorewall_mirrors.htm - shorewall_prerequisites.htm - shorewall_quickstart_guide.htm - shorewall_setup_guide_fr.htm - shorewall_setup_guide.htm - Shorewall_sfindex_frame.htm - standalone.htm - starting_and_stopping_shorewall.htm - support.htm - three-interface.htm - traffic_shaping.htm - troubleshoot.htm - two-interface.htm - upgrade_issues.htm - VPN.htm - whitelisting_under_shorewall.htm" -# -# Suppress the table of contents in these short articles -# -NOTOC=" - Documentation_Index.xml - ECN.xml - fallback.xml - GettingStarted.xml - IPP2P.xml - ping.xml - ProxyARP.xml - Shorewall_Doesnt.xml - shorewall_features.xml - shorewall_prerequisites.xml - SimpleBridge.xml" - -list_search() # $1 = element to search for , $2-$n = list -{ - local e - e=$1 - - while [ $# -gt 1 ]; do - shift - [ "x$e" = "x$1" ] && return 0 - done - - return 1 -} - -if [ $# -eq 0 ]; then - echo "Usage: $(basename $0) ..." - exit 2 -fi - -while [ $# -gt 0 ]; do - - case $1 in - *.xml) - b=${1%.*} - # - # The original HTML documents were created using MS FrontPage and - # used the .htm suffix. The remainder use the .html suffix. - # - if list_search $b.htm $HTMFILES ; then - b=$b.htm - f="$WEBSITE/$b" - else - b=$b.html - f="$WEBSITE/$b" - fi - - list_search $1 $NOTOC && GENTOC="--stringparam generate.toc ''" || GENTOC= - - case $1 in - *_ru.xml) - LANGUAGE="--stringparam l10n.gentext.default.language ru" - ;; - *_fr.xml) - LANGUAGE="--stringparam l10n.gentext.default.language fr" - ;; - *) - LANGUAGE= - ;; - esac - - echo "Converting $1 from XML to HTML ($b) ..." - - if xmllint --valid --noout $1 && xsltproc --output $f --stringparam html.stylesheet html.css --stringparam ulink.target _self $GENTOC $LANGUAGE --param toc.section.depth 3 $STYLESHEET $1 ; then - filestocopy="$filestocopy $f" - fi - ;; - - *) - filestocopy="$filestocopy $1" - ;; - esac - - shift - -done - -DESTS=" -webadmin@mail.shorewall.net:/srv/www/html -" - -if [ -n "$filestocopy" ]; then - for f in $filestocopy; do - filestoreport="$filestoreport $(basename $f)" - done - - chmod 664 $filestocopy - for d in $DESTS; do - echo "$filestoreport -> $d" - scp -qp $filestocopy $d - done -fi - - diff --git a/tools/web/publish-3.0 b/tools/web/publish-3.0 deleted file mode 100755 index addbd83c2..000000000 --- a/tools/web/publish-3.0 +++ /dev/null @@ -1,143 +0,0 @@ -#!/bin/sh - -#STYLESHEET=/home/teastep/Shorewall/docbook-xsl-1.62.4//xhtml/docbook.xsl -STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl -WEBSITE=/home/teastep/Shorewall/Website -HTMFILES=" - 6to4.htm - blacklisting_support.htm - configuration_file_basics.htm - CorpNetwork.htm - dhcp.htm - Documentation.htm - errata.htm - fallback.htm - FAQ.htm - GnuCopyright.htm - Install.htm - IPIP.htm - IPSEC.htm - kernel.htm - myfiles.htm - NAT.htm - ports.htm - PPTP.htm - ProxyARP.htm - quotes.htm - samba.htm - shorewall_extension_scripts.htm - shorewall_features.htm - shorewall_mirrors.htm - shorewall_prerequisites.htm - shorewall_quickstart_guide.htm - shorewall_setup_guide_fr.htm - shorewall_setup_guide.htm - Shorewall_sfindex_frame.htm - standalone.htm - starting_and_stopping_shorewall.htm - support.htm - three-interface.htm - traffic_shaping.htm - troubleshoot.htm - two-interface.htm - upgrade_issues.htm - VPN.htm - whitelisting_under_shorewall.htm" -# -# Suppress the table of contents in these short articles -# -NOTOC=" - Documentation_Index.xml - ECN.xml - fallback.xml - GettingStarted.xml - IPP2P.xml - ping.xml - ProxyARP.xml - Shorewall_Doesnt.xml - shorewall_features.xml - shorewall_prerequisites.xml - SimpleBridge.xml" - -list_search() # $1 = element to search for , $2-$n = list -{ - local e - e=$1 - - while [ $# -gt 1 ]; do - shift - [ "x$e" = "x$1" ] && return 0 - done - - return 1 -} - -if [ $# -eq 0 ]; then - echo "Usage: $(basename $0) ..." - exit 2 -fi - -while [ $# -gt 0 ]; do - - case $1 in - *.xml) - b=${1%.*} - # - # The original HTML documents were created using MS FrontPage and - # used the .htm suffix. The remainder use the .html suffix. - # - if list_search $b.htm $HTMFILES ; then - b=$b.htm - f="$WEBSITE/$b" - else - b=$b.html - f="$WEBSITE/$b" - fi - - list_search $1 $NOTOC && GENTOC="--stringparam generate.toc ''" || GENTOC= - - case $1 in - *_ru.xml) - LANGUAGE="--stringparam l10n.gentext.default.language ru" - ;; - *_fr.xml) - LANGUAGE="--stringparam l10n.gentext.default.language fr" - ;; - *) - LANGUAGE= - ;; - esac - - echo "Converting $1 from XML to HTML ($b) ..." - - if xmllint --valid --noout $1 && xsltproc --output $f --stringparam html.stylesheet html.css --stringparam ulink.target _self $GENTOC --param toc.section.depth 3 $STYLESHEET $1 ; then - filestocopy="$filestocopy $f" - fi - ;; - - *) - filestocopy="$filestocopy $1" - ;; - esac - - shift - -done - -DESTS=" -webadmin@mail.shorewall.net:/srv/www/html/3.0 -" - -if [ -n "$filestocopy" ]; then - for f in $filestocopy; do - filestoreport="$filestoreport $(basename $f)" - done - - chmod 664 $filestocopy - for d in $DESTS; do - echo "$filestoreport -> $d" - scp -qp $filestocopy $d - done -fi - - diff --git a/tools/web/publish-4.2 b/tools/web/publish-4.2 deleted file mode 100755 index d26ab3054..000000000 --- a/tools/web/publish-4.2 +++ /dev/null @@ -1,143 +0,0 @@ -#!/bin/sh - -#STYLESHEET=/home/teastep/Shorewall/docbook-xsl-1.62.4//xhtml/docbook.xsl -STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/current/xhtml/docbook.xsl -WEBSITE=/home/teastep/Shorewall/Website -HTMFILES=" - 6to4.htm - blacklisting_support.htm - configuration_file_basics.htm - CorpNetwork.htm - dhcp.htm - Documentation.htm - errata.htm - fallback.htm - FAQ.htm - GnuCopyright.htm - Install.htm - IPIP.htm - IPSEC.htm - kernel.htm - myfiles.htm - NAT.htm - ports.htm - PPTP.htm - ProxyARP.htm - quotes.htm - samba.htm - shorewall_extension_scripts.htm - shorewall_features.htm - shorewall_mirrors.htm - shorewall_prerequisites.htm - shorewall_quickstart_guide.htm - shorewall_setup_guide_fr.htm - shorewall_setup_guide.htm - Shorewall_sfindex_frame.htm - standalone.htm - starting_and_stopping_shorewall.htm - support.htm - three-interface.htm - traffic_shaping.htm - troubleshoot.htm - two-interface.htm - upgrade_issues.htm - VPN.htm - whitelisting_under_shorewall.htm" -# -# Suppress the table of contents in these short articles -# -NOTOC=" - Documentation_Index.xml - ECN.xml - fallback.xml - GettingStarted.xml - IPP2P.xml - ping.xml - ProxyARP.xml - Shorewall_Doesnt.xml - shorewall_features.xml - shorewall_prerequisites.xml - SimpleBridge.xml" - -list_search() # $1 = element to search for , $2-$n = list -{ - local e - e=$1 - - while [ $# -gt 1 ]; do - shift - [ "x$e" = "x$1" ] && return 0 - done - - return 1 -} - -if [ $# -eq 0 ]; then - echo "Usage: $(basename $0) ..." - exit 2 -fi - -while [ $# -gt 0 ]; do - - case $1 in - *.xml) - b=${1%.*} - # - # The original HTML documents were created using MS FrontPage and - # used the .htm suffix. The remainder use the .html suffix. - # - if list_search $b.htm $HTMFILES ; then - b=$b.htm - f="$WEBSITE/$b" - else - b=$b.html - f="$WEBSITE/$b" - fi - - list_search $1 $NOTOC && GENTOC="--stringparam generate.toc ''" || GENTOC= - - case $1 in - *_ru.xml) - LANGUAGE="--stringparam l10n.gentext.default.language ru" - ;; - *_fr.xml) - LANGUAGE="--stringparam l10n.gentext.default.language fr" - ;; - *) - LANGUAGE= - ;; - esac - - echo "Converting $1 from XML to HTML ($b) ..." - - if xmllint --valid --noout $1 && xsltproc --output $f --stringparam html.stylesheet html.css --stringparam ulink.target _self $GENTOC $LANGUAGE --param toc.section.depth 3 $STYLESHEET $1 ; then - filestocopy="$filestocopy $f" - fi - ;; - - *) - filestocopy="$filestocopy $1" - ;; - esac - - shift - -done - -DESTS=" -webadmin@mail.shorewall.net:/srv/www/html/4.2 -" - -if [ -n "$filestocopy" ]; then - for f in $filestocopy; do - filestoreport="$filestoreport $(basename $f)" - done - - chmod 664 $filestocopy - for d in $DESTS; do - echo "$filestoreport -> $d" - scp -qp $filestocopy $d - done -fi - - diff --git a/tools/web/publish-image b/tools/web/publish-image deleted file mode 100755 index 69038cf5c..000000000 --- a/tools/web/publish-image +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/sh - -# scp $@ teastep@shorewall.sourceforge.net:/home/groups/s/sh/shorewall/htdocs/images - scp -p $@ webadmin@mail.shorewall.net:/srv/www/html/images -# cp -pf $@ /home/teastep/Shorewall-docs - - diff --git a/tools/web/publish-image-3.0 b/tools/web/publish-image-3.0 deleted file mode 100755 index a2e0b2ac1..000000000 --- a/tools/web/publish-image-3.0 +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/sh - -# scp $@ teastep@shorewall.sourceforge.net:/home/groups/s/sh/shorewall/htdocs/images - scp -p $@ webadmin@mail:/srv/www/html/3.0/images -# cp -pf $@ /home/teastep/Shorewall-docs - - diff --git a/tools/web/publish-image-4.4 b/tools/web/publish-image-4.4 deleted file mode 100755 index 24eaf9a5f..000000000 --- a/tools/web/publish-image-4.4 +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/sh - -# scp $@ teastep@shorewall.sourceforge.net:/home/groups/s/sh/shorewall/htdocs/images - scp -p $@ webadmin@mail.shorewall.net:/srv/www/html/4.4/images -# cp -pf $@ /home/teastep/Shorewall-docs - - diff --git a/tools/web/publish-manpage b/tools/web/publish-manpage deleted file mode 100755 index 661a68143..000000000 --- a/tools/web/publish-manpage +++ /dev/null @@ -1,65 +0,0 @@ -#!/bin/sh - -#STYLESHEET=/home/teastep/Shorewall/docbook-xsl-1.62.4//xhtml/docbook.xsl -STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/current/xhtml/docbook.xsl -WEBSITE=/home/teastep/Shorewall/Website - -list_search() # $1 = element to search for , $2-$n = list -{ - local e - e=$1 - - while [ $# -gt 1 ]; do - shift - [ "x$e" = "x$1" ] && return 0 - done - - return 1 -} - -if [ $# -eq 0 ]; then - echo "Usage: $(basename $0) ..." - exit 2 -fi - -while [ $# -gt 0 ]; do - - case $1 in - *.xml) - b=${1%.*}.html - - f="$WEBSITE/$b" - - echo "Converting $1 from XML to HTML ($b) ..." - - if xsltproc --output $f --stringparam html.stylesheet html.css --stringparam ulink.target _self -param toc.section.depth 3 $STYLESHEET $1 ; then - filestocopy="$filestocopy $f" - fi - ;; - - *) - filestocopy="$filestocopy $1" - ;; - esac - - shift - -done - -DESTS=" -webadmin@mail.shorewall.net:/srv/www/html/manpages/ -" - -if [ -n "$filestocopy" ]; then - for f in $filestocopy; do - filestoreport="$filestoreport $(basename $f)" - done - - chmod 664 $filestocopy - for d in $DESTS; do - echo "$filestoreport -> $d" - scp -qp $filestocopy $d - done -fi - - diff --git a/tools/web/publish-manpage-3.0 b/tools/web/publish-manpage-3.0 deleted file mode 100755 index 2835c394f..000000000 --- a/tools/web/publish-manpage-3.0 +++ /dev/null @@ -1,65 +0,0 @@ -#!/bin/sh - -#STYLESHEET=/home/teastep/Shorewall/docbook-xsl-1.62.4//xhtml/docbook.xsl -STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl -WEBSITE=/home/teastep/Shorewall/Website - -list_search() # $1 = element to search for , $2-$n = list -{ - local e - e=$1 - - while [ $# -gt 1 ]; do - shift - [ "x$e" = "x$1" ] && return 0 - done - - return 1 -} - -if [ $# -eq 0 ]; then - echo "Usage: $(basename $0) ..." - exit 2 -fi - -while [ $# -gt 0 ]; do - - case $1 in - *.xml) - b=${1%.*}.html - - f="$WEBSITE/$b" - - echo "Converting $1 from XML to HTML ($b) ..." - - if xsltproc --output $f --stringparam html.stylesheet html.css --stringparam ulink.target _self -param toc.section.depth 3 $STYLESHEET $1 ; then - filestocopy="$filestocopy $f" - fi - ;; - - *) - filestocopy="$filestocopy $1" - ;; - esac - - shift - -done - -DESTS=" -webadmin@mail.shorewall.net:/srv/www/html/3.0/manpages/ -" - -if [ -n "$filestocopy" ]; then - for f in $filestocopy; do - filestoreport="$filestoreport $(basename $f)" - done - - chmod 664 $filestocopy - for d in $DESTS; do - echo "$filestoreport -> $d" - scp -qp $filestocopy $d - done -fi - - diff --git a/tools/web/publish-manpage-4.0 b/tools/web/publish-manpage-4.0 deleted file mode 100755 index 28908d4c4..000000000 --- a/tools/web/publish-manpage-4.0 +++ /dev/null @@ -1,65 +0,0 @@ -#!/bin/sh - -#STYLESHEET=/home/teastep/Shorewall/docbook-xsl-1.62.4//xhtml/docbook.xsl -STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl -WEBSITE=/home/teastep/Shorewall/Website - -list_search() # $1 = element to search for , $2-$n = list -{ - local e - e=$1 - - while [ $# -gt 1 ]; do - shift - [ "x$e" = "x$1" ] && return 0 - done - - return 1 -} - -if [ $# -eq 0 ]; then - echo "Usage: $(basename $0) ..." - exit 2 -fi - -while [ $# -gt 0 ]; do - - case $1 in - *.xml) - b=${1%.*}.html - - f="$WEBSITE/$b" - - echo "Converting $1 from XML to HTML ($b) ..." - - if xsltproc --output $f --stringparam html.stylesheet html.css --stringparam ulink.target _self -param toc.section.depth 3 $STYLESHEET $1 ; then - filestocopy="$filestocopy $f" - fi - ;; - - *) - filestocopy="$filestocopy $1" - ;; - esac - - shift - -done - -DESTS=" -webadmin@mail.shorewall.net:/srv/www/html/4.0/manpages/ -" - -if [ -n "$filestocopy" ]; then - for f in $filestocopy; do - filestoreport="$filestoreport $(basename $f)" - done - - chmod 664 $filestocopy - for d in $DESTS; do - echo "$filestoreport -> $d" - scp -qp $filestocopy $d - done -fi - - diff --git a/tools/web/publish-manpage-4.4 b/tools/web/publish-manpage-4.4 deleted file mode 100755 index 5874b23ea..000000000 --- a/tools/web/publish-manpage-4.4 +++ /dev/null @@ -1,65 +0,0 @@ -#!/bin/sh - -#STYLESHEET=/home/teastep/Shorewall/docbook-xsl-1.62.4//xhtml/docbook.xsl -STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/current/xhtml/docbook.xsl -WEBSITE=/home/teastep/Shorewall/Website - -list_search() # $1 = element to search for , $2-$n = list -{ - local e - e=$1 - - while [ $# -gt 1 ]; do - shift - [ "x$e" = "x$1" ] && return 0 - done - - return 1 -} - -if [ $# -eq 0 ]; then - echo "Usage: $(basename $0) ..." - exit 2 -fi - -while [ $# -gt 0 ]; do - - case $1 in - *.xml) - b=${1%.*}.html - - f="$WEBSITE/$b" - - echo "Converting $1 from XML to HTML ($b) ..." - - if xsltproc --output $f --stringparam html.stylesheet html.css --stringparam ulink.target _self -param toc.section.depth 3 $STYLESHEET $1 ; then - filestocopy="$filestocopy $f" - fi - ;; - - *) - filestocopy="$filestocopy $1" - ;; - esac - - shift - -done - -DESTS=" -webadmin@mail.shorewall.net:/srv/www/html/4.4/manpages/ -" - -if [ -n "$filestocopy" ]; then - for f in $filestocopy; do - filestoreport="$filestoreport $(basename $f)" - done - - chmod 664 $filestocopy - for d in $DESTS; do - echo "$filestoreport -> $d" - scp -qp $filestocopy $d - done -fi - - diff --git a/tools/web/publish-manpage6 b/tools/web/publish-manpage6 deleted file mode 100755 index 64c1231d1..000000000 --- a/tools/web/publish-manpage6 +++ /dev/null @@ -1,65 +0,0 @@ -#!/bin/sh - -#STYLESHEET=/home/teastep/Shorewall/docbook-xsl-1.62.4//xhtml/docbook.xsl -STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/current/xhtml/docbook.xsl -WEBSITE=/home/teastep/Shorewall/Website - -list_search() # $1 = element to search for , $2-$n = list -{ - local e - e=$1 - - while [ $# -gt 1 ]; do - shift - [ "x$e" = "x$1" ] && return 0 - done - - return 1 -} - -if [ $# -eq 0 ]; then - echo "Usage: $(basename $0) ..." - exit 2 -fi - -while [ $# -gt 0 ]; do - - case $1 in - *.xml) - b=${1%.*}.html - - f="$WEBSITE/$b" - - echo "Converting $1 from XML to HTML ($b) ..." - - if xsltproc --output $f --stringparam html.stylesheet html.css --stringparam ulink.target _self -param toc.section.depth 3 $STYLESHEET $1 ; then - filestocopy="$filestocopy $f" - fi - ;; - - *) - filestocopy="$filestocopy $1" - ;; - esac - - shift - -done - -DESTS=" -webadmin@mail.shorewall.net:/srv/www/html/manpages6/ -" - -if [ -n "$filestocopy" ]; then - for f in $filestocopy; do - filestoreport="$filestoreport $(basename $f)" - done - - chmod 664 $filestocopy - for d in $DESTS; do - echo "$filestoreport -> $d" - scp -qp $filestocopy $d - done -fi - - diff --git a/tools/web/publish-manpage6-4.4 b/tools/web/publish-manpage6-4.4 deleted file mode 100755 index 1a667ac85..000000000 --- a/tools/web/publish-manpage6-4.4 +++ /dev/null @@ -1,65 +0,0 @@ -#!/bin/sh - -#STYLESHEET=/home/teastep/Shorewall/docbook-xsl-1.62.4//xhtml/docbook.xsl -STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/current/xhtml/docbook.xsl -WEBSITE=/home/teastep/Shorewall/Website - -list_search() # $1 = element to search for , $2-$n = list -{ - local e - e=$1 - - while [ $# -gt 1 ]; do - shift - [ "x$e" = "x$1" ] && return 0 - done - - return 1 -} - -if [ $# -eq 0 ]; then - echo "Usage: $(basename $0) ..." - exit 2 -fi - -while [ $# -gt 0 ]; do - - case $1 in - *.xml) - b=${1%.*}.html - - f="$WEBSITE/$b" - - echo "Converting $1 from XML to HTML ($b) ..." - - if xsltproc --output $f --stringparam html.stylesheet html.css --stringparam ulink.target _self -param toc.section.depth 3 $STYLESHEET $1 ; then - filestocopy="$filestocopy $f" - fi - ;; - - *) - filestocopy="$filestocopy $1" - ;; - esac - - shift - -done - -DESTS=" -webadmin@mail.shorewall.net:/srv/www/html/4.4/manpages6/ -" - -if [ -n "$filestocopy" ]; then - for f in $filestocopy; do - filestoreport="$filestoreport $(basename $f)" - done - - chmod 664 $filestocopy - for d in $DESTS; do - echo "$filestoreport -> $d" - scp -qp $filestocopy $d - done -fi - - diff --git a/web/Banner.html b/web/Banner.html deleted file mode 100644 index 547689b4c..000000000 --- a/web/Banner.html +++ /dev/null @@ -1,65 +0,0 @@ - - - - - - Banner - - - - - - - - - - - -
-
-
(Shorewall Logo)
-

- - - - - - -
-
- - - - - - - - - -
 
-


- Mailing -List Archive Search

-
-
-
-
-
- - diff --git a/web/Documentation.html b/web/Documentation.html deleted file mode 100644 index 1187ce511..000000000 --- a/web/Documentation.html +++ /dev/null @@ -1,125 +0,0 @@ - - - - - Shorewall Documentation - - -

Shorewall Documentation

- -Copyright © 2005-2009 Thomas M. -Eastep
-

Permission is granted to copy, distribute and/or modify this -document -under the terms of the GNU Free Documentation License, Version 1.2 or -any -later version published by the Free Software Foundation; with no -Invariant -Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of -the -license is included in the section entitled “GNU Free Documentation -License”.
-

-

2009-08-14
-

-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Shorewall -4.4
-(Stable)
-
Shorewall -4.2
-(Previous Stable)
-
Shorewall -4.0
-(Debian Lenny)
-Note: 1
-
Shorewall -3.x
-(Obsolete)
-
Description
-
IndexIndexIndexIndexAlphabetical index to over 70 -articles with -topics ranging from Accounting to Xen
FAQsFAQsFAQs FAQs Answers to the most commonly -asked -questions
IPv4 ManpagesIPv4 Manpages - ManpagesManpagesOnline version of the Shorewall -and Shorewall-lite man pages
IPv6 -ManpagesIPv6 -Manpages -
-
-
-
Online version of the Shorewall6 -and Shorewall6-lite man pages
-
-
-Note 1: Shorewall 4.2 packages -for Lenny are available from Roberto Sanchez's -repository. Roberto is the Debian Shorewall maintainer.
-
-
- -
    -
- - diff --git a/web/Manpages.html b/web/Manpages.html deleted file mode 100644 index ccc8a3bec..000000000 --- a/web/Manpages.html +++ /dev/null @@ -1,74 +0,0 @@ - - - - - - Shorewall 3.4 Manpages - - -

Shorewall 3.4 Manpages
-

-Tom Eastep
-
-
Copyright © 2006-2007 Thomas M. Eastep
-

Permission is granted to copy, distribute and/or modify this -document under the terms of the GNU Free Documentation License, Version -1.2 or any later version published by the Free Software Foundation; -with no Invariant Sections, with no Front-Cover, and with no Back-Cover -Texts. A copy of the license is included in the section entitled “GNU Free -Documentation License”.
-

-

2007-01-18
-

-
Warning: -These manpages are for Shorewall 3.4.0 only. They describe -features and options not available on earlier releases.
-
-Note: The docbook to manpage -translation tool that we are using has some indentation issues which -require us to choose between correct output of the man command and correctly-indented -HTML. We've chosen in favor of the man -command so some of the manpages accessed through the links below have -indentation problems. We're working to resolve these issues and ask for -your patience.
-

Section 5 - Files and Concepts
-

- -

Section 8 - Administrative Commands
-

- - - diff --git a/web/Manpages6.html b/web/Manpages6.html deleted file mode 100644 index 0ceeb1aa3..000000000 --- a/web/Manpages6.html +++ /dev/null @@ -1,69 +0,0 @@ - - - - - - Shorewall 4.3 IPv6 Manpages - - -

Shorewall6 4.3 Manpages
-

-Tom Eastep
-
-
Copyright © 2008 Thomas M. Eastep
-

Permission is granted to copy, distribute and/or modify this -document under the terms of the GNU Free Documentation License, Version -1.2 or any later version published by the Free Software Foundation; -with no Invariant Sections, with no Front-Cover, and with no Back-Cover -Texts. A copy of the license is included in the section entitled “GNU Free -Documentation License”.
-

-

2008-12-16
-

-
Warning: -These manpages are for Shorewall 3.4.0 only. They describe -features and options not available on earlier releases.
-
-Note: The docbook to manpage -translation tool that we are using has some indentation issues which -require us to choose between correct output of the man command and correctly-indented -HTML. We've chosen in favor of the man -command so some of the manpages accessed through the links below have -indentation problems. We're working to resolve these issues and ask for -your patience.
-

Section 5 - Files and Concepts
-

- -

Section 8 - Administrative Commands
-

- - - diff --git a/web/News.htm b/web/News.htm deleted file mode 100644 index 228d620ac..000000000 --- a/web/News.htm +++ /dev/null @@ -1,286 +0,0 @@ - - - - - - Shorewall News - - -

Shorewall News and Announcements
-

-

-Copyright © 2001-2009 Thomas M. Eastep

-

Permission is granted to copy, distribute and/or modify this -document -under the terms of the GNU Free Documentation License, Version 1.2 or -any -later version published by the Free Software Foundation; with no -Invariant -Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of -the -license is included in the section entitled "GNU Free Documentation -License". -

-

August 14, 2009
-

-
-

2009-08-14 Shorewall 4.4.0

-
----------------------------------------------------------------------------
R E L E A S E 4 . 4 H I G H L I G H T S
----------------------------------------------------------------------------

1) Support for Shorewall-shell has been discontinued. Shorewall-perl
has been combined with Shorewall-common to produce a single
Shorewall package.

2) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing
discipline has been added. HFSC is superior to the "Hierarchical
Token Bucket" queuing discipline where realtime traffic such as
VOIP is being used.

3) Support for the "flow" traffic classifier has been added. This
classifier can help prevent multi-connection applications such as
BitTorrent from using an unfair amount of bandwidth.

4) The Shorewall documentation and man pages have been purged of
information about earlier Shorewall releases. The documentation
describes only the behavior of Shorewall 4.4 and later versions.

5) The interfaces file OPTIONs have been extended to largely remove the
need for the hosts file.

6) It is now possible to define PREROUTING and OUTPUT marking rules
that cause new connections to use the same provider as an existing
connection of the same kind.

7) Dynamic Zone support is once again available for IPv4; ipset support is
required in your kernel and in iptables.

8) A new AUTOMAKE option has been added to shorewall.conf and
shorewall6.conf. Setting this option will allow Shorewall to skip
the compilation phase during start/restart if no configuration
changes have occurred since the last start/restart.

9) The LIMIT:BURST column in /etc/shorewall/policy
(/etc/shorewall6/policy) and the RATE LIMIT column in
/etc/shorewall/rules (/etc/shorewall6/rules) may now be used to
limit on a per source IP or per destination IP basis.

10) Support for per-IP traffic shaping classes has been added.

11) Support for netfilter's TRACE facility has been added. TRACE allows
you to trace selected packets through Netfilter, including marking
by tcrules.

-

2009-08-02 Shorewall 4.4.0 RC 2
-

-
Read the details at http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-RC2/releasenotes.txt
-

2009-07-26 Shorewall 4.4.0 RC 1
-

-
Read the details at http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-RC1/releasenotes.txt
-

2009-07-12 Shorewall 4.4.0 Beta 4
-

-
Read the details at http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta4/releasenotes.txt
- - -

2009-06-29 Shorewall 4.4.0 Beta 3
-

-
Read the details at http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta3/releasenotes.txt
- -

2009-06-21 Shorewall 4.4.0 Beta 2
-

-
Read the details at http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta2/releasenotes.txt
- -

2009-06-18 Shorewall 4.2.10
-

-
Problems corrected in Shorewall 4.2.10

1) A 'large quantum' warning log message during restart has been
eliminated. The log message occurred when an interface with a large
OUT-BANDWIDTH was defined in /etc/shorewall/tcdevices.

2) When a REJECT rule included a log entry, the disposition in the log
message was incorrectly shown as 'reject' rather than 'REJECT'.

3) When 'forward' was specified on one or more interfaces in
/etc/shorewall6/interfaces, the progress message "Compiling
Interface forwarding..." was issued multiple times. Now, only one
instance of the message is generated.

4) A typing error in the IPv6 two-interface sample shorewall6.conf
file has been corrected. This error prevented the compiler from
being able to find macros in /usr/share/shorewall/.

Known Problems Remaining:

1) When exclusion is used in an entry in /etc/shorewall/hosts, then
Shorewall-shell produces an invalid iptables rule if any of the
following OPTIONS are also specified in the entry:

blacklist
maclist
norfc1918
tcpflags

2) Shorewall-shell generates inversion rules which produce
warnings with iptables 1.4.3.

Example:

iptables -A lan2fw -p 6 --dport 999 -s ! 192.168.20.1 -j ACCEPT

with iptables 1.4.3.1 the following information message is produced:

Using intrapositioned negation (`--option ! this`) is deprecated in
favor of extrapositioned (`! --option this`).

We don't intend to fix this. It's time to migrate to Shorewall-perl
anyway.

New Features in Shorewall 4.2.10

1) Shorewall's suppport for dynamic gateways on interfaces managed by
dhclient works on OpenSuSE systems but not on some other
distributions.

In order to generalize support for learning the gateway for dynamic
interfaces, a new 'findgw' extension script (user exit) has been
added.

The exit will be invoked in a function that has a single argument:

$1 = <name of an interface>

If the function can determine the gateway for the passed interface,
it should write the gateway to standard out. Here is a sample
/etc/shorewall/findgw that works with dhclient (dhcp3) in Debian
Lenny:

if [ -f /var/lib/dhcp3/dhclient.${1}.leases ]; then
grep 'option routers' /var/lib/dhcp3/dhclient.${1}.leases |\
tail -n 1 |\
while read j1 j2 gateway; do\
echo $gateway | sed 's/;//';\
done
fi

The same code works on Ubuntu Jaunty if you replace the first '.'
with '-' and replace '.leases' with '.lease' (don't you just love
the consistency between distributions?).

That code also works on CentOS if you replace 'dhcp3' by
'dhclient'.

'findgw' files that have been customized for various distributions
may be found at
http://www.shorewall.net/pub/shorewall/contrib/findgw.
-

-

2009-06-13 Shorewall 4.4.0 Beta 1

-
Read the details at http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt
-

2009-05-14 Shorewall 4.2.9

-

-
Problems corrected in Shorewall 4.2.9

1) The Shorweall-perl 4.2.8 compiler did not rename the output script
file with the result that:

a) Shorewall would not start for the first time after
installation.
b) Configuration changes were apparently ignored.

2) Placing a broadcast address in the BROADCAST column of
/etc/shorewall/interfaces caused Shorewall-perl to generate an
error:

ERROR: Invalid BROADCAST address : /etc/shorewall/interfaces\
(line 225)

3) When Shorewall could not determine the MAC address of of a gateway
router where multiple providers are configured through the same
interface, invalid iptables-restore input was generated. This
resulted in an error message similar to the following:

iptables-restore v1.3.5: Bad mac address `-j'

4) Shorewall-perl was not processing the tcrules file when
TC_ENABLED=No.

5) When 'all' appeared in the SOURCE column of a DNAT rule, no rule to
redirect output from the firewall itself was generated.

6) The 'shorewall iprange' command failed to produce a minimal list of
networks.

New Features in Shorewall 4.2.9

1) Shorewall6 has now been validated on Ubuntu Hardy running kernel
2.6.24. Shorewall6 is now supported on that kernel version.
-

2009-04-16 Shorewall 4.2.8
-

-

-
Problems Corrected in Shorewall 4.2.8

1) The 'start -f' command would previously skip the compilation step
unconditionally when the 'make' utility was not installed. Now, the
compilation step is run unconditionally in this case.

2) When ADD_IP_ALIASES=Yes in shorewall.conf, entries in
/etc/shorewall/nat produce this failure at compile time when
using Shorewall-perl:

ERROR: Internal Error in emit : /etc/shorewall/nat (line 12)

3) When LOG_MARTIANS=Yes with Shorewall-perl, setting logmartians=0 in
an entry in /etc/shorewall/interface failed to suppress martian
logging on the interface.

4) Shorewall-perl now generates rules with inversion that are
compatible with iptables 1.4.3.

5) When a network address was specified in the SOURCE or DEST column of
/etc/shorewall/tcfilters, Shorewall-perl was generating an incorrect
netmask.

New Features in 4.2.8

1) The /usr/share/shorewall/modules and /usr/share/shorewall6/modules
files have been updated for iptables 1.4.3/kernel 2.6.29.
-

2009-03-19 Shorewall 4.2.7

-

-
Problems corrected in 4.2.7

1) Previously, the 'start' command set the permission flags on
/var/lib/shorewall*/state so that it could be read by
non-root users while the 'stop' command set the permissions such
that the file could not be read by those users.

Beginning with 4.2.7, both commands will secure the file for
root-only access. If you want the file to be world-readable, then
add

chmod 744 <file name>

To your /etc/shorewall/started, /etc/shorewall/stopped and
/etc/shorewall/restored files.

2) The 'shorewall6 dump' command now correctly displays the installed
version of Shorewall-perl. It also displays the IPv6 neighbor table
contents rather than the ARP table contents.

3) Under some circumstances, interface options like nosmurfs and
tcpflags would not be applied to forwarded traffic when using
Shorewall-perl.

4) The following rule was badly mis-handled:

DNAT- loc net:1.2.3.4:2525 tcp 25

The result:

WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules (line 459)
Can't call method "inet_htoa" without a package or object reference at
/usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150,
<$currentfile> line 459.

5) Previously, OPTIONS were not allowed with a bridge port in
/etc/shorewall/interfaces. That oversight has been corrected and
now the following OPTIONS are allowed:

blacklist
maclist
norfc1918
nosmurfs
routeback
tcpflags

6) Tuomo Soini provided a workaround patch for a problem seen in some
kernel's (see FAQ 82) that caused 'shorewall start' to fail when
USE_DEFAULT_RT=Yes .

New Features in Shorewall 4.2.7

1) Prior to Shorewall version 3.0.0, rules generated by
/etc/shorewall/tunnels were traversed before those generated by
/etc/shorewall/rules. When SECTIONs were added to the rules file in
3.0.0, traversal of the tunnel rules was deferred until after those
generated by the NEW section of the rules file.

Beginning with Shorewall-perl 4.2.7, the tunnel rules are back
where they started -- right before the first rule generated by the
NEW section of /etc/shorewall/rules.

2) To allow bypassing of connection tracking for certain traffic,
/etc/shorewall/notrack and /etc/shorewall6/notrack files have been
added.

Columns in the file are:

SOURCE - <zone>[:<interface>][:<address list>]

DEST - [<address list>]

PROTO - <protocol name or number>

DEST PORT(S) - <port number list>

SOURCE PORT(S) - <port number list>

USER/GROUP - [<user>][:<group>]

May only be specified if the SOURCE <zone> is $FW.

Traffic that matches all given criteria will not be subject to
connection tracking. For such traffic, your policies and/or rules
must deal with ALL of the packets involved, in both the original
and the opposite directions. All untracked traffic is passed
through the relevant rules in the NEW section of the rules
file. Untracked encapsulated tunnel traffic can be handled by
entries in /etc/shorewall/tunnels just like tracked traffic
is. Because every packet of an untracked connection must pass
through the NEW section rules, it is suggested that rules that deal
with untracked traffic should appear at the top of the file.

Example:

/etc/shorewall/tunnels:

#TYPE ZONE GATEWAY
6to4 net

/etc/shorewall/notrack

#SOURCE DEST PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP
net:!192.88.99.1 - 41

Given that 192.88.99.1 is an anycast address, many hosts can
respond to outward traffic to that address. The entry in
/etc/shorewall/tunnels allows protocol 41 net<->fw. The entry in
/etc/shorewall/notrack prevents the inbound traffic from creating
additional useless conntrack entries.

As part of this change, the 'show' command is enhanced to support a
'show raw' command that is an alias for 'show -t raw'. The raw
table is where NOTRACK rules are created. The dump command is also
enhanced to display the contents of the raw table.

3) Shorewall-perl supports three additional columns in the
/etc/shorewall/routestopped file:

PROTO -- Protocol name or number

DEST PORT(S) -- comma-separated list of service names and/or port
numbers

SOURCE PORT(S) -- comma-separated list of service names and/or port
numbers.

These columns are only meaningful when the "-f" option to
'shorewall stop' is used.

As part of this change, the "-f" option to the 'stop' and 'clear'
commands is now the default when FAST_STOP=Yes in shorewall.conf.
To override this default, use the "-s" option:

shorewall stop -s

Note that if you have entries with one or more of the new columns,
the -s option will result in warning messages.

gateway:~ # shorewall stop -s
Stopping Shorewall...
WARNING: Unknown routestopped option ignored: notrack
WARNING: Unknown routestopped option ignored: 41
WARNING: Unknown routestopped option ignored: notrack
WARNING: Unknown routestopped option ignored: 41
done.
gateway:~ #

4) Shorewall-perl now handles SOURCE PORT lists of more than 15
entries by breaking the containing rule into multiple rules.
-

2009-02-15 Shorewall 4.2.6

-
Problems corrected in 4.2.6

1) The CONFIG_PATH in the two- and three-interface Shorewall6 sample
configurations was incorrect with the result that this error
occurred on 'shorewall6 check' or 'shorewall6 start'.

ERROR: No IP zones defined

2) Setting TCP_FLAGS_DISPOSITION=REJECT caused both Shorewall-shell
and Shorewall-perl to create invalid iptables commands. This has
been corrected but we still strongly recommend against that
setting; TCP_FLAGS_DISPOSITION=DROP is preferred.

3) Shorewall-perl was generating code that checked for state match
before kernel modules were loaded. This caused start/restart to
fail on systems without kernel module loading.

4) The Shorewall6 and Shorewall6-lite Makefiles were incorrect.

5) If a service name is used in a port-mapping rule (a DNAT or
REDIRECT rule that changes the destination port), and if the
kernel and iptables include Extended Connection Match support, then
invalid iptables-restore input is produced by Shorewall-perl.

6) If iptables 1.4.1 or later was installed, Shorewall-perl generated
incorrect iptables-restore input if exclusion was used in the
ORIGINAL DEST field of a DNAT or REDIRECT rule.

7) On kernels earlier than 2.6.20, the 'shorewall show connections'
command fails.

New Feature in Shorewall 4.2.6

1) A BitTorrent32 macro has been added. This macro matches the
extended TCP port range used by BitTorrent 3.2 and later.

2) A new COUNT action has been added to Shorewall-perl. This action
creates an iptables (ip6tables) rule with no target. Connections
matching such a rule are simply counted and the packet is passed on
to the next rule.

Shorewall-shell ignores COUNT in actions and macros, thus allowing
the standard actions (action.Drop and action.Reject) to have a
COUNT rule as their first entry.

3) A new RESTORE_DEFAULT_ROUTE option has been added to
shorewall.conf. It is used to determine whether to restore the
default route saved when there are 'balance' providers defined but
all of them are down.

The default is RESTORE_DEFAULT_ROUTE=Yes which preserves the
pre-4.2.6 behavior.

RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a
default route in the main table (USE_DEFAULT_RT=No) or in the
default table (USE_DEFAULT_RT=Yes) when there are no balance
providers available. In that case, RESTORE_DEFAULT_ROUTE=No
will cause any default route in the relevant table to be deleted.

4) IPv4 firewall scripts produced by Shorewall-perl now use dhcpcd's
database when trying to detect the gateway for an interface
("detect" in the GATEAWAY column in /etc/shorewall/interfaces).

As part of this change, it is now permitted to specify 'detect'
when USE_DEFAULT_RT=Yes; in that case, the script will only detect
gateways for point-to-point devices and for devices configured by
dhcpcd.

5) Shorewall-perl now supports port inversion. A port number or list
of port numbers may be preceded by '!" which will cause the rule to
match all ports EXCEPT those listed:

Example: To blacklist 206.124.146.176 for all tcp ports except 80:

ADDRESS/SUBNET PROTO PORT(S)
206.124.146.177 tcp !80

6) Shorewall-perl now supports protocol inversion. A protocol name or
number may be preceded by '!' to specify all protocols except the
one following '!'.

Example: To blacklist 206.124.146.176 for all protocols except
UDP:

ADDRESS/SUBNET PROTO PORT(S)
206.124.146.177 !udp

Note that ports may not be specified when protocol inversion
is used.

7) When using Shorewall-perl, neither the 'start' nor 'started'
extension script is run during processing of the 'restore'
command. To allow extension of that command, we have added a
'restored' extension script that runs at the successful completion
of 'restore'. This script is only available with Shorewall-perl.

With Shorewall-shell, both scripts are run during 'restore' but in
that case, the run_iptables() function does nothing. So any
run_iptables() calls in the 'start' script are effectively ignored.

8) Shorewall-perl now correctly handles 'here documents' quoting
(<<EOF .... EOF) in run-time extension scripts.
-

2009-01-22 Shorewall 4.2.5
-

-

-
Problems corrected in 4.2.5

1) If exclusion is used to define a zone in /etc/shorewall/hosts and
that zone is used as the SOURCE zone in a DNAT or REDIRECT rule,
then Shorewall-perl can generate invalid iptables-restore input.

2) A bug in the Perl Cwd module (see
http://rt.cpan.org/Public/Bug/Display.html?id=13851) causes the
Shorewall-perl compiler to fail if it doesn't have at least read
access to its current working directory. 4.2.5 contains a
workaround.

3) If 'critical' was specified on an entry in
/etc/shorewall6/routestopped, Shorewall6 (Shorewall-perl) would
generate an error.

4) In certain cases where exclusion occurred in /etc/shorewall/hosts,
Shorewall-perl would generate incorrect iptables-restore input.

5) In certain cases where exclusion occurred in /etc/shorewall/hosts,
Shorewall-perl would generate invalid iptables-restore input.

6) The 'shorewall6 refresh' command runs iptables_restore rather than
ip6tables_restore.

7) The commands 'shorewall6 save-start', 'shorewall6-save-restart' and
'shorewall6 restore' were previously broken.

8) The Debian init script was checking $startup in
/etc/default/shorewall rather than in /etc/default/shorweall6

9) The Archlinux init scripts for Shorewall6 and Shorewall6 Lite were
unconverted Shorewall scripts.

10) When 'detect' is used in the GATEWAY column of
/etc/shorewall/providers, Shorewall-perl now ensures that the
gateway was successfully detected. If the gateway cannot be
detected, action is taken depending on whether the provider is
'optional' or not. If the provider is optional, it's configuration
is skipped; if the provider is not optional, the current operation
is aborted.

11) The command 'shorewall6 debug start' would previously fail with
ERROR: Command "/sbin/ip6tables -t nat -F" Failed

12) Both ipv4 and ipv6 compiled programs attempt to run the tcclear
script itself at run time rather than running the copy of the
file in the compiled script. This usually isn't noticable unless
you are running Shorewall Lite or Shorewall6 Lite in which case,
the script doesn't get run (since it is on the administrative
system and not the firewall system).

13) If your iptables/kernel included "Extended Connection Tracking
Match support" (see the output of "shorewall show capabilities"),
then a REDIRECT rule that specified a port list or range would
cause Shorewall-perl to create invalid iptables-restore input:

Running /usr/sbin/iptables-restore...
iptables-restore v1.4.2-rc1: conntrack: Bad value for
"--ctorigdstport" option: "1025:65535"
Error occurred at line: 191
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input

Known Problems Remaiining:

1) When exclusion is used in an entry in /etc/shorewall/hosts, then
Shorewall-shell produces an invalid iptables rule if any of the
following OPTIONS are also specified in the entry:

blacklist
maclist
norfc1918
tcpflags

New Feature in Shorewall 4.2.5

1) A new 'fallback' option is added in
/etc/shorewall/providers. The option works similar to 'balance'
except that the default route is added in the default routing table
(253) rather than in the main table (254).

The option can be used by itself or followed by =<number> (e.g,
fallback=2).

When the option is used by itself, a separate (not balanced)
default route is added with a metric equal to the provider's NUMBER.

When the option is used with a number, a balanced route is added
with the weight set to the specified number.

'fallback' is ignored if USE_DEFAULT_RT=Yes in shorewall.conf and
is only available with Shorewall-perl.

'fallback' is useful in situations where:

- You want all traffic to be sent via one primary provider unless
there is a compelling reason to use a different provider

- If the primary provider is down, then you want to balance the
outgoing traffic among a set of other providers or to a
ordered list of providers.

In this case:

- Do not specify 'balance' on any of the providers.
- Disable route filtering ('ROUTE_FILTER=No' in shorewall.conf).
- Specify 'fallback' on those providers that you want to use if
the primary is down.
- Only the primary provider should have a default route in the main
routing table.

See http://www.shorewall.net/MultiISP.html#Complete for an example
of this option's use.

2) Shorewall-perl now transparently handles the xtables-addon version
of ipp2p. Shorewall detects whether the installed ipp2p is from
patch-o-matic-ng or from xtables-addon and proceeds accordingly.

If the patch-o-matic-ng version is installed:

a) If no DEST PORT is supplied, the default is "--ipp2p".
b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
iptables-restore as "--ipp2p".

If the xtables-addons version is installed:

a) If no DEST PORT is supplied, the default is "--edk --gnu --dc
--kazaa".
b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
iptables-restore as "--edk --gnu --dc --kazaa".

Shorewall-perl now also accepts a comma-separated list of options
(e.g., "edk,gnu,dc,kazaa).

Additionally, Shorewall now looks for modules in /lib/modules/$(uname
-r)/extra and in /lib/modules/$(uname -r)/extra/ipset

This change introduced a new capability ("Old IPP2P Match Syntax")
so if you use a capabilities file, be sure to re-generate the
file(s) after you have installed 4.2.5.

3) There is now a macro.Git, which opens git-daemon's port (9418/tcp).

4) There is also a macro.IRC which open's the Internet Relay Chat port
(6667/tcp).
-

2009-01-06 Winner of the Shorewall Logo Design Competition -Announced

-The Shorewall developers are pleased to announce that after deliberating
-upon the matter, we have chosen Gareth Davies' #3 design.
-

See -http://trac.shorewall.net/wiki/LogoDesignCompetition for details.
-

-

2008-12-31 Shorewall 4.2.4

-

-
1) In 4.2.4, two new packages are included:

a) Shorewall6 - analagous to Shorewall-common but handles IPv6
rather than IPv4.

b) Shorewall6-lite - analagous to Shorewall-lite but handles IPv6
rather than IPv4.

The packages store their configurations in /etc/shorewall6/ and
/etc/shorewall6-lite/ respectively.

The fact that the packages are separate from their IPv4 counterparts
means that you control IPv4 and IPv6 traffic separately (the same
way that Netfilter does). Starting/Stopping the firewall for one
address family has no effect on the other address family.

For additional information, see
http://www.shorewall.net/IPV6Support.html.

Other features of Shorewall6 are:

a) There is no NAT of any kind (most people see this as a giant step
forward). When an ISP assigns you a public IPv6 address, you are
actually assigned an IPv6 'prefix' which is like an IPv4
subnet. A 64-bit prefix allows 4 billion squared individual hosts
(the size of the current IPv4 address space squared).

b) The default zone type is ipv6.

c) The currently-supported interface options in Shorewall6 are:

blacklist
bridge
dhcp
nosmurfs (traps multicast and Subnet-router anycast addresses
used as the packet source address).
optional
routeback
sourceroute
tcpflags
mss
forward (setting it to 0 makes the router behave like a host
on that interface rather than like a router).

d) The currently-supported host options in Shorewall6 are:

blacklist
routeback
tcpflags

e) Traffic Shaping is disabled by default. The tcdevices and
tcclasses files are address-family independent so
to use the Shorewall builtin Traffic Shaper, TC_ENABLED=Internal
should be specified in Shorewall or in Shorewall6 but not in
both. In the configuration where the internal traffic shaper is
not enabled, CLEAR_TC=No should be specified.

tcfilters are not available in Shorewall6.

f) When both an interface and an address or address list need to
be specified in a rule, the address or list must be enclosed in
angle brackets. Example:

#ACTION SOURCE DEST
ACCEPT net:eth0:<2001:19f0:feee::dead:beef:cafe> dmz

Note that this includes MAC addresses as well as IPv6 addresses.

The HOSTS column in /etc/shorewall6/hosts also uses this
convention:

#ZONE HOSTS OPTIONS
chat6 eth0:<2001:19f0:feee::dead:beef:cafe>

Even when an interface is not specified, it is permitted to
enclose addresses in <> to improve readability. Example:

#ACTION SOURCE DEST
ACCEPT net:<2001:1::1> $FW

g) The options available in shorewall6.conf are a subset of those
available in shorewall.conf.

h) The Socket6.pm Perl module is required if you include DNS names
in your Shorewall6 configuration. Note that it is loaded the
first time that a DNS name is encountered so if it is missing,
you get a message similar to this one:

...
Checking /etc/shorewall6/rules...
Can't locate Socket6.pm in @INC (@INC contains: /root ...
teastep@ursa:~/Configs/standalone6$
-

2008-12-16 Shorewall 4.2.3

-

-
Problems corrected in Shorewall 4.2.3

1) Previously, Shorewall would allow compilation for export of a
script named 'shorewall' with the unfortunate side effect that
the 'shorewall.conf' file was overwritten. Scripts named
'shorewall' now cause a fatal error to be raised.

2) Previously, Shorewall-perl attempted to do Shell variable
substitution on the first line in /etc/shorewall/compile.

3) Following the Netfilter tradition, the IPP2P maintainer has made an
incompatible syntax change (the --ipp2p option has been
removed). Shorewall has always used "-m ipp2p --ipp2p" when
detecting the presence of IPP2P support.

Shorewall-common and Shorewall-perl have been modified to use
"-m ipp2p --edk" instead.

4) When Extended Conntrack Match support was available, Shorewall-perl
would create invalid iptables-restore input for certain DNAT rules.

5) An optimization in all Shorewall-perl 4.2 versions could cause
undesirable side effects. The optimization deleted the
<interface>_in and <interface>_fwd chains and moved their rules
to the appropriate rules chain (a <zone>2<xxx> chain).

This worked badly in cases where a zone was associated with more
than one interface. Rules could be duplicated or, worse, a rule
that was intended for only input from one of the interfaces would
be applied to input from all of the zone's interfaces.

This problem has been corrected so that an interface-related
chains is only deleted if:

a) the chain has no rules in it; or
b) the interface is associated with only one zone and that zone is
associated with only that interface in which case it is safe to
move the rules.

Other changes in Shorewall 4.2.3

1) Except with the -e option is specified, the Shorewall-perl compiler
now verifies user/group names appearing in the USER/GROUP column of
the rules file.

2) The output of 'shorewall dump' now includes the output from
'netstat -tunap'.

3) Shorewall-perl now accepts '+' as an interface name in
/etc/shorewall/interfaces. That name matches any interface and is
useful for defining a zone that will match any interface that might
be added after Shorewall is started.

A couple of words of caution are in order.

a) Because '+' matches any interface name, Shorewall cannot
verify interface names appearing in other files when '+' is
defined in /etc/shorewall/interfaces.

b) The zone assigned to '+' must be the last one defined in
/etc/shorewall/zones.

4) Shorewall-perl now uses the iptables --goto parameter in obvious
cases.

5) The 'reset' command now allows you to reset the packet and byte
counter on individual chains:

shorewall reset chain1 chain2 ...
shorewall-lite reset chain1 chain2 ...
-

2008-11-20 Shorewall 4.2.2

-

-Problems corrected in Shorewall 4.2.2 -

1) Shorewall-perl now insures that each line copied from a
configuration file or user exit is terminated with a newline
character.

2) When ipranges were used to define zones, Shorewall-perl could
generate invalid iptables-restore input if 'Repeat Match' was not
available. Repeat Match is not a true match -- it rather is a
feature of recent iptables releases that allows a match to be
repeated within a rule.

3) With Shorewall-perl, if a destination port list had exactly 16
ports, where a port-range counts as two ports, then Shorewall-perl
would fail to split the rule into multiple rules and an
iptables-restore error would result.

4) The change to Shorewall-perl in 4.2.1 that promised iptables 1.4.1
compatibility contained a typo that prevented it from working
correctly.

5) If a no-NAT rule (DNAT-, ACCEPT+, NONAT) included a destination IP
address and no zone name in the DEST column, Shorewall-perl would
reject the rule. If a zone name was specified, Shorewall-perl
would issue a Warning message.

6) Previously, if Extended conntrack match support was available, a
DNAT rule that specified a server port but no destination port
would generate invalid iptables-restore input.

Other changes in Shorewall 4.2.2

1) A macro supporting JAP (anonymization protocol) has been added.
It can be used as any other macro (e.g., JAP/ACCEPT) in the rules
file.

2) A macro supporting DAAP (Digital Audio Access Protocol) has been added.
It can be used as any other macro (e.g., DAAP/ACCEPT) in the rules
file.

3) A macro supporting DCC (Distributed Checksum Clearinghouse) has been
added. It can be used as any other macro (e.g., DCCP/ACCEPT) in the
rules file.

4) A macro supporting GNUnet (secure peer-to-peer networking) has been
added. It can be used as any other macro (e.g., GNUnet/ACCEPT) in the
rules file.

5) In 4.2.1, a single capability ("Extended conntrack match support")
was used both to control the use of --ctorigport and to trigger use
of the new syntax for inversion of --ctorigdst (e.g., "!
--ctorigdst ..."). In 4.2.2, these are controlled by two separate
capabilities. If you use a capabilities file when compiling your
configuration, be sure to generate a new one after installing
4.2.2.
-

2008-10-25 Shorewall 4.2.1
-

-
Problems corrected in Shorewall 4.2.1

1) A description of the CONNBYTES column has been added to
shorewall-tcrules(5).

2) Previously, Shorewall-perl would accept zero as the <max> value in
the CONNBYTES column of tcrules even when the <min> field was
non-zero. A value of zero for <max> was equivalent to omitting
<max>.

3) iptables 1.4.1 discontinued support of syntax generated by
shorewall in some cases. Shorewall now detects when the new syntax
is required and uses it instead.

4) The Shorewall-perl implementation of the LENGTH column in
/etc/shorewall/tcrules was incomplete with the result that
all LENGTH rules matched. Thanks to Lennart Sorensen for the patch.

5) The 'export' command no longer fails with the error:

/sbin/shorewall: 1413: Syntax error: "(" unexpected (expecting "fi")

Other changes in Shorewall 4.2.1

1) With the recent renewed interest in DOS attacks, it seems
appropriate to have connection limiting support in Shorewall. To
that end, a CONNLIMIT column has been added to both the policy and
rules files.

The content of these columns is of the format

[!] <limit>[:<mask>]

where

<limit> is the limit on simultaneous TCP connections.

<mask> specifies the size of the network to which
the limit applies and is specified as a
CIDR mask length. The default value for
<mask> is 32 which means that each remote
IP address can have <limit> TCP connections
active at once.

! Not allowed in the policy file. In the rules file, it
causes connections to match when the number of
current connections exceeds <limit>.

When specified in the policy file, the limit is enforced on all
connections that are subject to the given policy (just like
LIMIT:BURST). The limit is checked on new connections before the
connection is passed through the rules in the NEW section of the
rules file.

It is important to note that while the limit is only checked for
those destinations specified in the DEST column, the number of
current connections is calculated over all destinations and not
just the destination specified in the DEST column.

Use of this feature requires the connlimit match capability in your
kernel and iptables. If you use a capabilities file when compiling
your Shorewall configuration(s), then you need to regenerate the
file using Shorewall or Shorewall-lite 4.2.1.

2) Shorewall now supports time/date restrictions on entries in the
rules file via a new TIME column.

The contents of this column is a series of one or more "time
elements" separated by apersands ("&"). Possible time elements are:

utc Times are expressed in Greenwich Mean Time.
localtz Times are expressed in local civil time (default)
timestart=hh:mm[:ss]
timestop=hh:mm[:ss] Start and stop time of day for rule
weekdays=ddd[,ddd]... where ddd is Mon,Tue,Wed,Thu,Fri,Sat or
Sun
monthdays=dd[,dd]... where dd is an ordinal day of the month.
datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
where yyyy = Year
first mm = Month
dd = Day
hh = Hour
2nd mm = Minute
ss = Second

Examples:

1) utc&timestart=10:00&timestop=12:00

Between 10am and 12 noon each day, GMT

2) datestart=2008-11-01T12:00

Beginning November 1, 2008 at noon LCT.

Use of this feature requires the time match capability in your
kernel and iptables. If you use a capabilities file when compiling
your Shorewall configuration(s), then you need to regenerate the
file using Shorewall or Shorewall-lite 4.2.1.
-

2006-10-05 Shorewall 4.2.0

-
Release Highlights.

1) Support is included for multiple internet providers through the same
ethernet interface.

2) Support for NFLOG has been added.

3) Enhanced operational logging.

4) The tarball installers now work under Cygwin.

5) Shorewall-perl now supports IFB devices which allow traffic shaping of
incoming traffic.

6) Shorewall-perl supports definition of u32 traffic classification
filters.
-

-
-

2008-03-29 Shorewall 4.0.10

-

-
Problems corrected in Shorewall-perl 4.0.10.

1)  Shorewall-perl 4.0.9 erroneously reported an error message when a
    bridge port was defined in /etc/shorewall/interfaces:

     ERROR: Your iptables is not recent enough to support bridge ports

2)  Under Shorewall-perl, if an empty action was invoked or was named
    in one of the DEFAULT_xxx options in shorewall.conf, an
    iptables-restore error occured.

3)  If $ADMIN was empty, then the rule:

        ACCEPT loc:$ADMIN all

     became

        ACCEPT loc   net

     It is now flagged as an error.

4)  Previously, Shorewall-perl would reject an IP address range in the
    ecn and routestopped files.

5)  A POLICY of ":" in /etc/shorewall/policy would produce Perl
    run-time errors.

6)  An INTERFACE of ":" in /etc/shorewall/interfaces would produce Perl
    run-time errors.

7)  A MARK of ":" in /etc/shorewall/tcrules would produce Perl
    run-time errors.

Problems corrected in Shorewall-shell 4.0.10.

1)  Specifying a value for ACCEPT_DEFAULT or QUEUE_DEFAULT resulted in
    a fatal error at compile time.

Known Problems Remaining.

1)  The 'refresh' command doesn't refresh the mangle table. So changes
    made to /etc/shorewall/providers and/or /etc/shorewall/tcrules may
    not be reflected in the running ruleset.

Other changes in 4.0.10.

1)  The Sample configurations have been updated to set
    LOG_MARTIANS=keep. In 4.2, this will be changed to
    LOG_MARTIANS=Yes.

2)  Shorewall-perl now generates a fatal error if a non-existant shell
    variable is used in any configuration file (except
    /etc/shorewall/params).

3)  Shorewall-perl now supports an 'l2tp' tunnel type. It opens UDP
    port 1701 in both directions and assumes that the source port will
    also be 1701. Some implementations (particularly OS X) use a
    different source port. In that case, you should use
    'generic:udp:1701' rather than 'l2tp'.
-

2008-03-01 Shorewall 3.4.8

-
1)  Shorewall now removes any default bindings of ipsets before
attempting to reload them. Previously, default bindins were not
removed with the result that the ipsets could not be destroyed.


2) When HIGH_ROUTE_MARKS=Yes, unpredictable results could occur when
marking in the PREROUTING or OUTPUT chains. When a rule specified a
mark value > 255, the compiler was using the '--or-mark' operator
rather than the '--set-mark' operator with the result that when a
packet matched more than one rule, the resulting routing mark was
the logical product of the mark values in the rules.


Example:


0x100 192.168.1.44 0.0.0.0/0
0x200 0.0.0.0/0 0.0.0.0/0 tcp 25


A TCP packet from 192.168.1.44 with destination port 25 would end
up with a mark value of 0x300.


3) Shorewall now properly parses comma separated SOURCE (formerly
SUBNET) values in the masq configuration file. Previously, the comma
separated list was not split up into its components, resulting in an
invalid address being passed to the iptables command.


Example:


# /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 192.168.2.1,192.168.2.3


4) Previously, specifying both an interface and a MAC address in the
SOURCE column of the tcrules file caused a failure at runtime.
Thanks to Justin Joseph for the patch.


5) Previously, specifying both an interface and an address in the
tcrules DEST column would cause an incomplete rule to be generated.


Example:


1 192.168.1.4 eth2:206.124.146.177 tcp 22


The resulting tcrule would be as if this had been specified:


1 0.0.0.0/0 eth2:206.124.146.177 tcp 22


6) When HIGH_ROUTE_MARKS=Yes, the routing rules generated to match
fwmarks to routing tables overflowed the designated range for such
marks (10000 - 11000).
-
-

2008-02-23 Shorewall 4.0.9

-

-
Problems corrected in Shorewall-perl 4.0.9.1

1) In 4.0.9, Shorewall-perl incorrectly generated the following error
message:

ERROR: Your iptables is not recent enough to support bridge ports

Problems corrected in Shorewall-perl 4.0.9

1) If a zone was defined with exclusion in /etc/shorewall/hosts, then
the rules generated for directing outgoing connections to the zone
were incorrect.

Example:

/etc/shorewall/zones:

z ipv4

/etc/shorewall/interfaces:

- eth2

/etc/shorewall/hosts:

z eth2:192.168.1.0/24!192.168.1.5

Traffic from the firewall to 192.168.1.5 was incorrectly classified
as $FW->z.

2) Qualifying 'SOURCE' and 'DEST' with an IP address in a macro file
caused 'SOURCE' or 'DEST' to be interpreted incorrectly as the name
of an interface.

Example:

PARAM DEST SOURCE:224.0.0.22

3) Specifying '!<user>' in the USER/GROUP column of the files that
support it resulted in an invalid iptables rule under
Shorewall-perl.

4) Previously, Shorewall would accept both an interface and an IP
address in tcrules POSTROUTING entries (such as CLASSIFY).

Example:

1:11 eth1:192.168.4.9 - tcp 22

It also allowed both a destination interface and address.

Example:

1:P - eth1:192.168.4.9 tcp 22

Because Netfilter does not allow an input interface to be specified
in POSTROUTING or an output interface to be specified in
PREROUTING, Shorewall must use the routing table to generate a list
of networks accessed through any interface specified in these
cases. Given that a specific address (or set of addresses) has
already been specified, it makes no sense qualify it (them) by
another list of addresses.

5) Shorewall-perl incorrectly generated a fatal error when ':C',
':T' or ':CT' was used in a tcrules entry that gave $FW as the
SOURCE.

6) Users have been confused about this error message:

ERROR: Bridge Ports require Repeat match in your kernel and iptables

The message has been replaced with:

ERROR: Your iptables is not recent enough to support bridge ports

The minimum version required is 1.3.8.

Problems corrected in Shorewall-shell 4.0.9.

1) An optimization added to Shorewall-shell in 4.0.0 has been backed
out to work around a limitation of Busybox 'sed'.

2) Previously, specifying both an interface and an address in the
tcrules DEST column would cause an incomplete rule to be generated.

Example:

1 192.168.1.4 eth2:206.124.146.177 tcp 22

The resulting tcrule would be as if this had been specified:

1 0.0.0.0/0 eth2:206.124.146.177 tcp 22

3) When HIGH_ROUTE_MARKS=Yes, the routing rules generated to match
fwmarks to routing tables previously overflowed the designated
range defined for such marks (10000 - 11000).

Known Problems Remaining.

1) The 'refresh' command doesn't refresh the mangle table. So changes
made to /etc/shorewall/providers and/or /etc/shorewall/tcrules may
not be reflected in the running ruleset.

Other changes in 4.0.9.

1) The Shorewall-perl now flags unprintable garbage characters in
configuration files with the message:

ERROR: Non-ASCII gunk in file

2) The /usr/share/shorewall/modules file has been updated to reflect
module renaming in kernel 2.6.25.

3) The 'ip route replace' command is broken in kernel 2.6.24. To work
around this problem, the undocumented option BROKEN_ROUTING has
been added to shorewall.conf. The default is BROKEN_ROUTING=No.

If you are experiencing 'File Exists' errors from 'ip route
replace' commands, then add the following line to your
shorewall.conf:

BROKEN_ROUTING=Yes

Note: This workaround is only available in Shorewall-perl.
-

2008-01-25 Shorewall 4.0.8

-

-
Problems corrected in Shorewall-perl 4.0.8.

1) Mark tests (such as in the TEST column of tcrules or the MARK
column of the rules file) were ignoring the value 0. As part of
this fix, the default mask generated by entries in these columns
has been changed from 0xFF to 0xFFFF for compatibility with
Shorewall-shell.

2) The compilation date recorded in the firewall.conf file produced by
Shorewall-perl was previously mangled.

3) The ability to specify a DEST IP range (round-robin) in a DNAT rule
has been restored. In versions 4.0.5 - 4.0.7, an IP range was
incorrectly flagged as an error.

Problems corrected in Shorewall-shell 4.0.8.

1) Shorewall-shell now properly parses comma separated SOURCE (formerly
SUBNET) values in the masq configuration file. Previously, the comma
separated list was not split up into its components, resulting in an
invalid address being passed to the iptables command.

Example:

# /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 192.168.2.1,192.168.2.3

Known Problems Remaining.

1) The 'refresh' command doesn't refresh the mangle table. So changes
made to /etc/shorewall/providers and/or /etc/shorewall/tcrules may
not be reflected in the running ruleset.

Other changes in 4.0.8.

None.
-
2007-12-26 Shorewall 4.0.7 -
Problems corrected in Shorewall-perl 4.0.7
-
1)  If any of the following files was missing, a harmless Perl warning
    was issued:
-
       accounting
       maclist
       masq
       nat
       netmap
       rfc1918
       routestopped
       tunnels
-
    This problem was experienced mostly by Debian users and users of
    Debian derivatives such as Ubuntu.
-
2)  The iptables utility doesn't retry operations that fail due to
    resource shortage. Beginning with this release, Shorewall reruns
    iptables when such a failure occurs.
-
3)  Previously, Shorewall-perl did not accept log levels in upper case
    (e.g., INFO). Beginning with 4.0.7, log levels are treated in a
    case-insensitive manner by Shorewall-perl.
-
4)  The column headers in macro files were not aligned. This has been
    corrected, along with some inaccuracies in the macro.template file.
-
5)  The shorewall.conf files in the Samples did not contain some
    recently-defined options. They are now up to date.
-
6)  The names of the Jabber macros were shuffled. They are now named
    correctly.
-
7)  If ADD_IP_ALIASES=Yes, an alias was incorrectly added when the
    specified INTERFACE ended with ":" (e.g., eth0:).
-
8)  Shorewall-shell generated an incorrect iptables rule from the
    following:
-
    /etc/shorewall/rules:
-
    ACCEPT     loc:eth0:~00-02-02-02-02-02  ...
-
    /etc/shorewall/tcrules:
-
    xxxx        eth0:~00-02-02-02-02-02 ...
-
Known Problems Remaining.
-
1)  The 'refresh' command doesn't refresh the mangle table. So changes
    made to /etc/shorewall/providers and/or /etc/shorewall/tcrules may
    not be reflected in the running ruleset.
-
Other changes in 4.0.7
-
1)  If the program named in SHOREWALL_SHELL doesn't exist or is not
    executable, Shorewall and Shorewall-lite now both fall back to
    /bin/sh after issuing a warning message. Previously, both
    terminated with a fatal error.
-
2)  The error message has been improved when a non-root user attempts
    "shorewall show capabilities".
-
3)  Shorewall-perl now generates fatal error conditions when there are
    no IPv4 zones defined and when there are no interfaces defined.
-

2007-12-26 Shorewall 4.1.3

-
Problems corrected in Shorewall 4.1.3.
-
1)  If NFLOG or ULOG was specified with parameters, the resulting
    iptables-restore input contained elements that were incorrectly
    up-cased.
-
2)  If STARTUP_LOG is specified without LOG_VERBOSITY, /sbin/shorewall
    produces an error.
-
3)  If LOG_VERBOSITY is specified without STARTUP_LOG, run-time error
    messages are produced.
-
4)  Shorewall-shell was mishandling the entries in /etc/shorewall/rules
    and in /etc/shorewall/tcrules where both a SOURCE interface and MAC
    address were specified.
-
    Example:
-
    ACCEPT      net:eth0:~01-02-03-04-05-06    $FW      tcp     22
-
Other changes in Shorewall 4.1.3.
-
1)  If the program named in SHOREWALL_SHELL doesn't exist or is not
    executable, Shorewall and Shorewall-lite now both fall back to
    /bin/sh after issuing a warning message. Previously, both
    terminated with a fatal error.
-
2)  The error message has been improved when a non-root user attempts
    "shorewall show capabilities".
-
3)  Shorewall-perl now generates fatal error conditions when there are
    no IPv4 zones defined and when there are no interfaces defined.
-
4)  Shorewall now unconditionally uses tc filter rules to classify
    traffic by MARK value. Previously, Shorewall used the CLASSIFY
    target in the POSTROUTING chain if it was available.
-
5)  The Shorewall-common installer (install.sh) now works on Windows
    under Cygwin.
-
    To install Shorewall-perl under Cygwin:
-
    $ tar -xf shorewall-perl-4.1.3.tar.bz2
    $ tar -xf shorewall-common-4.1.3.tar.bz2
    $ cd shorewall-perl-4.1.3
    $ ./install.sh
    $ cd ../shorewall-common-4.1.3
    $ USER=<your user id> GROUP=None ./install.sh
   
    The 'shorewall' program is installed in /bin/ (a.k.a, /usr/bin/).
-

2007-11-23 Shorewall 4.0.6

-
Problems corrected in Shorewall-perl 4.0.6.

1) In a DNAT or REDIRECT rule, if no serverport was given and the DEST
PORT(S) list contained a service name containing a hyphen ("-") then
an ERROR was generated.

Example -- Rules file:

DNAT net loc:$WINDOWS_IP tcp https,pptp,ms-wbt-server,4125

Results in:

ERROR: Invalid port range (ms:wbt:server) : rules (line 49)

Problem was introduced in Shorewall 4.0.5 and does not occur in
earlier releases.

2) If a long destination port list needed to be broken at a port pair,
the generated rule contained an extra comma which resulted in an
iptables-restore failure.

3) Several problems involving port ranges and port lists in REDIRECT
rules have been corrected.

4) Shorewall-perl no longer requires an address in the GATEWAY column
of /etc/shorewall/tunnels. If the column is left empty (or contains
'-') then 0.0.0.0/0 is assumed.

5) Previously with Shorewall-perl, redirecting both STDOUT and STDERR
to the same file descriptor resulted in scrambled output between
the two. The error messages were often in the middle of the
regular output far ahead of the point where the error occurred.

This problem was possible in the Debian Shorewall init script
(/etc/init.d/shorewall) which redirects output to the
Debian-specific /var/log/shorewall-init.log file in this way:

$SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && ...

6) With both compilers, when HIGH_ROUTE_MARKS=Yes, unpredictable
results could occur when marking in the PREROUTING or OUTPUT
chains. When a rule specified a mark value > 255, the compilers
were using the '--or-mark' operator rather than the '--set-mark'
operator. Consequently, when a packet matched more than one
rule, the resulting routing mark was the logical product of the
mark values in the matching rules rather than the mark value from
the last matching rule.

Example:

0x100 192.168.1.44 0.0.0.0/0
0x200 0.0.0.0/0 0.0.0.0/0 tcp 25

A TCP packet from 192.168.1.44 with destination port 25 would have
a mark value of 0x300 rather than the expected value of 0x200.

7) Previously, a 'start -f' on Shorewall Lite would produce the
following distressing output before starting the firewall:

make: *** No rule to make target `/firewall', needed by
`/var/lib/shorewall-lite/restore'. Stop.

Furthermore, the Makefile for both Shorewall and Shorewall Lite
failed to take into account the /etc/shorewall/vardir file.

This has been corrected. As part of the fix, both /sbin/shorewall
and /sbin/shorewall-lite support a "show vardir" command that
displays the VARDIR setting.

8) Shorewall-perl was previously ignoring the USER/GROUP column of the
tcrules file.

9) Supplying the name of a built-in chain in the 'refresh' command
caused entries in the chain to be duplicated. Since this is a
feature of iptables-restore with the '-n' option, built-in chains
in the 'refresh' list will now be rejected.

Known Problems Remaining.

1) The 'refresh' command doesn't refresh the mangle table. So changes
made to /etc/shorewall/providers and/or /etc/shorewall/tcrules may
not be reflected in the running ruleset.

Other changes in Shorewall 4.0.6.

1) Shorewall-perl now uses the '--physdev-is-bridged' option when it
is available. This option will suppress messages like the following:

kernel: physdev match: using --physdev-out in the OUTPUT, FORWARD and
POSTROUTING chains for non-bridged traffic is not supported
anymore.

This change only affects users who use bport/bport4 zones in a
briged configuration and requires that capabilities files be
regenerated using Shorewall-common or Shorewall-lite 4.0.6.

2) Shorewall-perl now allows you to embed Shell or Perl scripts in
all configuration files except /etc/shorewall/params and
/etc/shorewall/shorewall.conf (As always, you can continue to
include arbitrary shell code in /etc/shorewall/params).

To embed a one-line script, use one of the following:

SHELL <shell script>
PERL <perl script>

For multi-line scripts, use:

BEGIN SHELL
<shell script>
END SHELL

BEGIN PERL
<perl script>
END PERL

For SHELL scripts, the output from the script is processed as if it
were part of the file.

Example 1 (Shell): To generate SMTP/ACCEPT rules from zones a b c d
and e to the firewall:

Either:

BEGIN SHELL
for z in a b c d e; do
echo SMTP/ACCEPT $z fw tcp 25
done
END SHELL

or

SHELL for z in a b c d e; do echo SMTP/ACCEPT $z fw tcp 25; done

Either is equivalent to:

SMTP/ACCEPT a fw tcp 25
SMTP/ACCEPT b fw tcp 25
SMTP/ACCEPT c fw tcp 25
SMTP/ACCEPT d fw tcp 25
SMTP/ACCEPT e fw tcp 25

With a Perl script, if you want to output text to be processed as
if it were part of the file, then pass the text to the shorewall()
function.

Example 2 (Perl): To generate SMTP/ACCEPT rules from zones a b c d
and e to the firewall:

BEGIN PERL
for ( qw/a b c d e/ ) {
shorewall "SMTP/ACCEPT $_ fw tcp 25";
}
END PERL

PERL scripts have access to any context accumulated in earlier PERL
scripts. All such embedded Perl, as well as conventional Perl
extension scripts are placed in the Shorewall::User package. That
way, your global variables and functions won't conflict with any of
Shorewall's.

To allow you to load Perl modules and initialize any global state,
a new 'compile' compile-time extension script has been added. It is
called early in the compilation process.

For additional information, see

- http://www.shorewall.net/configuration_file_basics.html#Embedded

3) To complement Embedded Perl scripts, Shorewall 4.0.6 allows Perl
scripts to create filter chains using
Shorewall::Chains::new_manual_chain() and then use the chain as a
target in subsequent entries in /etc/shorewall/rules.

See http://www.shorewall.net/ManualChains.html for information.

4) The 'hits' command now accepts a -t option which limits the report
to those log records generated today.

5) A DONT_LOAD option has been added to shorewall.conf. If there are
kernel modules that you don't wish to have loaded, you can list
them in this entry as a comma-separated list.

Example:

DONT_LOAD=nf_conntrack_sip,nf_nat_sip

6) Shorewall-perl now supports the --random option of the iptables
SNAT, MASQUERADE, DNAT and REDIRECT targets. Please note that
iptables support for this option is currently broken for the DNAT
and REDIRECT targets; I've sent a patch to the Netfilter team.

For MASQUERADE, simply place the word 'random' in the ADDRESS
column. This causes Netfilter to randomize the source port seen by
the remote host.

Example:

#INTERFACE SOURCE ADDRESS
eth0 eth1 random

For SNAT, follow the port list by ":random".

Example:

#INTERFACE SOURCE ADDRESS
eth0 eth1 206.124.146.179:10000-10999:random

For DNAT, follow the port list by ":random".

Example:

#ACTION SOURCE DEST PROTO DEST
# PORT(S)
DNAT net loc:192.168.1.4:40-50:random tcp 22

For REDIRECT, you must use the fully-qualified form of the DEST:

#ACTION SOURCE DEST PROTO DEST
# PORT(S)
REDIRECT net $FW::40-50:random tcp 22

Note that ':random' is only effective with SNAT, DNAT and REDIRECT
when a port range is specified in the ADDRESS/DEST column. It is
ignored by iptables/iptables-restore otherwise.
-
-

2007-10-22 Shorewall 4.0.5

-
Problems corrected in Shorewall 4.0.5.

1) Previously, Shorewall-perl misprocessed $FW::<port> in the DEST
column of a REDIRECT rule, generating an error. '$FW::<port>' now
produces the same effect as '<port>'.

2) If the PROTOCOL (PROTO) column contained 'TCP' or 'UDP' and SOURCE
PORT(S) or DEST PORT(S) were given, then Shorewall-perl rejected
the entry with the error:

ERROR: SOURCE/DEST PORT(S) not allowed with PROTO TCP : /etc/shorewall/rules

The rule was accepted if 'tcp' or 'udp' was used instead.

3) Shorewall-shell now removes any default bindings of ipsets before
attempting to reload them. Previously, default bindings were not
removed with the result that the ipsets could not be destroyed.

Other changes in Shorewall 4.0.5.

1) Two new options have been added to /etc/shorewall/hosts
(Shorewall-perl only).

broadcast: Permits limited broadcast (destination 255.255.255.255)
to the zone.

destonly: Normally used with the Multi-cast range. Specifies that
traffic will be sent to the specified net(s) but that
no traffic will be received from the net(s).

Example:

wifi eth1:192.168.3.0/24 broadcast
wifi eth1:224.0.0.0/4 destonly

In that example, limited broadcasts from the firewall with a source
IP in the 192.168.3.0/24 range will be acccepted as will multicasts
(with any source address).

2) A MULTICAST option has been added to shorewall.conf. This option
will normally be set to 'No' (the default). It should be set to
'Yes' under the following circumstances:

a) You have an interface that has parallel zones defined via
/etc/shorewall/hosts.
b) You want to forward multicast packets to two or more of those
parallel zones.

In such cases, you will configure a 'destonly' network on each
zone receiving multicasts.

The MULTICAST option is only recognized by Shorewall-perl and is
ignored by Shorewall-shell.

3) As announced in the Shorewall 4.0.4 release notes, Shorewall-perl
no longer supports the 'detectnets' option. Specifying that option
now results in the following message:

WARNING: Support for the 'detectnets' option has been removed

It is suggested that 'detectnets' be replaced by
'routefilter,logmartians'. That will produce the same filtering
effect as 'detectnets' while eliminating 1-2 rules per connection.

One user has asked how to retain the output of 'shorewall show
zones' if the 'detectnets' option is removed. While I don't advise
doing so, you can reproduce the current 'shorewall show' behavior
as follows.

Suppose that you have a zone named 'wifi' that produces the
following output with 'detectnets':

wifi (ipv4)
eth1:192.168.3.0/24

You can reproduce this behavior as follows:

/etc/shorewall/interfaces:

- eth1 detect ...

/etc/shorewall/hosts:

wifi eth1:192.168.3.0/24 broadcast

If you send multicast to the 'wifi' zone, you also need this entry
in your hosts file:

wifi eth1:224.0.0.0/4 destonly

4) (Shorewall-perl only) The server port in a DNAT or REDIRECT rule
may now be specified as a service name from
/etc/services. Additionally:

a) A port-range may be specified as the service port expressed in
the format <low port>-<high port>. Connections are assigned to
server ports in round-robin fashion.

b) The compiler only permits a server port to be specified if the
protocol is tcp or udp.

c) The compiler ensures that the server IP address is valid (note
that it is still not permitted to specify the server address as a
DNS name).

5) (Shorewall-perl only) Users are complaining that when they migrate
to Shorewall-perl, they have to restrict their port lists to 15
ports. In this release, we relax that restriction on destination
port lists. Since the SOURCE PORT(s) column in the configuration
files is rarely used, we have no plans to relax the restriction in
that column.

6) There have been several cases where iptables-restore has failed
while executing a COMMIT command in the .iptables_restore_input
file. This gives neither the user nor Shorewall support much to go
on when analyzing the problem. As a new debugging aid, the meaning
of 'trace' and 'debug' have been changed.

Traditionally, /sbin/shorewall and /sbin/shorewall-lite have
allowed either 'trace' or 'debug' as the first run-line
parameter. Prior to 4.0.5, the two words produced the same effect.

Beginning with Shorewall 4.0.5, the two words have different
effects when Shorewall-perl is used.

trace - Like the previous behavior.

In the Shorewall-perl compiler, generate a stack trace
on WARNING and ERROR messages.

In the generated script, sets the shell's -x option to
trace execution of the script.

debug - Ignored by the Shorewall-perl compiler.

In the generated script, causes the commands in
.iptables_restore_input to be executed as discrete iptables
commands. The failing command can thus be identified and a
diagnosis of the cause can be made.

Users of Shorewall-lite will see the following change when using a
script that was compiled with Shorewall-perl 4.0.5 or later.

trace - In the generated script, sets the shell's -x option to
trace execution of the script.

debug - In the generated script, causes the commands in
.iptables_restore_input to be executed as discrete iptables
commands. The failing command can thus be identified and a
diagnosis of the cause can be made.

In all other cases, 'debug' and 'trace' remain synonymous. In
particular, users of Shorewall-shell will see no change in
behavior.

WARNING: The 'debug' feature in Shorewall-perl is strictly for
problem analysis. When 'debug' is used:

a) The firewall is made 'wide open' before the rules are applied.
b) The routestopped file is not consulted and the rules are applied
in the canonical iptables-restore order (ASCIIbetical by chain).
So if you need critical hosts to be always available during
start/restart, you may not be able to use 'debug'.

7) /usr/share/shorewall-perl/buildports.pl,
/usr/share/shorewall-perl/FallbackPorts.pm and
/usr/share/shorewall-perl/Shorewall/Ports.pm have been removed.

Shorewall now resolves protocol and port names as using Perl's
interface to the the standard C library APIs getprotobyname() and
getservbyname().

Note 1:

The protocol names 'tcp', 'TCP', 'udp', 'UDP', 'all', 'ALL',
'icmp' and 'ICMP' are still resolved by Shorewall-perl
itself.

Note 2:

Those of you running Shorewall-perl under Cygwin may wish to
install "real" /etc/protocols and /etc/services files
in place of the symbolic links installed by Cygwin.

8) The contents of the Shorewall::*::$VERSION variables are now a
only of interest for Perl programs that are using the modules and
specifying a minimum version (e.g., "use Shorewall::Config
4.0.5;"). Each module continues to carry a separate version which
indicates the release of Shorewall-perl when the module was last
modified
-
-

2007-10-02 Shorewall 3.4.7

-
Problems Corrected in Shorewall 3.4.7

1) A bug prevented proper handling of PREROUTING marks when
HIGH_ROUTE_MARKS=No and the track option was specified in
/etc/shorewall/providers.

2) Previously, if the following sequence of routing rules was
specified, then the first rule would always be omitted.

#SOURCE DEST PROVIDER PRIORITY
$SRC_A $DESTIP1 ISP1 1000
$SRC_A $DESTIP2 SOMEISP 1000
$SRC_A - ISP2 1000

The reason for this omission was that Shorewall uses a
delete-before-add approach and attempting to delete the third rule
resulted in the deletion of the first one instead.

This problem occurred with both compilers.

3) When using Shorewall-shell, provider numbers were not recognized in
the PROVIDER column of /etc/shorewall/route_rules.
-
-

2007-09-28 Shorewall 4.0.4

-
Problems Corrected in Shorewall 4.0.4

1) If no interface had the 'blacklist' option, then when using
Shorewall-perl, the 'start' and 'restart' command failed:

ERROR: No filter chain found with name blacklst

New Shorewall-perl 4.0.3 packages were released that corrected this
problem; it is included here for completeness.

2) If no interface had the 'blacklist' option, then when using
Shorewall-perl, the generated script would issue this harmless
message during 'shorewall refresh':

chainlist_reload: Not found

3) If /bin/sh was a light-weight shell such as ash or dash, then
'shorewall refresh' failed.

4) During start/restart, the script generated by Shorewall-perl was
clearing the proxy_arp flag on all interfaces; that is not the
documented behavior.

5) If the module-init-tools package was not installed and
/etc/shorewall/modules did not exist or was non-empty, then
Shorewall-perl would fail with the message:

ERROR: Can't run lsmod : /etc/shorewall/modules (line 0)

6) Shorewall-perl now makes a compile-time check to insure that
iptables-restore exists and is executable. This check is made when
the compiler is being run by root and the -e option is not
given.

Note that iptables-restore must reside in the same directory as the
iptables executable specified by IPTABLES in shorewall.conf or
located by the PATH in the event that IPTABLES is not specified.

7) When using Shorewall-perl, if an action was invoked with more than
10 different combinations of log-levels/tags, some of those
invocations would have incorrect logging.

8) Previously, when 'shorewall restore' was executed, the
iptables-restore utility was always located using the PATH setting
rather than the IPTABLES setting.

With Shorewall-perl, the IPTABLES setting is now used to locate
this utility during 'restore' as it is during the processing of
other commands.

9) Although the shorewall.conf manpage indicates that the value
'internal' is allowed for TC_ENABLED, that value was previously
rejected ('Internal' was accepted).

10) The meaning of the 'loose' provider option was accidentally reversed
in Shorewall-perl. Rather than causing certain routing rules to be
omitted when specified, it actually caused them to be added (these
rules were omitted when the option was NOT specified).

11) If the 'bridge' option was specified on an interface but there were
no bport zones, then traffic originating on the firewall was not
passed through the accounting chain.

12) In commands such as:

shorewall compile <directory>
shorewall restart <directory>
shorewall check <directory>

if the name of the <directory> contained a period ("."), then
Shorewall-perl would incorrectly substitute the current working
directory for the name.

13) Previously, if the following sequence of routing rules was
specified, then the first rule would always be omitted.

#SOURCE DEST PROVIDER PRIORITY
$SRC_A $DESTIP1 ISP1 1000
$SRC_A $DESTIP2 SOMEISP 1000
$SRC_A - ISP2 1000

The reason for this omission was that Shorewall uses a
delete-before-add approach and attempting to delete the third rule
resulted in the deletion of the first one instead.

This problem occurred with both compilers.

14) When using Shorewall-shell, provider numbers were not recognized in
the PROVIDER column of /etc/shorewall/route_rules.

15) An off-by-one problem in Shorewall-perl caused the value 255 to be
rejected in the MARK column of /etc/shorewall/tcclasses.

16) When HIGH_ROUTE_MARKS=Yes, marks with values > 255 must be a
multiple of 256. That restriction was being enforced by
Shorewall-shell but not by Shorewall-perl. Shorewall-perl now also
enforces this restriction.

17) Using REDIRECT with a parameterized macro (e.g., DNS/REDIRECT)
failed with an "Unknown interface" error when using Shorewall-perl.

Other Changes in Shorewall 4.0.4

1) The detection of 'Repeat Match' has been improved. 'Repeat Match'
is not a match at all but rather is a feature of recent versions of
iptables that allows a particular match to be used multiple times
within a single rule.

Example:

-A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ...

When using Shorewall-shell, the availability of 'Repeat Match' can
speed up compilation very slightly.

2) Apparently recent Fedora releases are broken. The
following sequence of commands demonstrates the problem:

ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main
ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000

The third command should fail but doesn't; instead, it incorrectly
removes the rule added by the first command.
To work around this issue, you can set DELETE_THEN_ADD=No in
shorewall.conf which prevents Shorewall from deleting ip rules
before attempting to add a similar rule.

3) When using Shorewall-perl, the following message is now issued if
the 'detectnets' option is specified in /etc/shorewall/interfaces:

WARNING: Support for the 'detectnets' option will be removed from
Shorewall-perl in version 4.0.5; better to use 'routefilter' and
'logmartians

The 'detect' options has always been rather silly. On input, it
duplicates the function of 'routefilter'. On output, it is a no-op
since traffic that doesn't match a route out of an interface won't
be sent through that interface (duh!).

Beginning with Shorewall 4.0.5, the warning message will read:

WARNING: Support for the 'detectnets' option has been removed
-
-

2007-09-01 Shorewall 4.0.3

-
Problems Corrected in 4.0.3

1) Using the LOG target in the rules file could result in two LOG
rules being generated by Shorewall-shell. Additionally, using an IP
address range in a rule that performed logging could result in an
invalid iptables command.

2) Shorewall now loads the act_police kernel module needed by traffic
shaping.

3) Previously, "shorewall show -f capabilities" and "shorecap" omitted
the "TCPMSS Match" capability. This made it appear to a compiler
using a capabilities file that the TCPMSS Match capability was not
available.

4) Previously, Shorewall would truncate long log prefixes to 29
characters. This resulted in there being no space between the log
prefix and the IN= part of the message.

Example: fw2net:LOG:HTTPSoutIN= OUT=eth0

Beginning with this release, Shorewall will truncate the prefix to
28 bytes and add a trailing space.

Example: fw2net:LOG:HTTPSou IN= OUT=eth0

5) Previously, if:

- FASTACCEPT=No
- The policy from Z1 to Z2 was CONTINUE
- Neither Z1 nor Z2 had parent zones
- There were no Z1->Z2 rules

then connections from Z2->Z1 would fail even if there were
rules/policies allowing them. This has been
corrected.

6) The 'shorewall add' and 'shorewall delete' command would fail when:

- The running configuration was compiled with Shorewall-perl.
- The name of the interface specified in the command contained an
embedded special character such as '.' or '-'.

This problem was the result of the change in Shorewall 4.0.2 that
removed the legacy mapping of interface names when embedding such
names in a Netfilter chain name. To correct the problem, the
pre-4.0.2 name mapping is restored when DYNAMIC_ZONES=Yes.

5) A bug in Shorewall-shell prevented proper handling of PREROUTING
marks when HIGH_ROUTE_MARKS=No and the track option was specified
in /etc/shorewall/providers.

6) With Shorewall-perl, if EXPORTPARAMS=Yes then INCLUDE directives in
the params file would fail at script execution time with "INCLUDE:
not found". This has been corrected.

7) Shorewall-perl was mis-sorting the zone list when zones were nested
more than one deep.

8) Stale references to http://www.shorewall.net/Documentation.htm have
been removed from the config files (including samples). That URL
has been replaced by the online manpages.

Other Changes in 4.0.3

1) A script generated by Shorewall-perl now tries to modify/restore
/etc/iproute2/rt_tables only if the file is writable. This prevents
run-time errors when /etc is mounted read-only.

A new KEEP_RT_TABLES option has been added to shorewall.conf. When
set to Yes, this option prevents Shorewall from altering the
/etc/iproute2/rt_tables database. The KEEP_RT_TABLES option is only
recognized by Shorewall-perl and is ignored by Shorewall-shell.

2) Shorewall-perl now requires the FindBin Perl module.

3) When an optional provider is not available, a script generated by
Shorewall-perl will no longer add the corresponding
routing rules.

4) A new 'isusable' extension script has been added. This script
allows you to extend the availability test that Shorewall performs
on optional providers.

Here's an example that uses ping to ensure that the default
gateways through eth0 and eth1 are reachable:

case $1 in
eth0)
ping -c 4 -I eth0 206.124.146.254 > /dev/null 2>&1
return
;;
eth1)
ping -c 4 -I eth1 192.168.12.254 > /dev/null 2>&1
return
;;
*)
# Assume we don't need to do any additional testing
# for this interface beyond Shorewall's
return 0
;;
esac

Additional information is available at
http://www.shorewall.net/shorewall_extension_scripts.htm.

5) Processing of the message log in the 'show log', 'logwatch' and
'dump' commands has been speeded up thanks to a suggestion by
Andrew Suffield.

6) Beginning with Shorewall 4.0, the shorewall 'stop', and 'clear'
commands were processed by the generated script from the
last successful 'start', 'restart' or 'refresh' command. This had
the side effect that updates to the /etc/shorewall/routestopped
file did not take effect until one of those three commands was
successfully processed.

Beginning with Shorewall 4.0.3, the old 3.x behavior is restored as
the default and the 4.0 behavior is enabled using the '-f' command
option.

Example: shorewall stop -f

is only recognized by Shorewall-perl and causes Shorewall to set
the MSS field in forwarded TCP SYN packets going in or out the
interface to the value that you specify.

Example:

#ZONE INTERFACE BROADCAST OPTIONS
vpn ppp0 - mss=1400

The mss option only affects incoming traffic that has not been
decrypted by IPSEC and outgoing traffic that will not subsequently
be encrypted by IPSEC. The MSS for IPSEC traffic is managed by the
'mss' option in /etc/shorewall/zones.

8) Shorewall now detects the presence of the 'hashlimit match'
capability. There is no builtin support yet for hashlimit but
detection allows extension scripts for user-supplied actions to
determine if the capability exists.

With Shorewall-shell, $HASHLIMIT_MATCH will be non-empty if the
capability exists.

With Shorewall-perl, $capabilities{HASHLIMIT_MATCH} will be true in
a boolean context if the capability exists. Shorewall-perl users
may also code the following in their extension script:

use Shorewall::Config;

require_capability( 'HASHLIMIT_MATCH', #Capability
'My hashlimit action' , #Feature requiring
#capability
's' ); #Feature is singular
#(if plural, pass the
empty string)

That call would procduce the following fatal error if the
capability isn't available:

ERROR: My hashlimit action requires the Hashlimit match capability
in your kernel and iptables

9) NFQUEUE support has been added to Shorewall-perl.

NFQUEUE may appear in actions, macros, rules and as a policy.
When NFQUEUE is used by itself, queue number zero is assumed. To
specify a queue number, follow NFQUEUE by a slash ("/") and the
queue number.

Examples (/etc/shorewall/rules):

NFQUEUE loc net tcp #Queue number 0
NFQUEUE/22 loc net udp #Queue number 22
NFQUEUE/22:info loc net gre #With logging

An NFQUEUE_DEFAULT option has been added to shorewall.conf for
specifying the default action to use with NFQUEUE policies.

Use of NFQUEUE requires the NFQUEUE Target capability in your
kernel/iptables. If you intend to use NFQUEUE with Shorewall-lite,
then you must install Shorewall-lite 4.0.3 in order to build a
capabilities file that includes NFQUEUE Target. If your
capabilities file was generated by a Shorewall/Shorewall-lite
version earlier that 4.0.3, you will receive a warning during
compilation.

10) The 'refresh' command can now refresh chains other than 'blacklst'.

The syntax of the command is now:

shorewall refresh [ <chain> ... ]

If no <chain> is given then 'blacklst' is assumed. Otherwise, the
Shorewall-perl compiler compiles a script whose 'refresh' command
refreshes the listed <chain>(s).

The listed chains are assumed to be in the filter table. You can
refresh chains in other tables by prefixing the chain name with the
table name followed by ":" (e.g., nat:net_dnat). Chain names which
follow are assumed to be in that table until the end of the list or
until an entry in the list names another table.

This feature requires Shorewall-perl 4.0.3 as well as
Shorewall-common 4.0.3.
-
-

2007-08-19 Shorewall 3.4.6

-
Problems Corrected in 3.4.6.

1) If the "Mangle FORWARD Chain" capability was supported, entries in
the /etc/shorewall/ecn file would cause invalid iptables
commands to be generated.

2) Certain errors occurring during
start/restart/safe-start/safe-restart/try processing could cause
the lockfile to be left behind. This resulted in a 60-second delay
the next time one of these commands was run.

3) It was not previously possible to define traffic shaping on a
bridge port; the generated script complained that the
interface was not up and configured.

4) Previously, using a port list in the DEST PORT(S) column of the
rules file or in an action file caused an invalid iptables command
to be generated.

5) Using the LOG target in the rules file could result in two LOG
rules being generated. Additionally, using an IP address range in a
rule that performed logging could result in an invalid iptables
command.

6) Shorewall now loads the act_police kernel module needed by traffic
shaping.

7) Previously, "shorewall show -f capabilities" and "shorecap" omitted
the "TCPMSS Match" capability. This made it appear to a compiler
using a capabilities file that the TCPMSS Match capability was not
available.

8) Previously, Shorewall would truncate long log prefixes to 29
characters. This resulted in there being no space between the log
prefix and the IN= part of the message.

Example: fw2net:LOG:HTTPSoutIN= OUT=eth0

Beginning with this release, Shorewall will truncate the prefix to
28 bytes and add a trailing space.

Example: fw2net:LOG:HTTPSou IN= OUT=eth0

9) Previously, if:

- FASTACCEPT=No
- The policy from Z1 to Z2 was CONTINUE
- Z1 and Z2 were orphans (neither had parent zones)
- There were no Z1->Z2 rules

then connections from Z2->Z1 would fail even if there were
rules/policies allowing them. This has been
corrected.

Other changes in 3.4.6.

1) Processing of the message log in the 'show log', 'logwatch' and
'dump' commands has been speeded up thanks to a suggestion by
Andrew Suffield.
-
-

2007-08-10 Shorewall 4.0.2

-
Problems corrected in 4.0.2

1) The Shorewall-perl compiler was still generating invalid
iptables-restore input from entries in /etc/shorewall/ecn.

2) When using Shorewall-perl, unless an interface was specified as
'optional' in the interfaces file, the 'restore' command would
fail if the routes through the interface or the addresses on the
interface could not be detected.

Route detection occurs when the interface is named in the SOURCE
column of the masq file. Address detection occurs when
DETECT_DNAT_IPADDRS=Yes and the interface is the SOURCE for a DNAT
or REDIRECT rule or when 'maclist' is specified for the interface.

Since the 'restore' command doesn't use the detected information,
detection is now skipped if the command is 'restore'.

3) It was not previously possible to define traffic shaping on a
bridge port; the generated script complained that the
interface was not up and configured.

4) When Shorewall-shell was not installed, certain options in
/etc/shorewall/interfaces and /etc/shorewall/hosts would cause the
'add' and 'delete' commands to fail with a missing library error.

OPTION FILE
maclist interfaces,hosts
proxyarp interfaces

5) The /var/lib/shorewall/zones file was being overwritten during
processing of the 'refresh' command by a script generated with
Shorewall-perl. The result was that hosts previously added to
dynamic zones could not be deleted after the 'refresh'.

6) If the file named as the output file in a Shorewall-perl 'compile'
command was a symbolic link, the generated error message
erroneously stated that the file's parent directory was a symbolic
link.

As part of this change, cosmetic changes were made to a number of
other error messages.

7) Some intra-zone rules were missing when a zone involved multiple
interfaces or when a zone included both IPSEC and non-IPSEC
networks.

8) Shorewall was not previously loading the xt_multiport kernel
module.

9) The Russian and French translations no longer have English headings
on notes, cautions, etc..

10) Previously, using a port list in the DEST PORT(S) column of the
rules file or in an action file could cause an invalid iptables
command to be generated by Shorewall-shell.

11) If there were no bridges in a configuration, Shorewall-perl would
ignore the CHAIN column in /etc/shorewall/accounting.

Other changes in 4.0.2

1) Shorewall-perl now detects when a port range is included in a list
of ports and iptables/kernel support for Extended Multi-port Match
is not available. This avoids an iptables-restore failure at
run-time.

2) Most chains created by Shorewall-shell have names that can be
embedded within shell variable names. This is a workaround for
limitations in the shell programming language which has no
equivalent to Perl hashes. Often chain names must have the name of
a network interface encoded in them. Given that interface names can
contain characters that are invalid in a shell variable name,
Shorewall-shell performs a name mapping which was carried forward to
Shorewall-perl:

- Trailing '+' is dropped.
- The characters ".", "-", "%' and "@" are translated to "_".

This mapping has been elminated in the 4.0.2 release of Shorewall-
perl. So where before you would see chain "eth0_0_in", you may now
see the same chain named "eth0.0_in". Similarly, a chain previously
named "ppp_fwd" may now be called "ppp+_fwd".

3) Shorewall-perl now uses the contents of the BROADCAST column in
/etc/shorewall/interfaces when the Address Type match capability is
not available.
-
-

2007-07-30 Shorewall 4.0.1

-
Problems corrected in 4.0.1.

1) The Shorewall Lite installer was producing an empty shorewall-lite
manpage. Since the installer runs as part of creating the RPM, the
RPM also suffered from this problem. The 4.0.0 Shorewall-lite
packages were re-uploaded with this problem corrected.

2) The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall
rather than /sbin/shorewall-lite.

3) Both the Shorewall and Shorewall Lite uninstallers did a "shorewall
clear" if Shorewall [Lite] was running. Now, the Shorewall Lite
uninstaller correctly does "shorewall-lite clear" and both
uninstallers only perform the 'clear' operation if the other
product is not installed. This prevents the removal of one of the
two products from clearing the firewall configuration established
by the other one.

4) The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by
Shorewall-perl. If the zone type was changed to 'ipsec' or
'ipsec4' and the 'ipsec' option removed from the hosts file entry,
the configuration worked properly.

5) If a CLASSID was specified in a tcrule and TC_ENABLED=No, then
Shorewall-perl produced the following:

Compiling...
Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18.
ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18)

6) If IPTABLES was not specified in shorewall.conf, Shorewall-perl was
locating the binary using the PATH environmental variable rather
than the PATH setting in shorewall.conf. If no PATH was available
when Shorewall-perl was run and IPTABLES was not set in
shorewall.conf, the following messages were issued:

Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054.
ERROR: Can't find iptables executable
ERROR: Shorewall restart failed

7) If the "Mangle FORWARD Chain" capability was supported, entries in
the /etc/shorewall/ecn file would cause invalid iptables commands
to be generated. This problem occurred with both compilers.

8) Shorewall now starts at reboot after an upgrade from shorewall <
4.0.0. Previously, Shorewall was not started automatically at
reboot after an upgrade using the RPMs.

9) Shorewall-perl was generating invalid iptables-restore input when a
log level was specified with the dropBcast and allowBcast builtin
actions and when a log level followed by '!' was used with any
builtin actions.

10) Shorewall-perl was incorrectly rejecting 'min' as a valid unit of
time in rate-limiting specifications.

11) Certain errors occurring during
start/restart/safe-start/safe-restart/try processing could cause
the lockfile to be left behind. This resulted in a 60-second delay
the next time one of these commands was run.

Other changes in Shorewall 4.0.1.

1) A new EXPAND_POLICIES option is added to shorewall.conf. The
option is recognized by Shorewall-perl and is ignored by
Shorewall-shell.

Normally, when the SOURCE or DEST columns in shorewall-policy(5)
contains 'all', a single policy chain is created and the policy is
enforced in that chain. For example, if the policy entry is

#SOURCE DEST POLICY LOG
# LEVEL
net all DROP info

then the chain name is 'net2all' which is also the chain named in
Shorewall log messages generated as a result of the policy. If
EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate
chain for each pair of zones covered by the policy. This makes the
resulting log messages easier to interpret since the chain in the
messages will have a name of the form 'a2b' where 'a' is the SOURCE
zone and 'b' is the DEST zone. See
http://linuxman.wikispaces.com/PPPPPPS for more information.

2) The Shorewall-perl dependency on the "Address Type Match"
capability has been relaxed. This allows Shorewall 4.0.1 to be used
on releases like RHEL4 that don't support that capability.

3) Shorewall-perl now detects dead policy file entries that result
when an entry is masked by an earlier entry. Example:

all all REJECT info
loc net ACCEPT

4) Recent kernels are apparently hard to configure and we have been
seeing a lot of problem reports where the root cause is the lack of
state match support in the kernel. This problem is difficult to
diagnose when using Shorewall-perl so the generated shell program
now checks specifically for this problem and terminates with an
error if the capability doesn't exist.
-
-

2007-07-20 Shorewall 4.0.0

-
----------------------------------------------------------------------------
R E L E A S E H I G H L I G H T S
----------------------------------------------------------------------------
1) This is the first Shorewall release that fully integrates the new
Shorewall-perl compiler. See the "New Features" section below.

2) You are now offered a choice as to which compiler(s) you install. In
4.0.0, there are the following packages:

- Shorewall-common ( common files )
- Shorewall-shell ( the shell-based compiler )
- Shorewall-perl (the Perl-based compiler )

You must install at least one of the compiler packages (you may
install them both) along with Shorewall-common.

YOU DO NOT NEED TO UNINSTALL ANY OF YOUR CURRENT PACKAGES.

See the Migration Considerations below for further information.

3) The facilities for supporting bridge/firewalls under earlier
releases are deprecated and their documentation is omitted from the
4.0 distribution. New bridge support is implemented in the
Shorewall-perl compiler. This support utilizes the reduced-function
physdev match support available in Linux kernel 2.6.20 and later.

Problems corrected in 4.0.0 Final.

1) The shorewall-lite install.sh may now be run multiple times from
the same directory. Previously, the manpages were gzipped in-place
which made it impossible to rerun the script.

2) If shorewall.conf contained SHOREWALL_COMPILER=shell (which it can
on Shorewall 3.4.2-4 systems) and the shorewall-shell RPM was
removed, subsequent "shorewall [re]start" operations failed. When
shorewall-shell is removed, the shorewall.conf file is modified to
specify SHOREWALL_COMPILER= and the original is saved in
shorewall.conf.rpmsave.

3) The contents of the LOG LEVEL column in /etc/shorewall/policy are
now validated at compile time by Shorewall-perl.

Other changes in Shorewall 4.0.0 Final.

1) The Perl modules in /usr/share/shorewall-perl/Shorewall/ have been
consolidated somewhat, leading to slightly faster compilation.

Migration Considerations:

1) Beginning with Shorewall 4.0.0, there is no single 'shorewall'
package. Rather there are two compiler packages (shorewall-shell
and shorewall-perl) and a set of base files (shorewall-common)
which are required by either compiler package.

Although the names of the packages are changing, you can upgrade
without having to uninstall/reinstall.

To repeat: YOU DO NOT NEED TO UNINSTALL ANY EXISTING PACKAGE.

If you attempt to upgrade using the shorewall-common RPM, you get
this result:
gateway:~ # rpm -Uvh shorewall-common-4.0.0.noarch.rpm
error: Failed dependencies:
shorewall_compiler is needed by shorewall-common-4.0.0-1.noarch
gateway:~ #

You must either:

rpm -Uvh shorewall-shell-4.0.0.noarch.rpm \
shorewall-common-4.0.0.noarch.rpm

or

rpm -Uvh shorewall-shell-4.0.0.noarch.rpm \
shorewall-perl-4.0.0.noarch.rpm \
shorewall-common-4.0.0.noarch.rpm

If you don't want to use shorewall-perl exclusively then use the
second command above then

rpm -e shorewall-shell

If you are upgrading using the tarball, you must install
shorewall-shell and/or shorewall-perl before you upgrade
using shorewall-common. Otherwise, the install.sh script fails with:

ERROR: No Shorewall compiler is installed

The shorewall-shell and shorewall-perl packages are installed from
the tarball in the expected way; untar the package, and run the
install.sh script.

Example 1: You have 'shorewall' installed and you want to continue
to use the shorewall-shell compiler.

tar -jxf shorewall-common-4.0.0.tar.bz2
tar -jxf shorewall-shell-4.0.0.tar.bz2

cd shorewall-shell-4.0.0
./install.sh
cd ../shorewall-common-4.0.0
./install.sh
shorewall check
shorewall restart

Example 2: You have shorewall 3.4.4 and shorewall-perl 4.0.0-Beta7
installed and you want to upgrade to 4.0. You do not need the
shell-based compiler.

tar -jxf shorewall-common-4.0.0.tar.bz2
tar -jxf shorewall-perl-4.0.0.tar.bz2

cd shorewall-perl-4.0.0
./install.sh
cd ../shorewall-common-4.0.0
./install.sh
shorewall check
shorewall restart

Be sure to modify shorewall.conf if it still has
SHOREWALL_COMPILER=shell.

2) The ROUTE_FILTER and LOG_MARTIANS options in shorewall.conf work
slightly differently in Shorewall 4.0.0. In prior releases, leaving
these options empty was equivalent to setting them to 'No' which
caused the corresponding flag in /proc to be reset for all
interfaces. Beginning in Shorewall 4.0.0, leaving these options
empty causes Shorewall to leave the flags in /proc as they are. You
must set the option to 'No' in order to obtain the old behavior.

3) The -f option is no longer the default when Shorewall is started at
boot time (usually via /etc/init.d/shorewall). With Shorewall-perl,
"shorewall start" is nearly as fast as "shorewall restore" and
"shorewall start" uses the current configuration which avoids
confusion.

If you plan on continuing to use Shorewall-shell and you want to
use the "-f" option at boot time, then you must add the following
to /etc/sysconfig/shorewall or /etc/default/shorewall:

OPTIONS="-f"

If you currently have neither of those files, you will need to
create one of them.

4) This issue will only affect you if you use Shorewall Lite and have
modified /usr/share/configpath to specify a different LITEDIR.

The implementation of LITEDIR has always been
unsatisfactory. Furthermore, there have been other cases where
people have asked to be able to designate the state directory
(default /var/lib/shorewall[-lite]).

To meet these objectives:

a) The LITEDIR variable has been eliminated in
/usr/share/shorewall[-lite]/configpath.

b) A new file /etc/shorewall[-lite]/vardir has been added. This
file is not created by default but may be added as needed. It
is expected to contain a single variable assignment:

VARDIR=<directory>

Example:

VARDIR=/root/shorewall

To change VARDIR, copy the old directory to the new one before you
restart Shorewall[-lite].

To use this feature with Shorewall-lite, all packages involved
(compiler, shorewall-common and shorewall-lite) must be version
4.0.0-RC2 or later.

----------------------------------------------------------------------------
N E W F E A T U R E S
----------------------------------------------------------------------------
1) Shorewall-perl

This Shorewall package includes a complete rewrite of the compiler
in Perl.

I decided to make Shorewall-perl a separate package for several reasons:

a) Embedded applications are unlikely to adopt Shorewall-perl; even
Mini-Perl has a substantial disk and RAM footprint.

b) Because of the gross incompatibilities between the new compiler and the
old (see below), migration to the new compiler must be voluntary.
------------------------------------------------------------------------
T H E G O O D N E W S:
------------------------------------------------------------------------
a) The compiler has a small disk footprint.
b) The compiler is very fast.
c) The compiler generates a firewall script that uses iptables-restore;
so the script is very fast.
d) The new compiler does a much better job of validating the
configuration and catches many errors that resulted in run-time
failures with the old compiler.
e) Use of the Shorewall-perl is optional! The old slow clunky
Bourne-shell compiler is still available.
------------------------------------------------------------------------
T H E B A D N E W S:
------------------------------------------------------------------------
There are a number of incompatibilities between the Perl-based compiler
and the Bourne-shell one.

a) The Perl-based compiler requires the following capabilities in your
kernel and iptables.

- addrtype match
- multiport match

These capabilities are in current distributions.

b) Now that Netfilter has features to deal reasonably with port lists,
I see no reason to duplicate those features in Shorewall. The
Bourne-shell compiler goes to great pain (in some cases) to
break very long port lists ( > 15 where port ranges in lists
count as two ports) into individual rules. In the new compiler, I'm
avoiding the ugliness required to do that. The new compiler just
generates an error if your list is too long. It will also produce
an error if you insert a port range into a port list and you don't
have extended multiport support.

c) The old BRIDGING=Yes support has been replaced by new bridge
support that uses the reduced 'physdev match' capabilities found
in kernel 2.6.20 and later. This new implementation may be used
where it is desired to control traffic through a bridge.

The new implementation includes the following features:

a) A new "Bridge Port" zone type is defined. Specify 'bport' or
'bport4' in the TYPE column of /etc/shorewall/zones.

Bridge Port zones should be a sub-zone of a regular ipv4 zone
that represents all hosts attached to the bridge.

b) A new 'bridge' option is defined for entries in
/etc/shorewall/interfaces. Bridges should have this option
specified, even if you don't want to filter traffic going
through the bridge.

c) Bridge ports must now be defined in
/etc/shorewall/interfaces. The INTERFACE column contains
both the bridge name and the port name separated by a colon
(e.g., "br0:eth1"). No OPTIONS are allowed for bridge
ports. The bridge must be defined before its ports and must
have the 'bridge' option.

Bridge Port (BP) zones have a number of limitations:

a) Each BP zone may only be associated with ports on a single
bridge.

b) BP zones may not be associated with interfaces that are not
bridge ports.

c) You may not have policies or rules where the DEST is a BP
zone but the source is not a BP zone. If you need such
rules, you must use the BP zone's parent zone as the DEST
zone.

Example (Bridge br0 with ports eth1 and tap0):

/etc/shorewall/zones:

fw firewall
net ipv4
loc ipv4
lan:loc bport
vpn:loc bport

/etc/shorewall/interfaces:

net eth0 - ...
loc br0 - ...
lan eth1
vpn tap0

When using the /etc/shorewall/hosts file to define a bport4
zone, you specify only the port name:

Example:

/etc/shorewall/zones:

fw firewall
net ipv4
loc ipv4
lan:loc bport
vpn:loc bport

/etc/shorewall/hosts

lan eth1:192.168.2.0/24 ...

The structure of the accounting rules changes slightly when
there are bridges defined in the Shorewall
configuration. Because of the restrictions imposed by Netfilter
in kernel 2.6.21 and later, output accounting rules must be
segregated from forwarding and input rules.

To accomplish this separation, Shorewall-perl creates two
accounting chains:

- accounting - for input and forwarded traffic.
- accountout - for output traffic.

If the CHAIN column contains '-', then:

- If the SOURCE column in a rule includes the name of the
firewall zone (e.g., $FW), then the rule is add only
to the accountout chain.

- Otherwise, if the DEST in the rule is any or all or 0.0.0.0/0,
then the rule is added to both accounting and accountout.

- Otherwise, the rule is added to accounting only.

See http://www.shorewall.net/bridge-Shorewall-perl.html for
additional information about the new bridge support.

d) The BROADCAST column in the interfaces file is essentially unused;
if you enter anything in this column but '-' or 'detect', you will
receive a warning.

e) Because the compiler is written in Perl, some of your extension
scripts from earlier versions will no longer work because
Shorewall-perl runs those extension scripts at compile-time rather
than at run-time.

Compile-time scripts are:

initdone
maclog
All per-chain scripts including those associated with actions.

Compile-time extension scripts are executed using the Perl 'eval
`cat <file>`' mechanism. Be sure that each script returns a
'true' value; otherwise, the compiler will assume that the
script failed and will abort the compilation.

All scripts will need to begin with the following line:

use Shorewall::Chains;

For more complex scripts, you may need to 'use' other Shorewall
Perl modules -- browse /usr/share/shorewall-perl/Shorewall/ to
see what's available.

When a script is invoked, the $chainref scalar variable will hold a
reference to a chain table entry.

$chainref->{name} contains the name of the chain
$chainref->{table} holds the table name

To add a rule to the chain:

add_rule( $chainref, <the rule> );

Where

<the rule> is a scalar argument holding the rule text. Do
not include "-A <chain name>"

Example:

add_rule( $chainref, '-j ACCEPT' );

To insert a rule into the chain:

insert_rule( $chainref, <rulenum>, <the rule> );

The log_rule_limit function works like it does in the shell
compiler with two exceptions:

- You pass the chain reference rather than the name of
the chain.
- The commands are 'add' and 'insert' rather than '-A'
and '-I'.
- There is only a single "pass as-is to iptables"
argument (so you must quote that part).

Example:

log_rule_limit(
'info' ,
$chainref ,
$chainref->{name},
'DROP' ,
'', #Limit
'' , #Log tag
'add', #Command
'-p tcp' #Pass as-is
);

Note that in the 'initdone' script, there is no default chain
($chainref). You can objtain a reference to a standard chain by:

my $chainref = $chain_table{<table>}{<chain name>};

Example:

my $chainref = $chain_table{'filter'}{'INPUT'};

The continue script is eliminated. That script was designed to
allow you to add special rules during [re]start. Shorewall-perl
doesn't need such rules.

See http://www.shorewall.net/shorewall_extension_scripts.htm
for further information about extension scripts under
Shorewall-perl.

f) The 'refresh' command now works like 'restart' with the
following exceptions:

- The refresh command is rejected if Shorewall is not running.
- The refresh command only rebuilds the 'blacklst' chain.
- A directory name may not be specified in the refresh command.

g) The /etc/shorewall/tos file now has zone-independent SOURCE and
DEST columns as do all other files except the rules and policy
files.

The SOURCE column may be one of the following:

[all:]<address>[,...]
[all:]<interface>[:<address>[,...]]
$FW[:<address>[,...]]

The DEST column may be one of the following:

[all:]<address>[,...]
[all:]<interface>[:<address>[,...]]

This is a permanent change. The old zone-based rules have never
worked right and this is a good time to replace them. I've tried
to make the new syntax cover the most common cases without
requiring change to existing files. In particular, it will
handle the tos file released with Shorewall 1.4 and earlier.

h) Shorewall is now out of the ipset load/reload business. With
scripts generated by the Perl-based Compiler, the Netfilter
ruleset is never cleared. That means that there is no
opportunity for Shorewall to load/reload your ipsets since that
cannot be done while there are any current rules using ipsets.

So:

i) Your ipsets must be loaded before Shorewall starts. You
are free to try to do that with the following code in
/etc/shorewall/start:

if [ "$COMMAND" = start ]; then
ipset -U :all: :all:
ipset -F
ipset -X
ipset -R < /my/ipset/contents
fi

The file '/my/ipset/contents' (not its real name of
course) will normally be produced using the ipset -S
command.

The above will work most of the time but will fail in a
'shorewall stop' - 'shorewall start' sequence if you
use ipsets in your routestopped file (see below).

ii) Your ipsets may not be reloaded until Shorewall is stopped
or cleared.

iii) If you specify ipsets in your routestopped file then
Shorewall must be cleared in order to reload your ipsets.

As a consequence, scripts generated by the Perl-based compiler
will ignore /etc/shorewall/ipsets and will issue a warning if
you set SAVE_IPSETS=Yes in shorewall.conf.

i) Because the configuration files (with the exception of
/etc/shorewall/params) are now processed by the Perl-based
compiler rather than by the shell, only the basic forms of Shell
expansion ($variable and ${variable}) are supported. The more
exotic forms such as ${variable:=default} are not
supported. Both variables defined in /etc/shorewall/params and
environmental variables (exported by the shell) can be used in
configuration files.

j) USE_ACTIONS=No is not supported. That option is intended to
minimize Shorewall's footprint in embedded applications. As a
consequence, Default Macros are not supported.

k) DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset is
atomically loaded with one execution of iptables-restore.

l) MAPOLDACTIONS=Yes is not supported. People should have converted
to using macros by now.

m) The pre Shorewall-3.0 format of the zones file is not supported;
neither is the /etc/shorewall/ipsec file.

n) BLACKLISTNEWONLY=No is not permitted with FASTACCEPT=Yes. This
combination doesn't work in previous versions of Shorewall so
the Perl-based compiler simply rejects it.

o) Shorewall-perl has a single rule generator that is used for all
rule-oriented files. So it is important that the syntax is
consistent between files.

With shorewall-shell, there is a special syntax in the SOURCE
column of /etc/shorewall/masq to designate "all traffic entering
the firewall on this interface except...".

Example:

#INTERFACE SOURCE ADDRESSES
eth0 eth1!192.168.4.9 ...

Shorewall-perl uses syntax that is consistent with the rest of
Shorewall:

#INTERFACE SOURCE ADDRESSES
eth0 eth1:!192.168.4.9 ...

p) The 'allowoutUPnP' built-in action is no longer supported. The
Netfilter team have removed support for '-m owner --owner-cmd'
which that action depended on.

q) The treatment of the following interface options has changed under
Shorewall-perl.

- arp_filter
- routefilter
- logmartians
- proxy_arp
- sourceroute

With the Shorewall-shell compiler, Shorewall resets these options
on all interfaces then sets the option on those interfaces
for which the option is defined in /etc/shorewall/interfaces.

Under Shorewall-perl, these options can be specified with the value
0 or 1 (e.g., proxy_arp=0). If no value is specified, the value 1
is assumed. Shorewall will modify only the setting of those
interfaces for which the option is specified and will set the
option to the given value.

A fatal compilation error is also generated if you specify one of
these options with a wildcard interface (one ending with '+').

r) The LOG_MARTIANS and ROUTE_FILTER options are now tri-valued in
Shorewall-perl.

Yes - Same as before
No - Same as before except that it applies regardless of
whether any interfaces have the logmartians/routefilter
option
Keep - Shorewall ignores the option entirely (which is the
default).

s) Shorewall-perl support nn 'optional' option has been added to
/etc/shorewall/interfaces. This option is recognized by
Shorewall-perl but not by Shorewall-shell. When 'optional' is
specified for an interface, Shorewall will be silent when:

- a /proc/sys/net/ipv4/conf/ entry for the interface cannot be
modified (including for proxy ARP).

- The first address of the interface cannot be obtained.

I specify 'optional' on interfaces to Xen virtual machines that
may or may not be running when Shorewall is [re]started.

CAUTION: Use 'optional' at your own risk. If you [re]start
Shorewall when an 'optional' interface is not available and then
do a 'shorewall save', subsequent 'shorewall restore' and
'shorewall -f start' operations will instantiate a ruleset that
does not support that interface, even if it is available at the
time of the restore/start.

t) Shorewall-perl validates all IP addresses and addresses ranges
in rules. DNS names are resolved and an error is issued for any
name that cannot be resolved.
u) Shorewall-perl checks configuration files for the presense of
characters that can cause problems if they are allowed into the
generated firewall script:

- Double Quotes. These are prohibited except in the
shorewall.conf and params files.

- Single Quotes. These are prohibited except in the
shorewall.conf and params files and in COMMENT lines.

- Single back quotes. These are prohibited except in the
shorewall.conf and params files.

- Backslash. Probibited except as the last character on a line
to denote line continuation.

v) Under Shorewall-perl, macros may invoke other macros with the
restriction that such macros may not be invoked within an action
body.

When marcros are invoked recursively, the parameter passed to an
invocation are automatically propagated to lower level macros.

Macro invocations may be nested to a maximum level of 5.
------------------------------------------------------------------------
P R E R E Q U I S I T E S
------------------------------------------------------------------------
- Perl (I use Perl 5.8.8 but other versions should work fine)
- Perl Cwd Module
- Perl File::Basename Module
- Perl File::Temp Module
- Perl Getopt::Long Module
------------------------------------------------------------------------
U S I N G T H E N E W C O M P I L E R
If you only install one compiler, then that compiler will be used.

If you install both compilers, then the compiler actually used depends
on the SHOREWALL_COMPILER setting in shorewall.conf.

The value of this new option can be either 'perl' or 'shell'.

If you add 'SHOREWALL_COMPILER=perl' to /etc/shorewall/shorewall.conf
then by default, the new compiler will be used on the system. If you
add it to shorewall.conf in a separate directory (such as a
Shorewall-lite export directory) then the new compiler will only be
used when you compile from that directory.

If you only install one compiler, it is suggested that you do not set
SHOREWALL_COMPILER.

You can also select the compiler to use on the command line using the
'C option:

'-C shell' means use the shell compiler
'-C perl' means use the perl compiler

The -C option overrides the setting in shorewall.conf.

Example:

shorewall restart -C perl

2) Thanks to Paul Gear, an IPPServer macro has been added. Be sure to
read the comments in the macro file before trying to use this
macro.

3) Eariler generations of Shorewall Lite required that remote root
login via ssh be enabled in order to use the 'load' and 'reload'
commands.

Beginning with this release, you may define an alternative means
for accessing the remote firewall system.

Two new options have been added to shorewall.conf:

RSH_COMMAND
RCP_COMMAND

The default values for these are as follows:

RSH_COMMAND: ssh ${root}@${system} ${command}
RCP_COMMAND: scp ${files} ${root}@${system}:${destination}

Shell variables that will be set when the commands are envoked are
as follows:

root - root user. Normally 'root' but may be overridden using
the '-r' option.

system - The name/IP address of the remote firewall system.

command - For RSH_COMMAND, the command to be executed on the
firewall system.

files - For RCP_COMMAND, a space-separated list of files to
be copied to the remote firewall system.

destination - The directory on the remote system that the files
are to be copied into.

4) The accounting, masq, rules and tos files now have a 'MARK' column
similar to the column of the same name in the tcrules file. This
column allows filtering by MARK and CONNMARK value (CONNMARK is
only accepted under Shorewall Perl).

5) SOURCE and DEST are now reserved zone names to avoid problems with
bi-directional macro definitions which use these as names as key
words.

6) The "shorewall show zones" command now flags zone members that have
been added using "shorewall add" by preceding them with a plus sign
("+").

Example:

Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007

fw (firewall)
net (ipv4)
eth0:0.0.0.0/0
loc (ipv4)
br0:0.0.0.0/0
eth4:0.0.0.0/0
eth5:0.0.0.0/0
+eth1:0.0.0.0/0
dmz (ipv4)
eth3:0.0.0.0/0
vpn (ipv4)
tun+:0.0.0.0/0

In the above output, "eth1:0.0.0.0/0" was dynamically added to the
'loc' zone. As part of this change, "shorewall delete" will only
delete entries that have been added dynamically. In earlier
versions, any entry could be deleted although the ruleset was only
changed by deleting entries that had been added dynamically.

7) The 'shorewall version' command now lists the version of the
installed compiler(s) if the -a option is used:

gateway:/bulk/backup # shorewall version -a
4.0.0-Beta1
Shorewall-shell 4.0.0-Beta1
Shorewall-perl 4.0.0-Beta1
gateway:/bulk/backup #

8) The Perl compiler is externalized. Both the compiler.pl program
and the Perl Module interface are documented.

The compiler program is /usr/share/shorewall-perl/compiler.pl:

compiler.pl [ <option> ... ] [ <filename> ]

If a <filename> is given, then the configuration will be compiled
output placed in the named file. If <filename> is not given, then
the configuration will simply be syntax checked.

Options are:

-v <verbosity>
--verbosity=<verbosity>

The <verbosity> is a number between 0 and 2 and corresponds to
the VERBOSITY setting in shorewall.conf. This setting controls
the verbosity of the compiler itself.

-e
--export

If given, the configuration will be compiled for export to
another system.

-d <directory>
--directory=<directory>

If this option is omitted, the configuration in /etc/shorewall
is compiled/checked. Otherwise, the configuration in the named
directory will be compiled/checked.

-t
--timestamp

If given, each progress message issued by the compiler and by
the compiled program will be timestamped.

--debug

If given, when a warning or error message is issued, it is
supplimented with a stack trace. Requires the Carp Perl
module.

Example (compiles the configuration in the current directory
generating a script named 'firewall' and using VERBOSITY
2).

/usr/share/shorewall-perl/compiler.pl -v 2 -d . firewall

Note: For compatibility with the Shorewall 3.4.2 and 3.4.3
releases, options not passed on the run-line get their values from
environmental variables:

Option Variable

--verbosity VERBOSE
--export EXPORT
--directory SHOREWALL_DIR
--timestamp TIMESTAMP

The Perl Module is externalized as follows:

use lib '/usr/share/shorewall-perl';
use Shorewall::Compiler;

compiler $filename, $directory, $verbose, $options

The arguments to the compiler function are as follows:

$filename - Name of the compiled script to be created.
If the arguments evaluates to false, the
configuration is syntax checked

$directory - The directory containing the configuration.
If passed as '', then /etc/shorewall/ is assumed.

$verbose - The verbosity level (0-2).

$options - A bitmap of options. Shorewall::Compiler
exports two constants to help building this
argument:

EXPORT = 0x01
TIMESTAMP = 0x02

The compiler raises an exception with 'die' if it encounters an
error; $@ contains the 'ERROR' messages describing the problem.

The compiler function can be called repeatedly with different
inputs.

9) When TC_ENABLED=Internal, Shorewall-perl now validates classids in
the MARK/CLASSIFY column of /etc/shorewall/tcrules against the
classes generated by /etc/shorewall/tcclasses.

10) During installation, Shorewall generates the Perl module
/usr/share/shorewall-perl/Shorewall/Ports.pm, using your
/etc/protocols and /etc/services as input.

To re-generate the module from those two files:

1. Backup your current /usr/share/shorewall-perl/Shorewall/Ports.pm
file.
2. /usr/share/shorewall-perl/buildports.pl > \
/usr/share/shorewall-perl/Shorewall/Ports.pm

Note: If the buildports.pl program fails to run to a successful
completion during installation, a fallback version of
module will be installed. That fallback module was generated from
the /etc/protocols and /etc/services shipped with Ubuntu Feisty
Fawn.

Even if the buildports.pl program runs successfully, the fallback
module is also installed as
/usr/share/shorewall-perl/Shorewall/FallbackPorts.pm. So if you
encounter problems with the generated module, simply copy the
fallback module to /usr/share/shorewall-perl/Shorewall/Ports.pm.

11) Tuomo Soini has contributed bi-directional macros for various
tunnel types:

IPsecah
GRE
IPsec
IPIP
IPsecnat
L2TP

12) The -f option is no longer the default when Shorewall is started at
boot time (usually via /etc/init.d/shorewall). With Shorewall-perl,
"shorewall start" is nearly as fast as "shorewall restore" and
"shorewall start" uses the current configuration which avoids
confusion.


To re-generate the module from those two files:

1. Backup your current /usr/share/shorewall-perl/Shorewall/Ports.pm
file.
2. /usr/share/shorewall-perl/buildports.pl > \
/usr/share/shorewall-perl/Shorewall/Ports.pm

Note: If the buildports.pl program fails to run to a successful
completion during installation, a fallback version of
module will be installed. That fallback module was generated from
the /etc/protocols and /etc/services shipped with Ubuntu Feisty
Fawn.

Even if the buildports.pl program runs successfully, the fallback
module is also installed as
/usr/share/shorewall-perl/Shorewall/FallbackPorts.pm. So if you
encounter problems with the generated module, simply copy the
fallback module to /usr/share/shorewall-perl/Shorewall/Ports.pm.

11) Tuomo Soini has contributed bi-directional macros for various
tunnel types:

IPsecah
GRE
IPsec
IPIP
IPsecnat
L2TP

12) The -f option is no longer the default when Shorewall is started at
boot time (usually via /etc/init.d/shorewall). With Shorewall-perl,
"shorewall start" is nearly as fast as "shorewall restore" and
"shorewall start" uses the current configuration which avoids
confusion.

13) The implementation of LITEDIR has always been
unsatisfactory. Furthermore, there have been other cases where
people have asked to be able to designate the state directory
(default /var/lib/shorewall[-lite]).

To meet these objectives:

a) The LITEDIR variable has been eliminated in
/usr/share/shorewall[-lite]/configpath.

b) A new file /etc/shorewall[-lite]/vardir has been added. This
file is not created by default but may be added as needed. It
is expected to contain a single variable assignment:

VARDIR=<directory>

Example:

VARDIR=/root/shorewall

To change VARDIR, copy the old directory to the new one before you
restart Shorewall[-lite].

To use this feature with Shorewall-lite, all packages involved
(compiler, shorewall-common and shorewall-lite) must be version
4.0.0-RC2 or later.
-
-

2007-07-15 Shorewall 3.4.5

-
Problems Corrected in 3.4.5.

1) DYNAMIC_ZONES=Yes can now coexist with Shorewall-perl's 'bport'
zones. Those zones themselves may not be dynamically modified but
the presence of bport zones no longer causes the 'shorewall add'
command to fail.

2) Shorewall's internal traffic shaper once again works when the 'sed'
utility is provided by the Busybox package.

3) Version 3.4.4 erroneously accepted the values On, Off, on, off, ON
and OFF for the IP_FORWARDING option. These values were treated
like 'Keep'. The listed values are now once again flagged as an
error.

4) If 'routeback' and 'detectnets' were specified on an interface,
limited broadcasts (to 255.255.255.255) and multicasts were dropped
when forwarded through the interface. This could cause
broadcast-based and multicast applications to fail when running
through a bridge with 'detectnets'.

5) The 'hits' command works once again.

6) IPSECFILE=ipsec (either explicitly or defaulted) works
now. Previously, processing of the ipsec file was bypassed; often
with a confusing "missing file" message.

7) If DETECT_DNAT_IPADDRS=Yes in shorewall.conf but you did't have conntrack
match support, then the generated script was missing 'done's.

Other changes in 3.4.5.

1) When a Shorewall release includes detection of an additional
capability, existing capabilities files become out of
date. Previously, this condition was not detected.

Beginning with this release, each generated capabilities file
contains a CAPVERSION specification which defines the capabilities
version of the file. If the CAPVERSION in a capabilities file is
less than the current CAPVERSION, then Shorewall will issue the
following message:

WARNING: <file> is out of date -- it does not contain all of
the capabilities defined by Shorewall version <version>

where

<file> is the name of the capabilities file.
<version> is the current Shorewall version.

Existing capabilities files contain no CAPVERSION. When such a file
is read, Shorewall will issue this message:

WARNING: <file> may be not contain all of the capabilities defined
by Shorewall version <version>

2) When a directory is specified in a command such as 'start' or
'compile', Shorewall now reads the shorewall.conf file (if any) in
that directory before deciding which compiler to use. So if
SHOREWALL_COMPILER is not specified in
/etc/shorewall/shorewall.conf and the -C option was not specified
on the run-line, then if Shorewall-perl is installed, the additional
shorewall.conf file is read to see if it specifies a
SHOREWALL_COMPILER.

3) The 'save' command now uses iptables-save from the same directory
containing iptables. Previously, iptables-save was located via the
PATH setting.
-
-

2007-06-17 Shorewall 3.4.4

-
Problems corrected in 3.4.4:

1) The commands "shorewall add <interface> <zone>" and "shorewall
delete <interface> <zone>" no longer produce spurious error
messages.

2) The command "shorewall delete <interface> <zone>" now actually deletes
entries when it successfully completes. Previously, it would appear
to remove an entry, even when removing that entry should fail.

3) Setting HIGH_ROUTE_MARKS=No no longer causes TC_EXPERT flagging.

4) When run as root, the 'shorewall load' and 'shorewall reload'
commands would fail if the LOGFILE setting in
/etc/shorewall/shorewall.conf specified a non-existant file.

5) Entries in /etc/shorewall/tcrules that specify both a source and
destination port fail with the following diagnostic:

iptables v1.3.3: multiport can only have one option

6) Previously, Shorewall-lite did not allow DHCP traffic through an
interface when the interface was a bridge with 'dhcp' specified
unless there was a bridge on the administrative system with the
same name.

7) SOURCE and DEST are now flagged as invalid zone name to avoid
problems with macros that use those names as keywords.

8) Previously, Shorewall could *increase* the MSS under some
circumstances. This possibility is now eliminated, provided that
the system has TCPMSS match support (be sure to update your
capabilities files!).

9) Firewall zone names other than 'fw' no longer cause a error when
IPSECFILE is not set or is set to 'ipsec'.

10) The 'proxyarp' option on an interface was previously ignored when
the /etc/shorewall/proxyarp file was empty.

11) Previously, if action 'a' was defined then the following
rule generated an error:

a: z1 z2 ...

The trailing ":" is now ignored.

12) Previously, if a RATE/LIMIT was specified on a REJECT rule, the
generated error messages referred to the rule as a DROP rule.

13) The 'nolock' keyword was previously ignored on several
/sbin/shorewall[-lite] commands.

Other changes in 3.4.4:

1) The accounting, masq, rules and tos files now have a 'MARK' column
similar to the column of the same name in the tcrules file. This
column allows filtering by MARK value.

2) The "shorewall show zones" command now flags zone members that have
been added using "shorewall add" by preceding them with a plus sign
("+").

Example:

Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007

fw (firewall)
net (ipv4)
eth0:0.0.0.0/0
loc (ipv4)
br0:0.0.0.0/0
eth4:0.0.0.0/0
eth5:0.0.0.0/0
+eth1:0.0.0.0/0
dmz (ipv4)
eth3:0.0.0.0/0
vpn (ipv4)
tun+:0.0.0.0/0

In the above output, "eth1:0.0.0.0/0" was dynamically added to the
'loc' zone. As part of this change, "shorewall delete" will only
delete entries that have been added dynamically. In earlier
versions, any entry could be deleted although the ruleset was only
changed by deleting entries that had been added dynamically.

3) Eariler generations of Shorewall Lite required that remote root
login via ssh be enabled in order to use the 'load' and 'reload'
commands.

Beginning with this release, you may define an alternative means
for accessing the remote firewall system.

Two new options have been added to shorewall.conf:

RSH_COMMAND
RCP_COMMAND

The default values for these are as follows:

RSH_COMMAND: ssh ${root}@${system} ${command}
RCP_COMMAND: scp ${files} ${root}@${system}:${destination}

Shell variables that will be set when the commands are envoked are
as follows:

root - root user. Normally 'root' but may be overridden using
the '-r' option.

system - The name/IP address of the remote firewall system.

command - For RSH_COMMAND, the command to be executed on the
firewall system.

files - For RCP_COMMAND, a space-separated list of files to
be copied to the remote firewall system.

destination - The directory on the remote system that the files
are to be copied into.

4) You may now select the compiler to use on the command line using
the '-C' option. This option is available on the following
commands:

check
compile
export
load
reload
restart
start
try
safe-start
save-restart

Example:

shorewall try -C perl .
-
-

2007-06-12 New Host for www.shorewall.net and -ftp.shorewall.net

-
I'm pleased to announce that Ty Christiansen and the folks at Master Mind
Productions (http://mastermindpro.com) have volunteered to host
www.shorewall.net and ftp.shorewall.net.

The new site is up and running and I've just changed DNS to point to the new
server. Let me know if you experience any problems.

Please join me in thanking Ty and Master Mind for their support of the
Shorewall project.
-
-

2007-04-30 Shorewall 3.4.3

-

Problems corrected in Shorewall 3.4.3

-
1) The shorecap program was not loading modules correctly.
-
2) The CHAIN variable is now set correctly before the 'maclog' script
-
   is invoked.
-
-
3) The 'shorewall load' and 'shorewall reload' commands redundently
-
   re-generated the capabilities file when it resided in the export
-
   directory.
-
-
4) Setting LOGFILE to the value of a shell variable from the params
-
   file now works.
-
-
5) The 'shorewall-lite restore' command can fail with a 'startup not
-
   enabled' error.
-
-
6) When ROUTE_FILTER=Yes in shorewall.conf, Shorewall no longer clears
-
   the rp_filter flag for all interfaces.
-
-
7) When LOG_MARTIANS=Yes in shorewall.conf, Shorewall no longer clears
-
   the log_martians flag for all interfaces.
-
-
8) The 'shorewall add' and 'shorewall delete' commands no longer fail
-
   with the message 'ERROR: Only one firewall zone may be defined'.
-
-
9) It was previously impossible to disable martian logging.
-
-
10) IP addresses (aliases) added by ADD_IP_ALIASES and ADD_SNAT_ALIASES
-
    are now correctly deleted when Shorewall stops.
-
-
11) The 'shorewall add' and 'shorewall delete' commands no longer fail
-
    with the error 'Only one firewall zone may be defined'.
-
-
12) The special 'detect' value now works correctly in the ADDRESSES
-
    column of /etc/shorewall/masq.
-
-
Other changes in Shorewall 3.4.3
-
-
1) A LOCKFILE option has been added to shorewall.conf. This file is
-
   used to serialize updates to the active firewall configuration.
-
   If not specified, the defaults are:
-
-

Shorewall - /var/lib/shorewall/lock

-

Shorewall Lite - /var/lib/shorewall-lite/lock

-
- -
-

2007-04-08 Shorewall 3.2.10
-

-
Problems Corrected in 3.2.10

1) Previously, if a 'start' or 'restart' command failed during the
compilation step, /sbin/shorewall erroneously returned an exit
status of zero.

2) If IMPLICIT_CONTINUE=Yes was in effect, then sub-zones received the
implicit CONTINUE policy for their intra-zone traffic (rather than
the implicit ACCEPT policy for such traffic). This could cause
intra-zone traffic to be rejected by rules in one of the parent
zones.

3) The "shorewall-[lite] [re]start and stop" commands reset the
proxy_arp flag on all interfaces on the system making it impossible
to control proxy arp manually with Shorewall installed. With this
change, shorewall will only clear proxy arp if there were entries in
/etc/shorewall/proxyarp the last time that Shorewall was
[re]started.

4) The /usr/share/shorewall[-lite]/modules file has been updated for
kernel 2.6.20.

5) The /proc/net/ip_conntrack pseudo-file has been inexplicably
renamed /proc/net/nf_conntrack in kernel 2.6.20. The lib.cli
library has been updated to look for both files.

6) Tunnels of type 'ipsecnat' failed to work properly due to a missing
rule.

7) The 'shorecap' program was not loading modules correctly.
-
-2007-04-01 Shorewall 3.4.2
-
-
Problems corrected in Shorewall 3.4.2

1) The /usr/share/shorewall[-lite]/modules file has been updated for
kernel 2.6.20.

2) The /proc/net/ip_conntrack pseudo-file has been inexplicably
renamed /proc/net/nf_conntrack in kernel 2.6.20. The lib.cli
library has been updated to look for both files.

3) Shoreall 3.4 was not consistent with respect to its treatment of
log level 'none' and 'none!' and built-in actions. In particular,
specifying 'none' with the Limit action produced a run-time error.
Shorewall now correctly suppresses generation of log messages when
a log level of 'none' or 'none!' is given to a built-in action.

4) Tunnels of type 'ipsecnat' would sometimes fail to work because of
a missing rule.
- -
2007-03-15 -Shorewall 3.4.1
-
-
Problems Corrected in 3.4.1

1) The "shorewall-[lite] [re]start and stop" commands reset the
proxy_arp flag on all interfaces on the system making it impossible
to control proxy arp manually with Shorewall installed. There was a
partial fix included in 3.4.0; unfortunately, it did not correct the
problem completely. Shorewall 3.4.1 includes the rest of the change
necessarey to only clear proxy arp if there were entries in
/etc/shorewall/proxyarp the last time that Shorewall was
[re]started.

2) If the log-prefix in a log message exceeded 29 characters,
'shorewall restart' fails with 'truncate: command not found' and a
possible segmentation fault in iptables.

3) Log messages specifying a log tag had two spaces appended to the
log prefix. This could cause mysterious "log-prefix truncated"
messages.

4) When nested zones were defined in the /etc/shorewall/zones file and
IMPLICIT_CONTINUE=Yes was given in /etc/shorewall/shorewall.conf,
shell error messages ( usually '<zone>: not found' ) during
compilation resulted.

5) Use of CONTINUE policies lead to startup errors with a message
such as the following:

Applying Policies...
iptables v1.3.7: Couldn't load target
`CONTINUE':/usr/local/lib/iptables/libipt_CONTINUE.so: cannot open
shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

ERROR: Command "/sbin/iptables -A net2c148 -j CONTINUE"
Failed

6) If there were hosts defined as 'critical' in
/etc/shorewall/routestopped then problems occured in two cases:

i) On a Shorewall Lite system when 'shorewall stop' or 'shorewall
clear' was issued.

ii) On Shorewall or Shorewall lite system when 'start' or 'restart'
failed during execution of the compiled script and there was no saved
configuration ('shorewall[-lite] save' has not been issued).

The symptoms were that the following shell messages were issued and
the 'critical' hosts were not enabled:

/var/lib/shorewall/.start: line nnn: source_ip_range: command not found
/var/lib/shorewall/.start: line nnm: dest_ip_range: command not found

Other changes in 3.4.1

1) Several changes are included which allow testing of experimental
versions of Shorewall on systems with 3.4.1 and later 3.4 releases
installed. Among these changes is the detection and reporting of
"Address Type Match" which may be used in future 3.4 releases.
These changes have no effect on normal Shorewall operation.
- -
2007-03-10 -Shorewall 3.4.0
-
-
Shorewall 3.4.0

Release Highlights

1) Shorewall can now be tailored to reduce its footprint on embedded
systems. As part of this change, actions are now completely
optional.

See http://www.shorewall.net/Modularization.html for details.

2) Exclusion is now possible in /etc/shorewall/hosts. This is required
for bridge/firewalls under kernel 2.6.20 and later.

See http://www.shorewall.net/NewBridge.html.

3) Shorewall and Shorewall Lite now include man pages. There is a
man page for shorewall(8), one for shorewall-lite(8) and one for
each configuration file. As part of this change, all documentation
has been removed from Shorewall configuration files. This should
make it easier from users to upgrade from one release to the next
since the configuration files will only change when column is added
or renamed.

See http://www.shorewall.net/manpages/Manpages.html

4) Shorewall now remembers the changes that it has made to routing as
a result of entries in /etc/shorewall/providers and
/etc/shorewall/route_rules and reverses those changes when
appropriate.

Problems Corrected in 3.4.0 Final.

1) In the rules file, following the action with "!" is supposed to
exempt the rule from being suppressed by OPTIMIZE=1. That feature
was not working.

2) If both a macro body and a macro invocation contained an entry in the
SOURCE or DEST column, then compilation failed with the error:

merge_macro_source_dest: command not found

3) An obscure bug in rule activation having to do with the new
exclusion feature in /etc/shorewall/hosts has been corrected.

4) The "shorewall-[lite] [re]start and stop" commands reset the
proxy_arp flag on all interfaces on the system making it impossible
to control proxy arp manually with Shorewall installed. With this
change, shorewall will only clear proxy arp if there were entries in
/etc/shorewall/proxyarp the last time that Shorewall was
[re]started.

New Features in Shorewall 3.4:

1) In order to accomodate small embedded applications, Shorewall 3.4
is now modularized. In addition to the base files, there are
loadable "libraries" that may be included or omitted from an
embedded system as required.

Loadable Shorewall libraries reside in /usr/share/shorewall/ and
have names that begin with "lib.". The following libraries are
included in Shorewall 3.4:

- lib.accounting. Must be available if you include entries in
/etc/shorewall/accounting.

- lib.actions. Must be available if you do not specify
USE_ACTIONS=No in /etc/shorewall/shorewall.conf.

- lib.base. The base Shorewall library required by all programs,
including compiled firewall scripts. This library is also
released as part of Shorewall Lite and is installed in
/usr/share/shorewall-lite/.

- lib.cli. Library containing the code common to /sbin/shorewall,
/sbin/shorewall-lite. This library is also released as part of
Shorewall Lite and is installed in /usr/share/shorewall-lite/.

- lib.config. Library containing the code that is common to
/usr/share/shorewall/compiler and /usr/share/shorewall/firewall.

- lib.dynamiczones. Must be available if you specify
DYNAMIC_ZONES=Yes in shorewall.conf.

- lib.maclist. Must be available if you specify the 'maclist'
option in /etc/shorewall/interfaces or /etc/shorewall/hosts.

- lib.nat. Must be available if you have entries in
/etc/shorewall/masq, /etc/shorewall/nat or /etc/shorewall/netmap
or if you use DNAT or REDIRECT rules.

- lib.providers. Must be available if you have entries in
/etc/shorewall/providers.

- lib.proxyarp. Must be available if you have entries in
/etc/shorewall/proxyarp or if you specify the 'proxyarp' option
in /etc/shorewall/interfaces.

- lib.tc. Must be available if you have entries in
/etc/shorewall/tcdevices and /etc/shorewall/tcclasses.

- lib.tcrules. Must be available if you have entries in
/etc/shorewall/tcrules.

- lib.tunnels. Must be available if you have entries in
/etc/shorewall/tunnels.

Embedded applications can further decrease the size of the Shorewall
footprint by:

- Omitting the macro files.
- Omitting all unused extension scripts.

See http://www.shorewall.net/Modularization.html for additional
details.

2) As hinted in the previous bullet, there is a new USE_ACTIONS option
in /etc/shorewall/shorewall.conf. Shorewall actions can be very
powerful but they also require a lot of code to implement. Embedded
applications can omit that code by setting
USE_ACTIONS=No. Shorewall will ignore all action-related files
including /usr/share/shorewall/actions.std and
/etc/shorewall/actions. Builtin actions will still be available for
use in rules and macros.

The 'Limit' action has been converted to a builtin so that Limit is
available even when USE_ACTIONS=No.

See the next item for more information.

3) Prior to Shorewall 3.4, default actions were specified in
/usr/share/shorewall/actions.std or in /etc/shorewall/actions.

This approach has two drawbacks:

a) All DROP policies must use the same default action and all
REJECT policies must use the same default action.

b) Now that we have modularized action processing (see the New
Features section below), we need a way to define default rules
for a policy that does not involve actions.

The solution is two-fold:

- Four new options have been added to the
/etc/shorewall/shorewall.conf file that allow specifying the
default action for DROP, REJECT, ACCEPT and QUEUE.

The options are DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT and
QUEUE_DEFAULT.

DROP_DEFAULT describes the rules to be applied before a
connection request is dropped by a DROP policy; REJECT_DEFAULT
describes the rules to be applied if a connection request is
rejected by a REJECT policy. The other two are similar for
ACCEPT and QUEUE policies.

The value assigned to these may be:

a) The name of an action.
b) The name of a macro
c) 'None' or 'none'

The default values are:

DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT=none
QUEUE_DEFAULT=none

If USE_ACTIONS=Yes, then these values refer to action.Drop and
action.Reject respectively. If USE_ACTIONS=No, then these values
refer to macro.Drop and macro.Reject.

If you set the value of either option to "None" then no default
action will be used and the default action or macro (if any)
must be specified in /etc/shorewall/policy

- The POLICY column in /etc/shorewall/policy has been extended.

In /etc/shorewall/policy, when the POLICY is DROP, REJECT,
ACCEPT or QUEUE then the policy may be followed by ":" and one
of the following:

a) The word "None" or "none". This causes any default
action defined in /etc/shorewall/shorewall.conf
to be omitted for this policy.
b) The name of an action (requires that USE_ACTIONS=Yes
in shorewall.conf). That action will be invoked
before the policy is enforced.
c) The name of a macro. The rules in that macro will
be applied before the policy is enforced. This
does not require USE_ACTIONS=Yes.<
br>
Example:

#SOURCE DEST POLICY LOG
# LEVEL
loc net ACCEPT
net all DROP:MyDrop info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT:MyReject info

4) For users whose kernel and iptables have Extended MARK Target
support, it is now possible to logically AND or OR a value into the
current packet mark by preceding the mark value (and optional mask)
with an ampersand ("&") or vertical bar ("|") respectively.

Example: To logically OR the value 4 into the mark value for
packets from 192.168.1.1:

#MARK SOURCE
|4 192.168.1.1

5) Previously, zone names were restricted to five characters in
length. That limit derives from the --log-prefix in Netfilter log
messages which must be 29 bytes or less in length. With the
standard Shorewall LOGFORMAT, that leaves 11 characters for the
chain name; given that many chain names are of the form
<zone1>2<zone2>, that gives a maximum zone name length of 5.

Beginning with this release, the maximum length of a zone name is
dependent on the LOGFORMAT (the maximum length may never be less
than 5 but it may be greater than 5). For example, setting
LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters.

6) Netfilter provides support for attachment of comments to Netfilter
rules. Comments can be up to 255 bytes in length and are visible
using the "shorewall show <chain>", "shorewall show nat",
"shorewall show mangle" and "shorewall dump" commands. Comments are
delimited by '/* ... */" in the output.

Beginning with Shorewall 3.4, you may place COMMENT lines in the
/etc/shorewall/rules, /etc/shorewall/tcrules, /etc/shorewall/nat
and /etc/shorewall/masq files and in action files. The remainder of
the line is treated as a comment and it will be attached as a
Netfilter comment to the rule(s) generated by succeding entries
in the file.

Note: Do not prefix the comment with "#". Shorewall's two-pass
compiler strips off "#" comments in the first pass and processes
COMMENT lines in the second pass. Hence, by the time that COMMENT
is processed, the "#" and everything following it has been removed
(see example below).

To stop the current comment from being attached to further
rules, simply include COMMENT on a line by itself (so that the
following rules will have no comment) or specify a new COMMENT.

If you do not have Comment support in your iptables/kernel (see the
output of "shorewall[-lite] show capabilities") then COMMENTS are
ignored with this warning:

COMMENT ignored -- requires comment support in iptables/Netfilter

Example from my rules file:

#SOURCE SOURCE DEST PROTO DEST PORT(S)

COMMENT Stop Microsoft Noise

REJECT loc net tcp 137,445
REJECT loc net udp 137:139

COMMENT # Stop comment from being attached to rules below

The output of "shorewall show loc2net" includes (folded):

0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 137,445 /* Stop Microsoft Noise */
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139 /* Stop Microsoft Noise */

7) A new macro (macro.RDP) has been added for Microsoft Remote
Desktop. This macro was contributed by Tuomo Soini.

8) A new 'maclog' extension file has been added. This file is
processed just before logging based on the setting of
MACLIST_LOG_LEVEL is done. When the extension is invoked, the CHAIN
variable will contain the name of the chain where rules should be
inserted. Remember that if you have specified MACLIST_TABLE=mangle,
then your run_iptables commands should include "-t mangle".

9) The SUBNET column in /etc/shorewall/masq has been renamed SOURCE to
more accurately describe the contents of the column.

10) Previously, it was not possible to use exclusion in
/etc/shorewall/hosts. Beginning with this release, you may now use
exclusion lists in entries in this file. Exclusion lists are
discussed at:

http://www.shorewall.net/configuration_file_basics.htm#Exclusion.

Example:

loc eth0:192.168.1.0/24!192.168.1.4,192.168.1.16/28

In that example, the 'loc' zone is defined to be the subnet
192.168.1.0/24 interfacing via eth0 *except* for host 192.168.1.4
and hosts in the sub-network 192.168.1.16/28.

11) New "shorewall[-lite] show ip" and "shorewall[-lite] show routing"
commands have been added. The first produces the same output as "ip
addr ls". The second produces a report about your routing rules and
tables.

12) Beginning with this release, Shorewall and Shorewall Lite will
share common change logs and release notes.

13) In Shorewall versions prior to 3.4, multiple jumps to a '2all'
chain could be generated in succession.

Example from an earlier shorewall version:

gateway:~ # shorewall-lite show eth2_fwd
Shorewall Lite 3.4.0-Beta1 Chains eth2_fwd at gateway - Thu Oct 19 08:54:37 PDT 2006

Counters reset Thu Oct 19 08:34:47 PDT 2006

Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 wifi2all all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0
0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0
0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
gateway:~ #

This redundancy may be eliminated by setting OPTIMIZE=1 in shorewall.conf.

gateway:~ # shorewall-lite show eth2_fwd
Shorewall Lite 3.4.0-Beta1 Chains eth2_fwd at gateway - Thu Oct 19 09:15:24 PDT 2006

Counters reset Thu Oct 19 09:15:19 PDT 2006

Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~ #

Note that with OPTIMIZE=1, traffic destined for an
interface/Address that falls outside of all defined zones may now
be logged out of a '2all' chain rather than out of the FORWARD
chain.

The OPTIMIZE setting also controls the suppression of redundant
wildcard rules (those specifying "all" in the SOURCE or DEST
column). A wildcard rule is considered to be redundant when it
has the same ACTION and Log Level as the applicable policy.

Example:

/etc/shorewall/policy

#SOURCE DEST POLICY LEVEL
loc net ACCEPT

/etc/shorewall/rules

#ACTION SOURCE DEST PROTO DEST
# PORT(S)
...
ACCEPT all all icmp 8

OPTIMIZE=0

gateway:~ # shorewall show loc2net
Shorewall Lite 3.4.0-Beta1 Chains loc2net at gateway - Thu Oct 26 07:55:03 PDT 2006

Counters reset Thu Oct 26 07:54:58 PDT 2006<
br>
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
...
0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

gateway:~

OPTIMIZE=1

gateway:~ # shorewall show loc2net
Shorewall Lite 3.4.0-Beta1 Chains loc2net at gateway - Thu Oct 26 07:57:12 PDT 2006

Counters reset Thu Oct 26 07:56:38 PDT 2006

Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
...
0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

gateway:~

If you really want a rule that duplicates the policy, follow the
action with "!":

#ACTION SOURCE DEST PROTO DEST
# PORT(S)
...
ACCEPT! all all icmp 8

14) IP Address ranges are now allowed in the drop, reject, allow and
logdrop shorewall[-lite] commands.

15) Previously, Shorewall has not attempted to undo the changes it has
made to the firewall's routing as a result of entries in
/etc/shorewall/providers and /etc/shorewall/routes. Beginning with
this release, Shorewall will attempt to undo these changes.

When Shorewall starts or is restarted and there are entries in
/etc/shorewall/providers, Shorewall will capture the contents
of /etc/shorewall/rt_tables and will restore that database when
Shorewall is stopped or restarted. Similarly, the default route
will be captured the first time that you [re]start Shorewall using
this version and will be restored under the following conditions:

a) shorewall stop
b) shorewall clear
c) shorewall restart or restore and there are no entries in
/etc/shorewall/providers.

Once the default route has been restored, Shorewall will delete
the saved copy so that it will once again be captured at the next
shorewall start or shorewall restore.

16) Shorewall no longer includes policy matches in its generated
ruleset when no IPSEC zones or IPSEC networks are defined (IPSEC
networks are defined using the 'ipsec' option in
/etc/shorewall/hosts).

17) The Makefile installed in /usr/share/shorewall/configfiles/ is now
the same one mentioned at
http://www.shorewall.net/CompiledPrograms.html.

Once the file is copied into an export directory, you modify the
setting of the HOST variable to match the name of the remote
firewall.

The default target is the "firewall" script so "make" compiles the
firewall script if any of the configuration files have
changed. "make install" builds "firewall" if necessary then
installs it on the remote firewall. "make capabilities" will
generate the "capabilities" file. "make save" will save the running
configuration on the remote firewall.

18) Shorewall and Shorewall Lite now include the following manpages.

shorewall-accounting(5)
shorewall-actions(5)
shorewall-blacklist(5)
shorewall.conf(5)
shorewall-ecn(5)
shorewall-exclusion(5)
shorewall-hosts(5)
shorewall-interfaces(5)
shorewall-lite.conf(5)
shorewall-lite(8)
shorewall-maclist(5)
shorewall-masq(5)
shorewall-nat(5)
shorewall-nesting(5)
shorewall-netmap(5)
shorewall-params(5)
shorewall-policy(5)
shorewall-providers(5)
shorewall-proxyarp(5)
shorewall-rfc1918(5)
shorewall-route_rules(5)
shorewall-routestopped(5)
shorewall-rules(5)
shorewall-tcclasses(5)
shorewall-tcdevices(5)
shorewall-tcrules(5)
shorewall-template(5)
shorewall-tos(5)
shorewall-tunnels(5)
shorewall(8)
shorewall-zones(5)

Now that the manpages are in place, command-specific help has been
removed since it duplicates information in the man pages.

19) From the beginning, the Shorewall configuration files in
/etc/shorewall/ have contained documentary comments. While these
comments are useful, they present an upgrade problem. Beginning
with this release, these comments are removed from the
configuration files themselves and are replaced by the manpages
described in the preceding release note entry.

20) Shorewall now uses tc fwmark filters to classify packets for
traffic shaping when the DEVICE isn't an interface described in
/etc/shorewall/interfaces. This is in preparation for the upcoming
change to the way that --physdev-out works in iptables/Netfilter;
that change is now scheduled for kernel 2.6.20.

21) If your kernel and iptables have extended multiport support, then
Shorewall will use that support for the destination port when
generating rules from entries in the /etc/shorewall/tcrules file.
22) The 'safe-start' and 'safe-restart' command have been
improved. Both now accept an optional directory name; if supplied,
Shorewall will look first in that directory for configuration
files.

The commands have also been enhanced to only restore the
configuration once in the event of a failure. Previously, if there
was a current 'save' command in effect, then that configuration
would be restored on a failure and then the last-running
configuration would be restored.

23) The 'try' command has been reimplemented with new semantics.

If Shorewall is started then the firewall state is saved to a
temporary saved configuration (/var/lib/shorewall/.try). Next, if
Shorewall is currently started then a restart command is issued;
otherwise, a start command is performed. if an error occurs during
the compliation phase of the restart or start, the command
terminates without changing the Shorewall state. If an error occurs
during the restart phase, then a 'shorewall restore' is performed
using the saved configuration. If an error occurs during the start
phase, then Shorewall is cleared. If the start/restart succeeds
and a timeout is specified then a 'clear' or 'restore' is performed
after timeout seconds.

24) The syntax of the 'export' command has been made slightly
friendlier.

The old syntax:

export <directory1> [user@]system:[<directory2>]

It is now:

export <directory1> [user@]system[:<directory2>]

In other words, if you don't need to specify <directory2>, you may
omit the colon (":") following the system name.

The old syntax is still accepted -- that is, you can still
type:

export firewall2:

which is equivalent to

export firewall2

25) Shorewall commands may be speeded up slightly by using a
'capabilities' file. The 'capabilities' file was originally
designed for use with Shorewall Lite and records the
iptables/Netfilter features available on the target system.

To generate a capabilities file, execute the following command as
root:

shorewall show -f capabilities > /etc/shorewall/capabil
ities

When you install a new kernel and/or iptables, be sure to generate
a new capabilities file.

26) When syslogd is run with the -C option (which in some
implementations causes syslogd to log to an in-memory circular
buffer), /sbin/shorewall will now use the 'logread' command to read
the log from that buffer. This is for combatibility with OpenWRT.

27) There is now a ":T" qualifier in /etc/shorewall/tcrules which
causes the resulting rule to be inserted into the POSTROUTING
chain.

28) The program /usr/share/shorewall/wait4ifup can be used to wait for
a network device (such as a ppp device) to reach the UP state.

/usr/share/shorewall/wait4ifup <interface> [ <seconds> ]

The program will wait for up to <seconds> seconds for the
named <interface> to reach the UP state. If <seconds> is not given,
60 seconds is assumed.

The exit status is zero if <interface> comes up within <seconds>
seconds and non-zero otherwise.

29) Previously, 'ipsecnat' tunnels allowed AH traffic by default
(unless 'isecnat:noah' was given). Given that AH is incompatible
with nat-traversal, 'ipsecnat' now implies 'ipsecnat:noah'.

30) Shorewall now generates half as many rules as previously in the
'blacklst' chain when BLACKLIST_LOGLEVEL is specified.

31) Beginning with Shorewall 3.4.0, if EXPORTPARAMS=No in
shorewall.conf then Shorewall will not process
/etc/shorewall/params when the compiled script is run. With
EXPORTPARAMS=No, any shell variables needed at run-time must be set
in /etc/shorewall/init.

In a Shorewall/Shorewall Lite environment, this allows
/etc/shorewall/params to be written to run exclusively
on the administrative system while /etc/shorewall/init runs
exclusively on the firewall system.

So shell variables required at compile time may be set in
/etc/shorewall/params and those required at run-time may be set in
/etc/shorewall/init.

Note 1: If you need shell variables values in your
/etc/shorewall/stop or /etc/shorewall/stopped script, then you need
to set their values in /etc/shorewall/stop. /etc/shorewall/init is
not invoked during processing of the 'stop' and 'clear' commands.

Note 2: EXPORTPARAMS was actually introduced in Shorewall version
3.2.9. It is described here for the benefit of those who did not
install that version.
- -
Old -News here
-
- - diff --git a/web/Notices.html b/web/Notices.html deleted file mode 100644 index ee6913579..000000000 --- a/web/Notices.html +++ /dev/null @@ -1,188 +0,0 @@ - - - - - Shorewall Notices - - - - - -
- - - - - - - - - - - - - -
Attention -Shorwall-shell Users
-
Attention -Shorewall-perl 4.2 Users
-
Attention -Users of Shorewall's Multi-ISP Feature
-
Attention Users of BRIDGING=YesAttention Kernel 2.4 Users
-
-
2009-08-18
-
-

End-of-life for Shorewall-shell in -Shorewall 4.4
-

-Shorewall 4.4, released in August 2009, does not include -Shorewall-shell. Because Shorewall 4.0 is included in Debian Lenny, the -4.0 release of Shorewall-shell will continue to be supported until -Debian Squeeze is released. The 4.2 release of Shorewall-shell will -continue to be supported until Shorewall 4.6 is released in 2010.
-
-Shorewall-shell users concerned about upgrading are encouraged to -migrate to Shorewall-perl before upgrading to Shorewall 4.4. By -migrating -before upgrading, you will be able to have both -Shorewall-shell and Shorewall-perl installed at the same time; that -way, you can quickly fall back to Shorewall-shell if you have problems.
-
-Users who -run Shorewall-shell on an embedded system that is too small to support -Perl should consider switching to Shorewall-lite -with Shorewall-perl installed on an administrative system (may be a -Windows[tm] system running Cygwin[tm]).
-

Attention -Shorewall-perl 4.2 Users

-

Shorewall-perl 4.2.8

-Shorewall-perl 4.2.8 was dead on arrival. The compiler did not rename -the generated script file with the result that it was removed when the -compiler terminated. This lead to:
-
    -
  1. It was not possible to start Shorewall or Shorewall6 for the -first time after installing 4.2.8
  2. -
  3. Changes to the configuration were apparently ignored.
  4. -
-This problem was corrected in Shorewall-perl-4.2.8.1.
-

Shorewall-perl 4.2.6 and Earlier
-

-On February 28, Klemens Rutz reported a problem that affects all -Shorewall-perl 4.2 versions prior to 4.2.6.1.
-
-
The problem:
-
    -
  1. Only occurs when there are multiple non-firewall zones.
  2. -
  3. Results in the following interface options not being applied to -forwarded traffic.
  4. -
-
blacklist
-dhcp
-maclist (when MACLIST_TABLE=filter)
-norfc1918
-nosmurfs
-tcpflags
-
-
-User are encouraged to either:
-
    -
  • Upgrade to Shorewall-perl-4.2.6.1 or later; or
  • -
  • Apply the patch found at:
  • -
- -
-
To apply the patch, execute this -command:
-
-
-
 patch /usr/share/shorewall-perl/Shorewall/Rules.pm < forward.patch
-
-
The patch may apply with fuzz and/or an -offset, depending on your particular version.
-

Attention Users of Shorewall's Multi-ISP -Feature

-

A bug in Shorewall versions 3.2.0-3.2.10, 3.4.0-3.4.6 and -Shorewall-shell -4.0.0-4.0.2 prevents proper handling of PREROUTING marks when -HIGH_ROUTE_MARKS=No and the track option is -specified. -Patches are available to correct this problem:

-

Shorewall version 3.2.0-3.2.10, 3.4.0-3.4.3: http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.10/errata/patches/Shorewall/patch-3.2.10-2.diff

-

Shorewall version 3.4.4-3.4.6: http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.66/errata/patches/Shorewall/patch-3.4.6-1.diff

-

Shorewall-shell version 4.0.0-4.0.2: http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.2/errata/patches/Shorewall-shell/patch-shell-4.0.2-2.diff

-

Note that a patch may succeed with an offset when applied to a -release -other than the one for which it was specifically prepared. For example, -when -the patch for 3.2.0-3.2.10, 3.4.0-3.4.3 (which was prepared for release -3.2.10) is applied to release 3.4.3, the following is the result:

-
root@wookie:~# cd /usr/share/shorewall
-root@wookie/usr/share/shorewall#: patch < ~/shorewall/tags/3.2.10/Shorewall.updated/patch-3.2.10-2.diff 
patching file compiler
Hunk #1 succeeded at 958 (offset -1669 lines).
root@wookie:/usr/share/shorewall#
-

Update -- 7 November 2007

-

A second bug in Shorewall versions 3.2.0-3.2.11, 3.4.0-3.4.7 and -4.0.0-4.0.5 can cause improper handing of PREROUTING and OUTPUT marks -when -HIGH_ROUTE_MARKS=Yes. Patches are also available to correct this -problem:

-

Shorewall version 3.2.3-3.2.11: http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.11/errata/patches/Shorewall/patch-3.2.11-1.diff

-

Shorewall version 3.4.0-3.4.7: http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.7/errata/patches/Shorewall/patch-3.4.7-1.diff

-

Shorewall version 4.0.0-4.0.5: http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-shell/patch-shell-4.0.5-1.diff -and http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-perl/patch-perl-4.0.5-4.diff.

-
-

Attention Users of BRIDGING=Yes

-

In Linux Kernel version 2.6.20, the Netfilter team changed Physdev -Match -so that it is no longer capable of supporting BRIDGING=Yes. The -solutions -available to users are to either:

-
    -
  1. Switch to using the technique described at http://www.shorewall.net/3.0/NewBridge.html; -or
    -
  2. -
  3. Upgrade to Shorewall 4.0, migrate to using Shorewall-perl, and -follow the instructions at http://www1.shorewall.net/bridge-Shorewall-perl.html. -
  4. -
-

The first approach allows you to switch back and forth between -kernels -older and newer than 2.6.20. The second approach is a better long-term -solution.

-
-

Attention Users of Kernel 2.4

-The Shorewall developers do not test Shorewall running on Kernel 2.4 -and we make no representation about the functionality of Shorewall on -that Kernel. Any failure of Shorewall on Kernel 2.4 will not be -investigated by the Shorewall team.
-
-Copyright © 2001-2009 Thomas M. Eastep
-
-Permission is granted to copy, distribute and/or modify this -document -under the terms of the GNU Free Documentation License, Version 1.2 or -any -later version published by the Free Software Foundation; with no -Invariant -Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of -the -license is included in the section entitled "GNU Free Documentation License". - - diff --git a/web/SeattleInTheSpring.html b/web/SeattleInTheSpring.html deleted file mode 100644 index c3d0bc3f4..000000000 --- a/web/SeattleInTheSpring.html +++ /dev/null @@ -1,28 +0,0 @@ - - - - - - Wintertime in Seattle - - - - -

-

-

Our Home

-(Our House)
-
-
-

-

Updated 11/02/2008 - Tom Eastep

-

Copyright 2008 Thomas M. Eastep.

-
-
-
- - diff --git a/web/Shorewall_CA_html.html b/web/Shorewall_CA_html.html deleted file mode 100644 index 1dc09bb64..000000000 --- a/web/Shorewall_CA_html.html +++ /dev/null @@ -1,104 +0,0 @@ - - - - - - - Shorewall Certificate Authority - - - - - -

Shorewall Certificate Authority - (CA) Certificate

- Tom Eastep
-
-
Copyright © 2001-2003 Thomas M. Eastep
-
- Permission is granted to copy, distribute and/or modify this - document under the terms of the GNU Free Documentation License, - Version 1.2 or any later version published by the Free Software - Foundation; with no Invariant Sections, with no Front-Cover, - and with no Back-Cover Texts. A copy of the license is included - in the section entitled “GNU Free Documentation - License”.
-
- 2003-12-31
-
- Given that I develop and support Shorewall without asking for - any renumeration, I can hardly justify paying $200US+ a year to - a Certificate Authority such as Thawte (A Division of VeriSign) - for an X.509 certificate to prove that I am who I am. I have - therefore established my own Certificate Authority (CA) and - sign my own X.509 certificates. I use these certificates on my - list server (https://lists.shorewall.net) - which hosts parts of this web site.
-
- X.509 certificates are the basis for the Secure Socket Layer - (SSL). As part of establishing an SSL session (URL - https://...), your browser verifies the X.509 certificate - supplied by the HTTPS server against the set of Certificate - Authority Certificates that were shipped with your browser. It - is expected that the server's certificate was issued by one of - the authorities whose identities are known to your browser. -
-
- This mechanism, while supposedly guaranteeing that when you - connect to https://www.foo.bar you are REALLY connecting to - www.foo.bar, means that the CAs literally have a license to - print money -- they are selling a string of bits (an X.509 - certificate) for $200US+ per year!!!I
-
- I wish that I had decided to become a CA rather that designing - and writing Shorewall.
-
- What does this mean to you? It means that the X.509 certificate - that my server will present to your browser will not have been - signed by one of the authorities known to your browser. If you - try to connect to my server using SSL, your browser will frown - and give you a dialog box asking if you want to accept the - sleezy X.509 certificate being presented by my server.
-
- There are two things that you can do:
- -
    -
  1. You can accept the mail.shorewall.net certificate when - your browser asks -- your acceptence of the certificate can - be temporary (for that access only) or perminent.
  2. - -
  3. You can download and install my - (self-signed) CA certificate. This will make my - Certificate Authority known to your browser so that it will - accept any certificate signed by me.
    -
  4. -
- What are the risks?
- -
    -
  1. If you install my CA certificate then you assume that I - am trustworthy and that Shorewall running on your firewall - won't redirect HTTPS requests intented to go to your bank's - server to one of my systems that will present your browser - with a bogus certificate claiming that my server is that of - your bank.
  2. - -
  3. If you only accept my server's certificate when prompted - then the most that you have to loose is that when you connect - to https://mail.shorewall.net, the server you are connecting - to might not be mine.
  4. -
- I have my CA certificate loaded into all of my browsers but I - certainly won't be offended if you decline to load it into - yours... :-)
-
-
-
-
- - - diff --git a/web/Shorewall_index_frame.htm b/web/Shorewall_index_frame.htm deleted file mode 100644 index 12b239352..000000000 --- a/web/Shorewall_index_frame.htm +++ /dev/null @@ -1,55 +0,0 @@ - - - - - Shorewall - - - - - -

Home
-Important Notices
-Download
-Documentation
-Support
-Mirrors
-News
-How -to Contribute
-Trac Wiki
-Other Links -
-

- - - -

-
-
Please report errors -on this site to the Webmaster -
-
-
-Shorweall Logo
-
-
-
-Get Shoreline Firewall (Shorewall) at SourceForge.net. Fast, secure and Free Open Source software downloads -
-

-
-
- - diff --git a/web/copyright.htm b/web/copyright.htm deleted file mode 100644 index 3d32b6ba2..000000000 --- a/web/copyright.htm +++ /dev/null @@ -1,43 +0,0 @@ - - - - - - - Copyright - - -

Copyright
-

-

Copyright © 2000-2009 Thomas M Eastep 
-

-

The Shorewall -Logo is the work of Gareth Davies of Thusa and is licensed under the -Creative -Commons -Attribution-Share Alike 2.5 South Africa License. To view a copy of -this -licence, visit http://creativecommons.org/licenses/by-sa/2.5/za/ -or send a -letter to Creative Commons, 171 Second Street, Suite 300, San -Francisco, -California 94105, USA.
-

-
-

Permission is granted to copy, distribute and/or -modify this document under the terms of the GNU Free Documentation -License, Version 1.1 or any later version published by the Free -Software Foundation; with no Invariant Sections, with no Front-Cover, -and with no Back-Cover Texts. A copy of the license is included in the -section entitled "GNU Free Documentation -License".

-
-
-
- - diff --git a/web/download.htm b/web/download.htm deleted file mode 100644 index 0ae2fb228..000000000 --- a/web/download.htm +++ /dev/null @@ -1,617 +0,0 @@ - - - - - Download - - - - - - -

Shorewall Download
-

-
- - - - - - - - - - - -
Package Information
-
Distribution-specific Download Sites
-
Standard Download Sites
-
Finding Updates that Correct Known Problems
-
SVN
-
Git
-
-

-
2009-08-21 -

Package Information

-

Before trying to install, we strongly urge you to read and print -a -copy -of the Shorewall QuickStart -Guide for the configuration that most closely matches your own. -

-

The documentation in both XML and HTML formats is available for -download -from the Download Sites listed in the table below.

-

NOTICE: There are three current Shorewall -Release -Series:

-
    -
  • The STABLE release series is 4.4. -Choose this release if you value stability and good documentation.
  • -
  • The prior STABLE release series is 4.2. We release updates to -this series to correct problems but usually don't make enhancements to -it. 
  • -
  • The release included with Debian Etch is 4.0. We release updates -to this series to correct security problems but usually don't make -other changes to it.
  • -
-For additional information, see this article about the Shorewall Release Model. -

In Shorewall version 4.4.*, -the Shorewall-common, Shorewall-shell and -Shorewall-perl packages are discontinued and replaced with a single Shorewall package which combines the -functions of Shorewall-common and Shorewall-perl. The shell-based -compiler is retired. So with Shorewall 4.4 onward, there are four -packages:
-

-
    -
  • Shorewall -- Includes -everything needed to create an IPv4 firewall.
  • -
  • Shorewall6 -- Requires -the Shorewall package and adds the capability to create an IPv6 -firewall.
  • -
  • Shorewall-lite -- a -light-weight Shorewall version that will run -compiled firewall scripts generated on a system with one of the -compiler packages installed.
  • -
  • Shorewall6-lite -- a -light-weight Shorewall6 version that will -run compiled firewall scripts generated on a system with Shorewall6 -installed.
  • -
-

In Shorewall version 4.2.*, -there are six packages:
-

-
    -
  • Shorewall-shell -- the -legacy Shorewall configuration compiler -written in Bourne Shell. Not recommended for new installations.
    -
  • -
  • Shorewall-perl -- an -implementation of the Shorewall -configuration compiler written in the Perl programming language. This -compiler is much faster than Shorewall-shell and produces a firewall -script that runs faster. It is the preferred compiler for new Shorewall -installations.
  • -
  • Shorewall-common -- A -base package required by both -Shorewall-shell and Shorewall-perl.
  • -
  • Shorewall-lite -- a -light-weight Shorewall version that will run -compiled firewall scripts generated on a system with one of the -compiler packages installed.
  • -
  • Shorewall6 -- Provides -/sbin/shorewall6 for controlling an IPv6 -firewall. Requires Shorewall-common and Shorewall-perl,  4.2.4 or -later.
    -
  • -
  • Shorewall6-lite -- a -light-weight Shorewall6 version that will -run compiled firewall scripts generated on a system with Shorewall6 -installed.
  • -
-

In Shorewall version 4.0.*, -there are four related -packages:

-
    -
  • Shorewall-shell -- the -legacy Shorewall configuration compiler -written in Bourne Shell. Not recommended for new installations.
    -
  • -
  • Shorewall-perl -- an -implementation of the Shorewall -configuration compiler written in the Perl programming language. This -compiler is much faster than Shorewall-shell and produces a firewall -script that runs faster. It is the preferred compiler for new Shorewall -installations.
  • -
  • Shorewall-common -- A -base package required by both -Shorewall-shell and Shorewall-perl.
  • -
  • Shorewall-lite -- a -light-weight Shorewall version that will run -compiled firewall scripts generated on a system with one of the -compiler packages installed.
  • -
-To summarize: -
    -
  • If you are installing Shorewall -4.4 or later:
  • -
      -
    • On at least one system in your network, you must install the -Shorewall package. If you need IPv6 firewalls then you must also -install the Shorewall6 package.
    • -
    • If you have a single firewall, then that system should be your -firewall system.
    • -
    • If you have more than one firewall, you may wish to install -Shorewall (and possibly Shorewall6) on a single administrative -system and install Shorewall-lite and/or Shorewall6-lite on the -firewalls. Doing so will allow for centralized administration and -configuration of the firewalls.
    • -
    -
  • If you are installing Shorewall -4.2 or earlier:
    -
  • -
      -
    • On at least one system in your network, you must install one or -both of the compilers (Shorewall-shell and/or Shorewall-perl; Shorewall-perl is highly recommended), -the -Shorewall-common package and possibly the Shorewall6 package.
    • -
    • If you only have a single firewall, then that system should be -your firewall system.
    • -
    • If you have more than one firewall, you may wish to install one -or both of the compilers on a single administrative system -and install Shorewall-lite and/or Shorewall6-lite on the firewalls. -Doing so will allow for -centralized administration and configuration of the firewalls.
    • -
    • When RPM is used to install Shorewall, the compiler -(shorewall-shell -and/or shorewall-perl) and shorewall-common must be installed in a -single execution of the -rpm utility.
    • -
    -
-

Here are the installation instructions.

-

Distribution-specific Download Sites

-

Once you've printed the appropriate QuickStart Guide, download the -appropriate Packages:

- -

You will probably also want to download the HTML version of the -documentation for easy reference.

-

Standard Download Sites

-

Use the sites below to download the -tarball, the documentation and the standard RPM -for -(SUSE, Power PPC, Trustix and TurboLinux).
-
-Packages are GPG signed, please verify the integrity of the files -using our public key https://lists.shorewall.net/shorewall.gpg.key -

-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-

SERVER LOCATION

-
-

DOMAIN

-
-

HTTP

-
-

FTP

-
-

Slovak Republic

-
-

Shorewall.net

-
-

Browse

-
-

Browse

-
-

Seattle, Washington, USA
-

-
-

Shorewall.net

-
-

Browse

-
-

Browse

-
-

Frankfurt/Main, Germany

-
-

Shorewall.de

-
-

Browse

-
-

N/A

-
Moscow, Russia
-
Shorewall.ru
-
Browse
-
Browse
-
-

Shoreline, Wa, USA

-
-

Shorewall.net

-
-

Browse

-
-

Browse

-
-

Australia
-

-
-

Shorewall.com.au

-
-

Browse

-
-

N/A

-
-

Argentina

-
-

Shorewall.net

-
-

Browse

-
-

N/A
-

-
Chicago, Illinois, USA -(Incomplete)
-
Sourceforge.net
-
BrowseN/A
-
-
-

Finding Updates that Correct Known Problems

-

Beginning with Shorewall 4.0.6, updated packages that include fixes -to -known problems are made available.

-

Example:

-
-
ftp> cd pub/shorewall/4.0/shorewall-4.0.6
250 OK. Current directory is /pub/shorewall/4.0/shorewall-4.0.6
ftp> ls
200 PORT command successful
150 Connecting to port 36018
drwxr-sr-x 4 1006 8 4096 Dec 1 08:16 .
drwxr-sr-x 9 1006 8 4096 Nov 23 08:22 ..
-rw-r--r-- 1 1006 8 194 Nov 24 07:38 4.0.6-2.md5sums
-rw-r--r-- 1 1006 8 218 Nov 24 07:38 4.0.6-2.sha1sums
-rw-r--r-- 1 1006 8 841 Nov 26 13:26 4.0.6.md5sums
-rw-r--r-- 1 1006 8 945 Nov 26 13:26 4.0.6.sha1sums
-rw-r--r-- 1 1006 8 322 Nov 26 08:35 README.txt
drwxr-xr-x 4 1006 8 4096 Nov 23 08:21 base
-rw-r--r-- 1 1006 8 1570 Dec 1 08:16 known_problems.txt
-rw-r--r-- 1 1006 8 148363 Nov 23 08:22 patch-4.0.6
-rw-r--r-- 1 1006 8 4238 Nov 24 16:49 patch-perl-4.0.6.1
-rw-r--r-- 1 1006 8 5249 Nov 29 07:38 patch-perl-4.0.6.2
...

-rw-r--r-- 1 1006 8 102295 Nov 24 07:38 shorewall-perl-4.0.6-2.noarch.rpm <=========
-rw-r--r-- 1 1006 8 99884 Nov 24 07:38 shorewall-perl-4.0.6.2.tar.bz2 <=========
-rw-r--r-- 1 1006 8 300 Nov 24 07:38 shorewall-perl-4.0.6.2.tar.bz2.asc <=========
-rw-r--r-- 1 1006 8 124814 Nov 24 07:38 shorewall-perl-4.0.6.2.tgz <=========
-rw-r--r-- 1 1006 8 300 Nov 24 07:38 shorewall-perl-4.0.6.2.tgz.asc <=========
-rw-r--r-- 1 1006 8 59124 Nov 23 08:22 shorewall-shell-4.0.6-0base.noarch.rpm
-rw-r--r-- 1 1006 8 76500 Nov 23 08:22 shorewall-shell-4.0.6.tar.bz2
-rw-r--r-- 1 1006 8 300 Nov 23 08:22 shorewall-shell-4.0.6.tar.bz2.asc
-rw-r--r-- 1 1006 8 95193 Nov 23 08:22 shorewall-shell-4.0.6.tgz
-rw-r--r-- 1 1006 8 300 Nov 23 08:22 shorewall-shell-4.0.6.tgz.asc
drwxr-sr-x 2 1006 8 4096 Nov 26 08:33 superseded
226-Options: -a -l
226 41 matches total
ftp
-
-
-

The lines flagged with <====== show that the Shorewall-perl -package has been updated to include two bug fixes (note the "-2" and -".2" in the file names). The base tarballs for the release are found in -the base -directory. The unified diff files patch-4.0.6.* -may be applied sequentially to the base (4.0.6) Shorewall-perl release -(from the base directory) to -produce -4.0.6.2. The obsoleted 4.0.6 Shorewall-perl packages may be found in -the superseded -directory. The known_problems.txt file indicates -which problems are fixed in each updated package.

-
-

SVN

-
The SVN Repository at Sourceforge is used as a -safe-store for Shorewall releases up to and including Shorewall 4.2.
-
-You should download and use the latest SVN version only at your own -risk -- please do not attempt to install Shorewall from -the SVN components; you will end up with an incomplete and non-working -installation. -

If you want to build your own packages from the SVN images, use -the build script found in tools/build/buildshorewall.

-

If you are looking for bug fixes for the current release, see above.
-
-The following SVN projects are currently active:
-

-
-
    -
  1. -
    -

    branches

    -

    This project contains sub-projects for each of the stable -releases.

    -

    The current stable version is branch named -x.y where x.y is the major version. Example: 3.4.
    -

    -

    You can download it using the following commands:
    -
    -    svn co -https://shorewall.svn.sourceforge.net/svnroot/shorewall/branches/x.y/Shorewall

    -
    -
  2. -
  3. -
    Shorewall
    -
    -
    This project contains the Shorewall code.
    -
    -
    -You can download it using the following commands:
    -
    -    svn co -https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk/Shorewall
    -
    -
  4. -
  5. -
    manpages
    -

    -Beginning with Shorewall 3,4,0, this project contains the man pages for -Shorewall. 'trunk' is the current development version.
    -
    -You can download it using the following commands:
    -
    -    svn co -https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk/manpages
    -
  6. -
  7. -
    manpages-lite
    -

    -Beginning with Shorewall 3.4.0, this project contains the man pages for -Shorewall Lite. 'trunk'  is the current development version.
    -
    -You can download it using the following commands:
    -
    -    svn co -https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk/manpages-lite
    -
  8. -
  9. -
    docs
    -
    -
    This project contains the Shorewall documenation.
    -trunk is the current development version.
    -
    -
    -You can always get the current documentation in XML Docbook format -using the following command:
    -
    -    svn co -https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk/docs
    -
  10. -
  11. -
    web
    -
    -
    The project contains the part of this Web site not included -in the "docs" project.
    -
  12. -
  13. -
    tools
    -
    -
    This project includes the tools used by the Shorewall -developers to build Shorewall releases and to publish content to the -web sites.
    -
  14. -
  15. -
    Samples
    -
    -
    This project contains the sample configurations.
    -
  16. -
  17. -
    Shorewall-lite
    -
    -
    This project contains Shorewall Lite -- introduced in -Shorewall version 3.2.0 RC1.
    -
    -
  18. -
  19. -
    Shorewall6
    -
    -
    This project contains Shorewall6 -- introduced in Shorewall -version -4.2.4.
    -
  20. -
  21. -
    Shorewall6-lite
    -
    -
    This project contains Shorewall6 Lite -- introduced in -Shorewall -version 4.2.4.
    -
  22. -
-

Git

-Beginning with Shorewall 4.3, the Shorewall project is migrating from -SVN to Git. You may browse the Shorewall -Git repository at Sourceforge.
-
-You should download and use the latest Git version only at your own -risk -- please do not attempt to install Shorewall from -the Git components; you will end up with an incomplete and non-working -installation. -

If you want to build your own packages from the Git images, use -the script found in tools/build/build44 (see http://www.shorewall.net/Build.html).
-

-If you are looking for bug fixes for the current release, see above. -To create your own copy of the repository, use this command:
-
-
git clone git://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall
-
-
-
Copyright ©  2001-2009 -Thomas M. Eastep -

Permission is granted to copy, distribute and/or modify this -document -under the terms of the GNU Free Documentation License, Version 1.2 or -any -later version published by the Free Software Foundation; with no -Invariant -Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of -the -license is included in the section entitled “GNU Free Documentation License”.

- - diff --git a/web/favicon.ico b/web/favicon.ico deleted file mode 100644 index 81822ec99..000000000 Binary files a/web/favicon.ico and /dev/null differ diff --git a/web/gnu_mailman.htm b/web/gnu_mailman.htm deleted file mode 100644 index 0c4c85cee..000000000 --- a/web/gnu_mailman.htm +++ /dev/null @@ -1,91 +0,0 @@ - - - - - - - - - - - GNU Mailman - - - -

GNU Mailman/Postfix the Easy - Way 

- Tom Eastep
- -

Copyright � 2001-2003 - Thomas M. Eastep
-
- Permission is granted to - copy, distribute and/or modify this document under the terms of - the GNU Free Documentation License, Version 1.2 or any later - version published by the Free Software Foundation; with no - Invariant Sections, with no Front-Cover, and with no Back-Cover - Texts. A copy of the license is included in the section - entitled �GNU Free Documentation License�.
-
- 2003-12-31

-
- -

The following was posted on the Postfix mailing list on - 5/4/2002 by Michael Tokarev as a suggested addition to the - Postfix FAQ.

- -

Q: Mailman does not work with Postfix, complaining about GID - mismatch
-
- A: Mailman uses a setgid wrapper that is designed to be used in - system-wide aliases file so that rest of mailman's mail - handling processes will run with proper uid/gid. Postfix has an - ability to run a command specified in an alias as owner of that - alias, thus mailman's wrapper is not needed here. The best - method to invoke mailman's mail handling via aliases is to use - separate alias file especially for mailman, and made it owned - by mailman and group mailman. Like:
-
- alias_maps = hash:/etc/postfix/aliases, - hash:/var/mailman/aliases
-
- Make sure that /var/mailman/aliases.db is owned by mailman user - (this may be done by executing postalias as mailman - userid).
-
- Next, instead of using mailman-suggested aliases entries with - wrapper, use the following:
-
- instead of
- mailinglist: /var/mailman/mail/wrapper post mailinglist
- mailinglist-admin: /var/mailman/mail/wrapper mailowner - mailinglist
- mailinglist-request: /var/mailman/mail/wrapper mailcmd - mailinglist
- ...
-
- use
- mailinglist: /var/mailman/scripts/post mailinglist
- mailinglist-admin: /var/mailman/scripts/mailowner - mailinglist
- mailinglist-request: /var/mailman/scripts/mailcmd - mailinglist
- ...

- -

The above tip works with Mailman 2.0; Mailman 2.1 has - adopted something very similar so that no workaround is - necessary. See the README.POSTFIX file included with - Mailman-2.1.
-

-
-
-
- - - diff --git a/web/images/100_0269.jpg b/web/images/100_0269.jpg deleted file mode 100644 index 9e3a0c61c..000000000 Binary files a/web/images/100_0269.jpg and /dev/null differ diff --git a/web/images/Blizzard-of-05-p1000205.jpg b/web/images/Blizzard-of-05-p1000205.jpg deleted file mode 100644 index 7b3b4b9d0..000000000 Binary files a/web/images/Blizzard-of-05-p1000205.jpg and /dev/null differ diff --git a/web/images/Blizzard-of-05-p1000206.jpg b/web/images/Blizzard-of-05-p1000206.jpg deleted file mode 100644 index b86f9c1fc..000000000 Binary files a/web/images/Blizzard-of-05-p1000206.jpg and /dev/null differ diff --git a/web/images/Blizzard-of-05-p1000207.jpg b/web/images/Blizzard-of-05-p1000207.jpg deleted file mode 100644 index 929b0ae2a..000000000 Binary files a/web/images/Blizzard-of-05-p1000207.jpg and /dev/null differ diff --git a/web/images/Blizzard-of-05-p1000208.jpg b/web/images/Blizzard-of-05-p1000208.jpg deleted file mode 100644 index 515c0f801..000000000 Binary files a/web/images/Blizzard-of-05-p1000208.jpg and /dev/null differ diff --git a/web/images/Blizzard-of-05-p1000209.jpg b/web/images/Blizzard-of-05-p1000209.jpg deleted file mode 100644 index 85c6daf67..000000000 Binary files a/web/images/Blizzard-of-05-p1000209.jpg and /dev/null differ diff --git a/web/images/Hiking1.jpg b/web/images/Hiking1.jpg deleted file mode 100644 index b3f826ad3..000000000 Binary files a/web/images/Hiking1.jpg and /dev/null differ diff --git a/web/images/Logo.png b/web/images/Logo.png deleted file mode 100644 index 7189589ee..000000000 Binary files a/web/images/Logo.png and /dev/null differ diff --git a/web/images/Logo1.gif b/web/images/Logo1.gif deleted file mode 100644 index 34b1c43fb..000000000 Binary files a/web/images/Logo1.gif and /dev/null differ diff --git a/web/images/Logo1.png b/web/images/Logo1.png deleted file mode 100644 index 05f02a0c0..000000000 Binary files a/web/images/Logo1.png and /dev/null differ diff --git a/web/images/Logo2.gif b/web/images/Logo2.gif deleted file mode 100644 index 457199c50..000000000 Binary files a/web/images/Logo2.gif and /dev/null differ diff --git a/web/images/Logo3.png b/web/images/Logo3.png deleted file mode 100644 index c92a6f7b6..000000000 Binary files a/web/images/Logo3.png and /dev/null differ diff --git a/web/images/MDKlinux.jpg b/web/images/MDKlinux.jpg deleted file mode 100644 index 92888d12c..000000000 Binary files a/web/images/MDKlinux.jpg and /dev/null differ diff --git a/web/images/ORE.jpg b/web/images/ORE.jpg deleted file mode 100644 index fd7803d2d..000000000 Binary files a/web/images/ORE.jpg and /dev/null differ diff --git a/web/images/P1000048.jpg b/web/images/P1000048.jpg deleted file mode 100644 index 01e4ebd6f..000000000 Binary files a/web/images/P1000048.jpg and /dev/null differ diff --git a/web/images/P1000049.jpg b/web/images/P1000049.jpg deleted file mode 100644 index 4531f2b6a..000000000 Binary files a/web/images/P1000049.jpg and /dev/null differ diff --git a/web/images/P1000050.jpg b/web/images/P1000050.jpg deleted file mode 100644 index 16e9b0f72..000000000 Binary files a/web/images/P1000050.jpg and /dev/null differ diff --git a/web/images/P1000244.JPG b/web/images/P1000244.JPG deleted file mode 100644 index 37561f5bb..000000000 Binary files a/web/images/P1000244.JPG and /dev/null differ diff --git a/web/images/ProtectedBy.png b/web/images/ProtectedBy.png deleted file mode 100644 index b38a0a1cd..000000000 Binary files a/web/images/ProtectedBy.png and /dev/null differ diff --git a/web/images/Proxmox.png b/web/images/Proxmox.png deleted file mode 100644 index 4b6b8214e..000000000 Binary files a/web/images/Proxmox.png and /dev/null differ diff --git a/web/images/SY00079.gif b/web/images/SY00079.gif deleted file mode 100644 index 845bc5921..000000000 Binary files a/web/images/SY00079.gif and /dev/null differ diff --git a/web/images/Shorewall_Banner.gif b/web/images/Shorewall_Banner.gif deleted file mode 100644 index 8f64d0add..000000000 Binary files a/web/images/Shorewall_Banner.gif and /dev/null differ diff --git a/web/images/Tom.jpg b/web/images/Tom.jpg deleted file mode 100644 index 3d7e78192..000000000 Binary files a/web/images/Tom.jpg and /dev/null differ diff --git a/web/images/TomNTarry.png b/web/images/TomNTarry.png deleted file mode 100644 index a38a19111..000000000 Binary files a/web/images/TomNTarry.png and /dev/null differ diff --git a/web/images/TotemCompletePlain.png b/web/images/TotemCompletePlain.png deleted file mode 100644 index 956020075..000000000 Binary files a/web/images/TotemCompletePlain.png and /dev/null differ diff --git a/web/images/TotemCompletePlain.svg b/web/images/TotemCompletePlain.svg deleted file mode 100644 index 8990b91b6..000000000 --- a/web/images/TotemCompletePlain.svg +++ /dev/null @@ -1,2373 +0,0 @@ - - - - - - - image/svg+xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - TuxTotem is a TradeMark of LinuxFest Northwest - diff --git a/web/images/Vexira_Antivirus_Logo.gif b/web/images/Vexira_Antivirus_Logo.gif deleted file mode 100644 index 7c8b182b6..000000000 Binary files a/web/images/Vexira_Antivirus_Logo.gif and /dev/null differ diff --git a/web/images/alz_logo2.gif b/web/images/alz_logo2.gif deleted file mode 100644 index e800214ec..000000000 Binary files a/web/images/alz_logo2.gif and /dev/null differ diff --git a/web/images/apache_pb1.gif b/web/images/apache_pb1.gif deleted file mode 100644 index 65fb3506d..000000000 Binary files a/web/images/apache_pb1.gif and /dev/null differ diff --git a/web/images/but3.png b/web/images/but3.png deleted file mode 100644 index 25997e886..000000000 Binary files a/web/images/but3.png and /dev/null differ diff --git a/web/images/cache_now.gif b/web/images/cache_now.gif deleted file mode 100644 index 751f13384..000000000 Binary files a/web/images/cache_now.gif and /dev/null differ diff --git a/web/images/clamav-logo.png b/web/images/clamav-logo.png deleted file mode 100644 index ae37429fb..000000000 Binary files a/web/images/clamav-logo.png and /dev/null differ diff --git a/web/images/compaq.gif b/web/images/compaq.gif deleted file mode 100644 index 25047d94d..000000000 Binary files a/web/images/compaq.gif and /dev/null differ diff --git a/web/images/courier-imap.png b/web/images/courier-imap.png deleted file mode 100644 index a57e1708e..000000000 Binary files a/web/images/courier-imap.png and /dev/null differ diff --git a/web/images/debian.jpg b/web/images/debian.jpg deleted file mode 100644 index db62d7a03..000000000 Binary files a/web/images/debian.jpg and /dev/null differ diff --git a/web/images/dyndns_anim2.gif b/web/images/dyndns_anim2.gif deleted file mode 100644 index cdfd02f46..000000000 Binary files a/web/images/dyndns_anim2.gif and /dev/null differ diff --git a/web/images/g2679.png b/web/images/g2679.png deleted file mode 100644 index 8a457ccf5..000000000 Binary files a/web/images/g2679.png and /dev/null differ diff --git a/web/images/gareth-davies-logo3.png b/web/images/gareth-davies-logo3.png deleted file mode 100644 index 8a457ccf5..000000000 Binary files a/web/images/gareth-davies-logo3.png and /dev/null differ diff --git a/web/images/gareth-davies-logo3_88x31.png b/web/images/gareth-davies-logo3_88x31.png deleted file mode 100644 index 3e97e3b63..000000000 Binary files a/web/images/gareth-davies-logo3_88x31.png and /dev/null differ diff --git a/web/images/j0213519.gif b/web/images/j0213519.gif deleted file mode 100644 index ac0a94d1d..000000000 Binary files a/web/images/j0213519.gif and /dev/null differ diff --git a/web/images/j0233056.gif b/web/images/j0233056.gif deleted file mode 100644 index ee6bb6cc6..000000000 Binary files a/web/images/j0233056.gif and /dev/null differ diff --git a/web/images/leaflogo.gif b/web/images/leaflogo.gif deleted file mode 100644 index 11ad3c381..000000000 Binary files a/web/images/leaflogo.gif and /dev/null differ diff --git a/web/images/leaflogo.jpg b/web/images/leaflogo.jpg deleted file mode 100644 index 1238bbba3..000000000 Binary files a/web/images/leaflogo.jpg and /dev/null differ diff --git a/web/images/linux_powered.gif b/web/images/linux_powered.gif deleted file mode 100644 index a40d352f9..000000000 Binary files a/web/images/linux_powered.gif and /dev/null differ diff --git a/web/images/logo-sm.jpg b/web/images/logo-sm.jpg deleted file mode 100644 index 94a4c0112..000000000 Binary files a/web/images/logo-sm.jpg and /dev/null differ diff --git a/web/images/logo2.png b/web/images/logo2.png deleted file mode 100644 index 931d9eb7d..000000000 Binary files a/web/images/logo2.png and /dev/null differ diff --git a/web/images/medbutton.png b/web/images/medbutton.png deleted file mode 100644 index 50ba0efb2..000000000 Binary files a/web/images/medbutton.png and /dev/null differ diff --git a/web/images/netfilterlogo.png b/web/images/netfilterlogo.png deleted file mode 100644 index 99e9b93fd..000000000 Binary files a/web/images/netfilterlogo.png and /dev/null differ diff --git a/web/images/new10.gif b/web/images/new10.gif deleted file mode 100644 index 01c8c8769..000000000 Binary files a/web/images/new10.gif and /dev/null differ diff --git a/web/images/newlog.gif b/web/images/newlog.gif deleted file mode 100644 index e07218d63..000000000 Binary files a/web/images/newlog.gif and /dev/null differ diff --git a/web/images/ninjalogo.png b/web/images/ninjalogo.png deleted file mode 100644 index 64f9957d2..000000000 Binary files a/web/images/ninjalogo.png and /dev/null differ diff --git a/web/images/obrasinf.gif b/web/images/obrasinf.gif deleted file mode 100644 index 09bf635a0..000000000 Binary files a/web/images/obrasinf.gif and /dev/null differ diff --git a/web/images/ol600_01mic.png b/web/images/ol600_01mic.png deleted file mode 100644 index fdaec5aad..000000000 Binary files a/web/images/ol600_01mic.png and /dev/null differ diff --git a/web/images/openlogo-nd-50.png b/web/images/openlogo-nd-50.png deleted file mode 100644 index 411c9d964..000000000 Binary files a/web/images/openlogo-nd-50.png and /dev/null differ diff --git a/web/images/openwrt.png b/web/images/openwrt.png deleted file mode 100644 index 842c5698d..000000000 Binary files a/web/images/openwrt.png and /dev/null differ diff --git a/web/images/opera.png b/web/images/opera.png deleted file mode 100644 index e32c17472..000000000 Binary files a/web/images/opera.png and /dev/null differ diff --git a/web/images/p1000221-600-800.jpg b/web/images/p1000221-600-800.jpg deleted file mode 100644 index e5b20016d..000000000 Binary files a/web/images/p1000221-600-800.jpg and /dev/null differ diff --git a/web/images/penguin_in_red_compaq_racer.gif b/web/images/penguin_in_red_compaq_racer.gif deleted file mode 100644 index c850a9dbc..000000000 Binary files a/web/images/penguin_in_red_compaq_racer.gif and /dev/null differ diff --git a/web/images/penquin_in_blue_racer_sm2.gif b/web/images/penquin_in_blue_racer_sm2.gif deleted file mode 100644 index e8e858e5c..000000000 Binary files a/web/images/penquin_in_blue_racer_sm2.gif and /dev/null differ diff --git a/web/images/postfix-white.gif b/web/images/postfix-white.gif deleted file mode 100644 index 16389b29e..000000000 Binary files a/web/images/postfix-white.gif and /dev/null differ diff --git a/web/images/poweredby.png b/web/images/poweredby.png deleted file mode 100644 index 616a8400f..000000000 Binary files a/web/images/poweredby.png and /dev/null differ diff --git a/web/images/poweredbycompaqlog0.gif b/web/images/poweredbycompaqlog0.gif deleted file mode 100644 index ff021ce67..000000000 Binary files a/web/images/poweredbycompaqlog0.gif and /dev/null differ diff --git a/web/images/pure.jpg b/web/images/pure.jpg deleted file mode 100644 index c1531ad3a..000000000 Binary files a/web/images/pure.jpg and /dev/null differ diff --git a/web/images/pureftp-d.jpg b/web/images/pureftp-d.jpg deleted file mode 100644 index c6f5e751b..000000000 Binary files a/web/images/pureftp-d.jpg and /dev/null differ diff --git a/web/images/razor.gif b/web/images/razor.gif deleted file mode 100644 index 1dfd32450..000000000 Binary files a/web/images/razor.gif and /dev/null differ diff --git a/web/images/sf_logo_metal2.jpg b/web/images/sf_logo_metal2.jpg deleted file mode 100644 index 2f9e8d05e..000000000 Binary files a/web/images/sf_logo_metal2.jpg and /dev/null differ diff --git a/web/images/sflogo.png b/web/images/sflogo.png deleted file mode 100644 index b2a9e99c5..000000000 Binary files a/web/images/sflogo.png and /dev/null differ diff --git a/web/images/shorewall.jpg b/web/images/shorewall.jpg deleted file mode 100644 index 0d70c605b..000000000 Binary files a/web/images/shorewall.jpg and /dev/null differ diff --git a/web/images/shorewallicon.png b/web/images/shorewallicon.png deleted file mode 100644 index cbd202d43..000000000 Binary files a/web/images/shorewallicon.png and /dev/null differ diff --git a/web/images/small-picture.gif b/web/images/small-picture.gif deleted file mode 100644 index d8c86fc1b..000000000 Binary files a/web/images/small-picture.gif and /dev/null differ diff --git a/web/images/squidnow.gif b/web/images/squidnow.gif deleted file mode 100644 index c026d12d7..000000000 Binary files a/web/images/squidnow.gif and /dev/null differ diff --git a/web/images/totem350a.png b/web/images/totem350a.png deleted file mode 100644 index a6191a48c..000000000 Binary files a/web/images/totem350a.png and /dev/null differ diff --git a/web/images/washington.jpg b/web/images/washington.jpg deleted file mode 100644 index 3b2a95694..000000000 Binary files a/web/images/washington.jpg and /dev/null differ diff --git a/web/index.htm b/web/index.htm deleted file mode 100644 index 1102d9d0a..000000000 --- a/web/index.htm +++ /dev/null @@ -1,22 +0,0 @@ - - - -Shoreline Firewall - - - - - - - - - -<body><p>This page uses frames, but your browser doesn't -support them.</p></body> - diff --git a/web/mailing_list.htm b/web/mailing_list.htm deleted file mode 100644 index 5590cd965..000000000 --- a/web/mailing_list.htm +++ /dev/null @@ -1,124 +0,0 @@ - - - - - - - - - Shorewall Mailing Lists - - - -

Old Shorewall Mailing List Archives
-

-Tom Eastep
-
-Copyright 2001-2005 Thomas M. Eastep
-
-
-
-

Permission is granted to copy, distribute and/or modify this -document under the terms of the GNU Free Documentation License, Version -1.2 or any later version published by the Free Software Foundation; -with no Invariant Sections, with no Front-Cover, and with no Back-Cover -Texts. A copy of the license is included in the section entitled �GNU Free -Documentation License�.

-
-
-
-

2005-08-14
-

-
-

See the Shorewall -Website for Shorewall information and documentation.

-

Table of Contents

- - -
-

Old Mailing List Archives Search

- - - - - - -
-
-
- - - - - - -
Google
-
-
-
-
-

Shorewall Users Mailing List -Archives
-

-

The Shorewall Users Mailing list provides a way for -users to get answers to questions and to report problems. Information -of general interest to the Shorewall user community is also posted to -this list.
-

-

The list archives are at pipermail/shorewall-users.

-
-

Shorewall Announce Mailing List

-The list archives are at pipermail/shorewall-announce. -
-

Shorewall Development Mailing List

-

The list archives are at pipermail/shorewall-devel.
-

-
-

Shorewall Newbies Mailing List -(Closed)
-

-This list previously provided a place where people who are new to -Shorewall could get questions answered and could receive help with -problems. It proved to be less that a success and has been discontinued.
-

The list archives are at -pipermail/shorewall-newbies.

-
-

Frustrated by having to -Rebuild Mailman to use it with Postfix?

-

Check out these instructions

-
- - diff --git a/web/oldnews.html b/web/oldnews.html deleted file mode 100644 index 685f1a79a..000000000 --- a/web/oldnews.html +++ /dev/null @@ -1,9891 +0,0 @@ - - - - Old News - - - -2007-02-10 Shorewall 3.2.9
-
-
Problems Corrected in 3.2.9

1) While most distributions store the Shorewall Lite compiled program
in /var/lib/shorewall-lite/, Shorewall includes features that allow
that location to be changed on a per-distribution basis. The
default for a particular distribution may be determined by the
command "shorewall[-lite] show config".

teastep@lists:~/shorewall/trunk$ shorewall show config
Default CONFIG_PATH is /etc/shorewall:/usr/share/shorewall
LITEDIR is /var/lib/shorewall-lite
teastep@lists:~/shorewall/trunk$

The LITEDIR setting is the location where the compiled script
should be placed. Unfortunately, the "shorewall [re]load" command
previously used the setting on the administrative system rather
than the one from the firewall system so it was possible for that
command to upload the compiled script to the wrong directory.

To work around this problem, Shorewall now determines the LITEDIR
setting on the firewall system and uses that setting for uploading
the compiled script and its companion .conf file.

2) Previously, IP ranges and ipset names were handled incorrectly in
the last column of the maclist file with the result that run-time
errors occured.

3) The new SIP and H323 Netfilter helper modules were not being
automatically loaded by Shorewall. They have now been added to the
/usr/share/shorewall[-lite]/modules files.

Other Changes in 3.2.9

1) Previously, 'ipsecnat' tunnels allowed AH traffic by default
(unless 'isecnat:noah' was given). Given that AH is incompatible
with nat-traversal, 'ipsecnat' now implies 'ipsecnat:noah'.

2) A macro that handles SixXS has been contributed by Christian
Roessner.

3) It is rather difficult to code a 'params' file that assigns other
than constant values such that it works correctly with Shorewall
Lite. To work around this problem, a new EXPORTPARAMS option
has been added to shorewall.conf. When EXPORTPARAMS=No, the
'params' file is no longer copied to the compiler output.

With EXPORTPARAMS=No, if you need to set environmental variables on
the firewall system for use by your extension scripts, then do so
in the init extension script.

The default is EXPORTPARAMS=Yes to retain the current behavior. So
if you are happy with the current behavior, you need make no change
to your shorewall.conf file.
-
-style="font-weight: -bold;">2007-01-16 Shorewall 3.2.8
-
-
Problems Corrected in 3.2.8

1) The 'ash' shell produced an error when processing an entry with a
log tag from /etc/shorewall/rules.

2) If the file /etc/shorewall/init did not exist, then the compiler
would incorrectly copy /usr/share/shorewall/init into the
compiled script. /usr/share/shorewall/init is a symbolic link
to the Shorewall init script (usually /etc/init.d/shorewall).

3) Previously, "ipp2p:udp" was incorrectly rejected in the PROTO
column of an action definition.

Other Changes in 3.2.8.

1) New macros for network printing protocols have been added,
courtesy of Tuomo Soini. Tuomo also provided a macro for TFTP.

The print-oriented macros are:

macro.IPP
macro.Jetdirect
macro.Printer
- -
-
-
2006-12-14 Shorewall 3.2.7
-
Problems Corrected in 3.2.7

1) Handling of saved ipsets in /etc/shorewall/ipsets is broken when
used on a system running Shorewall Lite. If there is a file named
'ipsets' on the CONFIG_PATH when the firewall script is compiled,
then the compiled script attempts to restore the ipsets from that
file (which may not exist on the firewall system).

2) The 'try' command failed on systems whose /bin/sh is Busybox ash:

/sbin/shorewall: export: 2158: Illegal option -n

3) Previously, Shorewall has assumed that the root user is named
'root'. Beginning with this release, the root user may have a
different name. This required the addition of an '-r' option for
the 'shorewall load' and 'shorewall reload' commands.

[re]load [ -e ] [ -c ] [ -r <root user> ] [ <dir> ] system

Example: shorewall reload -r foobar firewall

4) On systems with a light-weight shell such as ash or dash for /bin/sh,
the output of "shorewall show macros" was garbled.

Other Changes in 3.2.7

1) Prior to this release, on firewall systems with Shorewall Lite
installed, the local modules file is used to determine which kernel
modules to load. Beginning with this release, if there is a
'modules' file in the export directory when the firewall script is
compiled, then that file will be copied into the compiled script
and used on the firewall system.

2) When syslogd is run with the -C option (which in some
implementations causes syslogd to log to an in-memory circular
buffer), /sbin/shorewall will now use the 'logread' command to read
the log from that buffer. This is for combatibility with OpenWRT.

3) Failures of the start, restart and restore commands are now logged
using 'logger'. These failures are logged with the 'kern' facility
and 'err' priority. As part of this change, normal state changes
are now logged with the 'kern' facility and 'info' priority.
- -
-2006-11-18 Shorewall 3.2.6
-
-
Problems Corrected in 3.2.6.

1) When using a light-weight shell (e.g., ash) with multiple
providers, the /etc/iproute2/rt_tables database may become corrupted.

2) A startup error occurred when the LENGTH or TOS column was
non-empty in /etc/shorewall/tcrules.

3) A startup error resulted when whitespace as included in LOGFORMAT.

4) Previously, when conntrack match support was not available, the
'norfc1918' option on an interface or host group was incorrectly
filtering IPSEC traffic whose source IP address was reserved by RFC
1918.

5) If a DNAT or REDIRECT rule was used where the effective policy
between the source and final destination zones is ACCEPT, the ACCEPT
part of the rule was not generated. This was intended as an
optimizaiton but it could lead to confusing results if there was a
DROP or REJECT rule following.

This optimization has been removed. You may always use DNAT- and
REDIRECT- to suppress generation of the ACCEPT rule.

6) Shorewall[-lite] previously would return an error exit status to a
"start" command where Shorewall was already running. It not returns
a "success" status.

7) The install.sh scripst have been corrected to work properly when
used to create packages on Slackware and Arch Linux.

5) A change in version 3.2.5 broke Mac Filtration in some
cases. Result was:

Setting up MAC Filtration -- Phase 1...
iptables v1.3.6: policy match: invalid policy `--dir'
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/sbin/iptables -A eth1_fwd -s 0.0.0.0/0 -m state
--state NEW -m policy --pol --dir in -j eth1_mac" Failed

6) At VERBOSITY 1 and higher, the 'shorewall add' and 'shorewall
delete' commands generated a fractured message. The message
contents depended in the setting of IPSECFILE as follows:

IPSECFILE=ipsec

ipsec...

IPSECFILE=zones

IPSEC...

The messages have been corrected and are only produced at VERBOSITY
2 and higher as follows:

IPSECFILE=ipsec

Processing /etc/shorewall/ipsec...

IPSECFILE=zones

Processing IPSEC...

7) Previously, when <action>:none appeared in a rule, the name of the
action chain created was preceded by "%" and might have a one- or
two-digit number appended. If both <action> and <action>:none
appeared, then two chains were created. This has been corrected
such that <action> and <action>:none are treated identically.

8) If SAVE_IPSETS=Yes in shorewall.conf, the "shorewall[-lite] save"
command produced error messages as follows:

Dynamic Rules Saved
Currently-running Configuration Saved to /var/lib/shorewall/restore
grep: /var/lib/shorewall/restore-base: No such file or directory
grep: /var/lib/shorewall/restore-base: No such file or directory
Current Ipset Contents Saved to
/var/lib/shorewall/restore-ipsets

9) If BRIDGING=No in shorewall.conf, then an attempt to define a zone
using ipsets fails as follows:

ERROR: BRIDGING=Yes is needed for this zone definition: z eth0:+iset

Other Changes in 3.2.6.

1) The "shorewall [re]load" command now supports a "-c" option.

Example:

shorewall reload -c gateway

When -c is given, Shorewall will capture the capabilities of the
remote system to a file named "capabilities" in the export
directory before compiling the configuration.

If the file "capabilities" does not currently exist in the
export directory then "-c" is automatically assumed.

2) If 0 (zero) is specified for the IN-BANDWIDTH in
/etc/shorewall/tcdevices then no ingress qdisc will be created for
the device.
- -
-2006-10-28 Shorewall 3.2.5
-
-
Problems Corrected in 3.2.5

1) Entries such as the following in /etc/shorewall/masq generate a
run-time error:

eth0 eth1!192.168.1.12 206.124.146.176

Omitting the exclusion (!192.168.1.12) avoids the error.

2) Previously, the 'provider' portion of the packet mark was not being
cleared after routing for traffic that originates on the firewall
itself.

3) In prior releases, it was not possible to mark an outgoing packet
with a high mark (HIGH_ROUTE_MARKS=Yes) when the packet originated
on the firewall itself.

4) The detected capabilities were not displayed by 'shorewall dump'
when the effective VERBOSITY was less than 2.

Other changes in 3.2.5

1) For users whose kernel and iptables have Extended MARK Target
support, it is now possible to logically AND or OR a value into the
current packet mark by preceding the mark value (and optional mask)
with an ampersand ("&") or vertical bar ("|") respectively.

Example: To logically OR the value 4 into the mark value for
packets from 192.168.1.1:

#MARK SOURCE
|4 192.168.1.1

2) A new macro (macro.RDP) has been added for Microsoft Remote
Desktop. This macro was contributed by Tuomo Soini.

3) A new 'maclog' extension file has been added. This file is
processed just before logging based on the setting of
MACLIST_LOG_LEVEL is done. When the script is copyied at compile
time, the CHAIN variable will contain the name of the chain where
rules should be inserted. Remember that if you have specified
MACLIST_TABLE=mangle, then your run_iptables commands should
include "-t mangle".

4) Beginning with this release, Shorewall and Shorewall lite will
share the same change log and release notes.
- -
-2006-10-6 Shorewall 3.0.9
-
-
Problems corrected in 3.0.9

1) When using a light-weight shell like ash or dash, "shorewall
[re]start" fails when using the built-in traffic shaper. The error
messages resemble these:

local: 3: eth0:: bad variable name
ERROR: Command "tc class add dev eth0 parent 1: classid 1:1 htb rate 800kbit mtu" Failed

2) The output formating of the 'hits' command under BusyBox 1.2.0 has
been corrected.

3) In prior versions, setting 'mss=' in /etc/shorewall/zones did not
affect traffic to/from the firewall zone. That has been corrected.

4) Previously, using IP address ranges in the accounting file could
cause non-fatal iptables errors during shorewall [re]start.

Other changes in 3.0.9

1) It is now possible to use the special value 'detect' in the ADDRESS
column of /etc/shorewall/masq. This allows you to specify SNAT (as
opposed to MASQUERADE) without having to know the ip address of the
external interface. Shorewall must be restarted each time that the
external address (the address of the interface named in the
INTERFACE column) changes.

2) Experimental optimization for PPP devices has been added to the
providers file. If you omit the GATEWAY column for a ppp device (or
enter "-" in the column) then Shorewall will generate routes
for the named INTERFACE that do not specify a gateway IP address
(the peer address will be assumed).

3) Normally, Shorewall tries to protect users from themselves by
preventing PREROUTING and OUTPUT tcrules from being applied to
packets that have been marked by the 'track' option in
/etc/shorewall/providers.

If you really know what you are doing and understand packet marking
thoroughly, you can set TC_EXPERT=Yes in shorewall.conf and
Shorewall will not include these cautionary checks.

4) Previously, CLASSIFY tcrules were always processed out of the
POSTROUTING chain. Beginning with this release, they are processed
out of the POSTROUTING chain *except* when the SOURCE is
$FW[:<address>] in which case the rule is processed out of the
OUTPUT chain.
- -
-2006-09-27 Shorewall 3.2.4
-
-
Shorewall Problems corrected in 3.2.4

1) Previously, the directory name in the command "shorewall start
<directory name>" was being dropped by "/sbin/shorewall".

2) Previous, when /usr/share/shorewall/xmodules had been copied to
/etc/shorewall/modules, Shorewall was not looking in the correct
directory for the "xt_..." modules. There are two parts to the fix:

- The /usr/share/shorewall/xmodules file has been removed. The
/usr/share/shorewall/modules file will now load all required
modules regardless of which kernel version you are running.
- The MODULESDIR option can now contain a colon-separated list of
directories to search for modules with the default being:

/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter

3) Rules in /etc/shorewall/tos which specify zones defined
using entries in /etc/shorewall/hosts applied to all traffic
to/from the zone interfaces (the bridge port, ipset or IP
address(es) in the zone definition were ignored).

4) Previously, 'shorewall-lite dump' did not report traffic shaping
information even if TC_ENABLED was set to Yes or Internal in the
shorewall.conf file used to compile the exported firewall script.

To correct this problem, the firewall script must be recompiled and
re-exported.

5) Previously, errors during the compile phase were not reflected in
the exit status of /sbin/shorewall. Thanks to Tuomo Soini for
finding and correcting this problem.

Other Shorewall changes in 3.2.4

1) Previously, scripts compiled for export (-e option) depended on
/usr/share/shorewall-lite/functions in order to run correctly. This
made it possible for a compiled script to be incompatible with the
version of Shorewall Lite installed on a firewall system.

Beginning with Shorewall 3.2.4, this dependency is removed such
that version incompatibility between Shorewall and Shorewall Lite
should not be a concern going forward.

2) Two new macros have been added, courtesy of Tuomo Soini

macro.Finger
macro.Telnets

3) The output of "shorewall show macros" has been enhanced to show
macros in each directory in the CONFIG_PATH.

Shorewall Lite problems corrected in 3.2.4

1) Previous, when /usr/share/shorewall-lite/xmodules had been copied to
/etc/shorewall-lite/modules, Shorewall was not looking in the correct
directory for the "xt_..." modules. There are two parts to the fix:

- The /usr/share/shorewall-lite/xmodules file has been removed. The
/usr/share/shorewall-lite/modules file will now load all required
modules regardless of which kernel version you are running.
- The MODULESDIR option can now contain a colon-separated list of
directories to search for modules with the default being:

/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname
-r)/kernel/net/netfilter

/usr/share/shorewall-lite/modules contains a *lot* of modules. If
you use module autoloading (which non-embedded Linux distributions
do), then you can improve your "shorewall [re]start" time by
trimming all but the helper modules from the file. To do that,
create the file /etc/shorewall-lite/modules with the following
entries:

loadmodule ip_conntrack_amanda
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_irc
loadmodule ip_conntrack_netbios_ns
loadmodule ip_conntrack_pptp
loadmodule ip_conntrack_tftp
loadmodule ip_nat_amanda
loadmodule ip_nat_ftp
loadmodule ip_nat_irc
loadmodule ip_nat_pptp
loadmodule ip_nat_snmp_basic
loadmodule ip_nat_tftp

Other Shorewall Lite changes in 3.2.4

None.
- -
-2006-08-26 Shorewall 3.2.3
-
-
Shorewall Problems Corrected in 3.2.3

1) A problem in 'install.sh' resulted in sandbox violations on
Gentoo and, when Shorewall is installed using an RPM, the problem
caused an incorrect copy of shorewall.conf to be installed in
/usr/share/shorewall/configfiles/.

2) A typo in the functions file caused startup errors when the user's
distribution did not support a true mktemp program (such as
Bering Uclibc). Patch courtesy of Cédric Schieli.

3) Several erroneous references to ip_addr_del() were made in
/var/lib/shorewall/compiler and in the code that it generates.

a) These should have been references to del_ip_addr()
b) One of the calls also had an incorrect parameter list.

4) Previously, "shorewall check -e" would erroneously attempt to
detect interfaces configured for traffic shaping.

5) SUBSYSLOCK functionality has been restored.

6) In prior versions, setting 'mss=' in /etc/shorewall/zones did not
affect traffic to/from the firewall zone. That has been corrected.

7) When /sbin/shorewall was run under BusyBox ash, shell errors would
occur if certain command options were given.

8) Previously, the 'optional' provider option did not detect the case
where the interface was DOWN but still had a configured IP
address. Shorewall was detecting such interfaces as UP and later
'ip replace route' commands would fail.

It should also be clarified that the 'optional' option is intended
to detect cases where a provider interface is in a state that would
cause 'shorewall [re]start' to fail; it is not intended to
determine whether communication is possible using the interface.

9) Previously, the "shorewall add" command would fail with error
messages indicating that the commands "chain_exists" and
"verify_hosts_file" could not be found.

10) Using earlier Shorewall versions, the following sequence of
commands produced inconsistant results:

a) shorewall [re] start
b) Modify /etc/shorewall/tcdevices and/or /etc/shorewall/tcclasses
c) shorewall refresh
d) shorewall save
e) shorewall restore (or reboot and shorewall start -f during boot
up)

After that series of commands, the state of traffic shaping was as
it was after step a) rather than as it was after step c). The fix
involved re-implementing 'shorewall refresh' as a compile/execute
procedure similar to [re]start. While the entire configuration is
recompiled, only ecn, blacklisting, tcrules and traffic control
will be updated in the running configuration.

11) DNAT rules generated under DETECT_DNAT_IPADDRS=Yes may have been
incorrect with the result that the rules didn't work at all.

Other Shorewall changes in 3.2.3

1) A 'shorewall export' command has been added.

shorewall export [ <directory1> ] [user@]<system>:[<directory2>]

If <directory1> is omitted, then the current working directory is
assumed.

Causes the shorewall configuration in <directory1> to be compiled
into a program called '<directory1>/firewall'. If compilation is
successful, the '<directory1>/firewall' script is copied via scp
to the specified <system>.

Example:

shorewall export admin@gateway:

This command would compile the configuration in the current working
directory then copy the 'firewall' (and 'firewall.conf') files to
admin's home directory on system 'gateway'.

2) Normally, Shorewall tries to protect users from themselves by
preventing PREROUTING and OUTPUT tcrules from being applied to
packets that have been marked by the 'track' option in
/etc/shorewall/providers.

If you really know what you are doing and understand packet marking
thoroughly, you can set TC_EXPERT=Yes in shorewall.conf and
Shorewall will not include these cautionary checks.

3) Previously, CLASSIFY tcrules were always processed out of the
POSTROUTING chain. Beginning with this release, they are processed
out of the POSTROUTING chain *except* when the SOURCE is
$FW[:<address>] in which case the rule is processed out of the
OUTPUT chain.

See the Migration Considerations section for further information.

4) Previously, if you specified 'detectnets' on an interface with a
default route, Shorewall would ignore the default route with a
warning message. This could lead to systems that were inaccessible
from the net, even from systems listed in the 'routestopped' file.

Specifying 'detectnets' on an interface with a default route now
generates a fatal error.

Shorewall Lite problems corrected in 3.2.3

1) A typo in /usr/share/shorewall-lite/functions caused startup errors
on distributions like Bering Uclibc that don't have a true mktemp
utility.

Other Shorewall Lite changes in 3.2.3

None.
- -
-2006-08-10 Shorewall 3.2.2
- -
Problems corrected in 3.0.8

1) If the 'upnp' interface option was specified on one or more
interfaces but no forwardUPnP rule was included, the following
diagnostic messages were issued:

WARNING:Missing forwardUPnP rule (required by 'upnp' interface option on
eth0)
ERROR: Fatal error in find_logactionchain

Given that the fatal error message is obscure if the first WARNING
isn't noticed, the ERROR message has been eliminated with the
result that Shorewall now starts but won't handle UPnP properly.

2) If BRIDGING=No in shorewall.conf, then an entry in
/etc/shorewall/hosts such as the following would result in an
obscure failure of an iptables command:

loc br0:eth0

Shorewall now detects this case and issues a more helpful error
message:

ERROR: BRIDGING=Yes is required for this zone definition: loc br0:eth0

3) Users of the Multi-ISP feature may experience this error during startup:

/usr/share/shorewall/firewall: line 1393: 20000 + (1 - 1) * 256 +
$rulenum : syntax error: operand expected (error token is
"$rulenum ")

4) A more useful diagnostic is now given when a command fails during
setup of traffic shaping.

5) Shorewall now checks to see if devices in /etc/shorewall/tcdevices
exist. If a device does not exist, a warning message is issued and
that device's entries in /etc/shorewall/tcclasses are ignored. This
applies to "shorewall start", "shorewall restart" and "shorewall
refresh".

6) It is now possible to exclude a single source MAC address using
!<MAC address>. Previously, a startup error occurred.

7) Shorewall would use the incorrect shell for compilation in the
following case:

8) Reporting of the "Mangle FORWARD Chain" capability was broken. While
Shorewall correctly detected and used the capability, the output of
"shorewall show capabilities" and "shorewall dump" showed the
capability as "Not Available".

9) Extension scripts for policy chains (chains with the word 'all' in
their name) were not being run previously.

-Tom
- -
-2006-07-24 End of support for Shorewall -2.4
-
-
Support for Shorewall 2.4 has ended. As always, we will try to help you
with your problems but I personally will not spend any time reading old
code trying to solve your problem and I will not provide patches for any
bugs found in versions earlier than 3.0.
- -
-2006-07-21 Shorewall 3.2.1
-
-
Problems Corrected in Shorewall 3.2.1:

1) The output formatting of the 'hits' command under BusyBox 1.2.0 has
been corrected.

2) Shorewall no longer requires extended MARK support to use the 'track'
provider option when HIGH_ROUTE_MARKS=No.

3) The output of the 'hits' command was previously scrambled if
/etc/services contained spaces as column delimiters rather than
tabs.

4) The /usr/share/shorewall/xmodules file was previously just a copy
of /usr/share/shorewall/modules.

5) The version number in the comments at the top of shorewall.conf has
been corrected.

6) The script generated when the -e option is given to the 'compile'
command is setting CONFIG_PATH to the value given in the remote
firewall's shorewall.conf processed at compile time. This is
generally incorrect and results in the inability to load any kernel
modules on the firewall during 'shorewall-lite [re]start'.

Problems Corrected in Shorewall Lite 3.2.1:

1) The output formatting of the 'hits' command under BusyBox 1.2.0 has
been corrected.

2) The output of the 'hits' command was previously scrambled if
/etc/services contained spaces as column delimiters rather than
tabs.

3) The /usr/share/shorewall-lite/xmodules file was previously just a
copy of /usr/share/shorewall-lite/modules.

4) The version number in the comments at the top of shorewall.conf has
been corrected.
- -
-2006-07-19 Shorewall bridge/firewall support -change upcoming
-
-
I regret to announce that Shorewall bridge/firewall support in its
current form (BRIDGING=Yes in shorewall.conf) is going away. I will
retain the code in Shorewall for the foreseeable future but users
migrating to new kernels coming out next year will find that their
current bridge configurations no longer work. Shorewall bridge/firewall
users upgrading to more immediate new kernel releases (possibly as early
as 2.6.18) will find Netfilter warning messages appearing in their
kernel log when Shorewall [re]starts.

The reason that this support is going away is that the underlying
Netfilter feature that BRIDGING=Yes depends on (physdev match) is being
reduced in scope to the point that it will no longer be possible to use
that feature for Shorewall zone definition. There is a significant list
of pending Netfilter bug reports than cannot be resolved so long as
'physdev match' works the way that it does today.

While 'physdev match' was a great idea in terms of the function that it
provides, it appears impossible to implement that function without
breaking other parts of the greater Linux IP stack; in short, 'physdev
match' in its current form should never have been released in the first
place.

So -- what can current Shorewall bridge/firewall users do?
-----------------------------------------------------------------------
a) Configure Shorewall as if you have a simple bridge
(http://www.shorewall.net/SimpleBridge.html) and use ebtables to filter
traffic in and out of the individual bridge ports.

b) Configure Shorewall so that you specifically enumerate the IP
addresses of the hosts connected to all but one of the bridge ports.

Example where br0 connects to 192.168.1.0/24:

/etc/shorewall/shorewall.conf

BRIDGING=<doesn't matter>

/etc/shorewall/zones

z1 ipv4
z2 ipv4

/etc/shorewall/interfaces

- br0 detect routeback

/etc/shorewall/hosts:

z1 br0:192.168.1.1-192.168.1.15,192.168.1.18,...
z2 br0:192.168.1.0/24

In other words, explicitly specify the hosts in the first zone listed
in /etc/shorewall/zones (z1 in the above example) then simply specify
the entire network for the second zone. If the second zone contains your
default gateway, then you would enter 0.0.0.0/0 rather than
192.168.1.0/24.

I will expand these instructions into an article on the web site just as
soon as I find the time.

c) If you have ipset support, you can take the same approach as in b)
above but define 'z1' using one or more ipsets rather than with an
explicit lists of network/host IP addresses. That will generally result
in a smaller ruleset.
-----------------------------------------------------------------------
I realize that the options available to you are more cumbersome to
configure and maintain than what you have today but at the moment, I see
no alternatives. I will however continue to ponder the problem, and if I
come up with something better I will let you know.

-Tom
- -
-2006-07-11 Shorewall 3.2.0
-
-
New Features:

1) Shorewall has always been very noisy (lots of messages). No longer.

You set the default level of verbosity using the VERBOSITY option in
shorewall.conf. If you don't set it (as would be the case if you use your
old shorewall.conf file) then VERBOSITY defaults to a value of 2 which
results in behavior compatible with previous Shorewall versions.
A value of 1 suppresses some of the output (like the old -q option did)
while a value of 0 makes Shorewall almost silent. A value of -1
suppresses all output except warning and error messages.

The value specified in the 3.2 shorewall.conf is 1. So you can make
Shorewall as verbose as previously using a single -v and you can make it
almost silent by using a single -q.

If VERBOSITY is set at 2, you can still make a command nearly
silent by using two "q"s (e.g., shorewall -qq restart).

In summary, each "q" subtracts one from VERBOSITY while each "v" adds one
to VERBOSITY.

The "shorewall show log", "shorewall logwatch" and "shorewall dump"
commands require VERBOSITY to be greater than or equal to 3 to
display MAC addresses.This is consistent with the previous
implementation which required a single -v to enable MAC display but
means that if you set VERBOSITY=0 in shorewall.conf, then you will
need to include -vvv in commands that display log records in order
to have MACs displayed.

To make the display of MAC addresses less cumbersome, a '-m' option has
been added to the "show" and logwatch commands:

shorewall show -m log
shorewall logwatch -m

2) A new 'shorewall compile' command has been added.

shorewall compile [ -e ] [ <config directory> ] <script file>

where:

-e Allows the generated script to run
on a system with Shorewall Lite installed.
Generates an error if the configuration uses
an option that would prevent the generated
script from running on a system other than
where the 'compile' command is running (see
additional consideration a) below).

<config directory> Is an optional directory to be searched for
configuration files prior to those listed
in CONFIG_DIR in
/etc/shorewall/shorewall.conf.

<script file> Is the name of the output file.

The 'compile' command processes the configuration and generates a
script file which may then be executed to configure the firewall.

The generated script supports the following commands:

start - starts the firewall
stop - stops the firewall
clear - clears the firewall (removes all iptables rules)
restart - restarts the firewall
status - displays the firewall status
version - displays the version of shorewall used to create the
script

The generated script contains error checking and will terminate if an
important command fails. Before terminating:

a) The script will check for the existence of the restore script
specified by the RESTOREFILE variable in shorewall.conf. If that
restore script exists, it is executed.

b) If the restore script doesn't exist but Shorewall appears to be
installed on the system, the equivalent of an
"/sbin/shorewall stop" command is executed.

Some additional considerations:

a) When you run 'compile' on one system and then run the generated script
on another system under Shorewall Lite, there are certain limitations.

1) A compatible version of Shorewall Lite must be running on the remote
system. Going forward, the goal is that any minor version of
the current major version will be compatible. So if the
program is compiled using Shorewall 3.2.x, any 3.2.y version
or 3.p.q version (where p > 2) of Shorewall Lite will be compatible.
2) The 'detectnets' interface option is not allowed.
3) DYNAMIC_ZONES=Yes is not allowed.
4) You must supply the file /etc/shorewall/capabilities to provide
the compiler with knowledge of the capabilities of the system
where the script is to be run. See below.
5) If your /etc/shorewall/params file contains code other than simple
assignment statements with contant values, then you should move
that code to /etc/shorewall/init. That way, the code will be
executed on the target system when the compiled script is run and
not on the local system at compile time.

b) If you run the "shorewall compile" or "shorewall check" commands under
a user other than 'root', then you must supply
/etc/shorewall/capabilities.

c) To aid in building /etc/shorewall/capabilities, a 'shorecap' program
is provided in the Shorewall Lite package and is installed in
/usr/share/shorewall-lite/shorecap when you install Shorewall Lite.

For instructions about running shorecap, see the comments at the
top of the program file (it's a simple shell script).

The "shorewall start" and "shorewall restart" commands have been
rewritten to use compilation. They both compile a temporary program
then run it. This results in a slightly longer elapsed time than the
similar commands required under earlier versions of Shorewall but new
connections are blocked for a much smaller percentage of that time.

If an error is found during the compilation phase, /sbin/shorewall
terminates and the Shorewall state is unchanged.

Under Shorewall 3.1.5, "shorewall restart" takes roughly 16.5 seconds
on my firewall:

real 0m16.599s
user 0m6.292s
sys 0m9.885s

Of the elapsed 16.5 seconds, new connections are disabled less than
3.5 seconds. Here are some numbers for comparison:

A) shorewall restart (Shorewall 3.0.4)

real    0m17.540s
user    0m5.956s
sys     0m10.737s

B) ./foo restart # foo created using "shorewall compile"

real 0m3.297s
user 0m1.444s
sys 0m1.728s

C) shorewall restore (Shorewall 3.0.4) # Restores from file generated by
# "shorewall save"

real    0m1.164s
user    0m0.556s
sys     0m0.608s

D) shorewall restore (shorewall 3.1.5)

real 0m1.637s
user 0m0.728s
sys 0m0.584s

The time difference between B and C reflects the difference between
"iptables-restore" and multiple executions of "iptables". The time
difference between C and D results from the fact that the "restore"
command in Shorewall 3.1 runs the compiled program in a way that
turns all iptables commands into no-ops then invokes
iptables-restore. The system is a 1.4Ghz Celeron with 512MB RAM.

As a final part of this change, the "check" command now compiles the
current configuration and writes the compiled output to /dev/null. So
"check" performs all of the same validation that compile does. Note that
there is still no guarantee that the generated script won't encounter
run-time errors.

2) The /etc/shorewall/maclist file has a new column layout. The first column
is now DISPOSITION. This column determines what to do with matching
packets and can have the value ACCEPT or DROP (if MACLIST_TABLE=filter, it
can also contain REJECT). This change is upward compatible so your existing
maclist file can still be used.

ACCEPT, DROP and REJECT may be optionally followed by a log level to
cause the packet to be logged.

4) In macro files, you can now use the reserved words SOURCE and DEST
in the columns of the same names. When Shorewall expands the
macro, it will substitute the SOURCE from the macro invocation for
SOURCE and the DEST from the invocation for DEST. This allows you
to write macros that act in both directions (from source to destination
and from destination to source).

Example:

macro.FOO:

PARAM SOURCE DEST udp 500
PARAM DEST SOURCE udp 500

/etc/shorewall/rules:

FOO/ACCEPT fw net

Resulting rules:

ACCEPT fw net udp 500
ACCEPT net fw udp 500

This new feature has been used to implement the SMBBI macro.
SMBBI is the same as the SMB macro with the exception that
it passes SMB traffic in both directions whereas SMB only
passes that traffic in one direction.

5) In the /etc/shorewall/rules file and in actions, you may now specify
'tcp:syn' in the PROTO column. 'tcp:syn' is equivalent to 'tcp' but also
requires that the SYN flag is set and the RST, FIN and ACK flags be
off ("--syn" is added to the iptables rule).

As part of this change, Shorewall no longer adds the "--syn" option
to TCP rules that specify QUEUE as their target.

6) /sbin/shorewall now supports a "-t" option that causes all progress
messages to be timestamped.

Example (VERBOSITY=0 in shorewall.conf):

gateway:/etc/shorewall # shorewall -t restart
07:08:51 Compiling...
07:09:05 Shorewall configuration compiled to /var/lib/shorewall/.restart
07:09:05 Restarting Shorewall....
07:09:08 done.
gateway:/etc/shorewall #

7) A 'refreshed' extension script has been added -- it is executed after
"shorewall refresh" has finished.

8) Two new dynamic blacklisting commands have been added:

logdrop -- like 'drop' but causes the dropped packets to be logged.

logreject -- like 'reject' but causes the rejected packets to be
logged.

Packets are logged at the BLACKLIST_LOGLEVEL if one was specified at the
last "shorewall [re]start"; otherwise, they are logged at the 'info'
log level.

9) A new IMPLICIT_CONTINUE option has been added to shorewall.conf. When
this option is set to "Yes", it causes subzones to be treated differently
with respect to policies.

Subzones are defined by following their name with ":" and a list of parent
zones (in /etc/shorewall/zones). Normally, you want to have a set of
special rules for the subzone and if a connection doesn't match any of
those subzone-specific rules then you want the parent zone rules and
policies to be applied. With IMPLICIT_CONTINUE=Yes, that happens
automatically.

If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then
subzones are not subject to this special treatment.

With IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden
by including an explicit policy (one that does not specify "all" in either
the SOURCE or the DEST columns).

Example:

/etc/shorewall/zones:

prnt ipv4
chld:prnt ipv4

Traffic to/from the 'chld' zone will first pass through the applicable
'chld' rules and if none of those rules match then it will be passed through
the appropriate 'prnt' rules. If the connection request does not match
any of the 'prnt' rules then the relevant 'prnt' policy is applied.

If you want the fw->chld policy to be ACCEPT, simply add this entry to
/etc/shorewall/policy:

$FW chld ACCEPT

Traffic from all other zones to 'chld' will be subject to the implicit
CONTINUE policy.

10) Shorewall now includes support for explicit routing rules when the
/etc/shorewall/providers file is used. A new file,
/etc/shorewall/route_rules can be used to add routing rules based on
packet source and/or destination.

The file has the following columns:

SOURCE(optonal) An ip address (network or host) that
matches the source IP address in a packet.
May also be specified as an interface
name optionally followed by ":" and an
address. If the define 'lo' is specified,
the packet must originate from the firewall
itself.

DEST(optional) An ip address (network or host) that
matches the destination IP address in a packet.

If you choose to omit either SOURCE or DEST,
place "-" in the column. Note that you
may not omit both SOURCE and DEST.

PROVIDER The provider to route the traffic through.
May be expressed either as the provider name
or the provider number. You may also specify
the 'main' routing table here, either by
name or by number (254).

PRIORITY
The rule's priority which determines the order
in which the rules are processed.

1000-1999 Before Shorewall-generated
'MARK' rules

11000- 11999 After 'MARK' rules but before
Shorewall-generated rules for
provider interfaces.

26000-26999 After provider interface rules but
before 'default' rule.

Rules with equal priority are applied in
the order in which they appear in the file.

Example 1: You want all traffic coming in on eth1 to be routed to the ISP1
provider:

#PROVIDER PRIORITY SOURCE DEST
ISP1 1000 eth1

Example 2: You use OpenVPN (routed setup /tunX) in combination with multiple
providers. In this case you have to set up a rule to ensure that
the OpenVPN traffic is routed back through the tunX interface(s)
rather than through any of the providers. 10.8.0.0/24 is the
subnet choosen in your OpenVPN configuration (server 10.8.0.0
255.255.255.0)

#SOURCE DEST PROVIDER PRIORITY
- 10.8.0.0/24 main 1000

11) Prior to now, it has not been possible to use connection marking in
/etc/shorewall/tcrules if you have a multi-ISP configuration that uses the
'track' option.

Beginning with this release, you may now set HIGH_ROUTE_MARKS=Yes in
shorewall.conf to effectively divide the packet mark and connection mark
into two 8-byte mark fields.

When you do this:

a) The MARK field in the providers file must have a value that is
less than 65536 and that is a multiple of 256 (using hex
representation, the values are 0x0100-0xFF00 with the low-order
8 bits being zero).

b) You may only set those mark values in the PREROUTING chain.

c) Marks used for traffic shaping must still be in the range of 1-255
and may still not be set in the PREROUTING chain.

d) When you SAVE or RESTORE in tcrules, only the TC mark value is
saved or restored. Shorewall handles saving and restoring the
routing (provider) marks.

12) A TOS column has been added to /etc/shorewall/tcrules. This allows marking
based on the contents of the TOS field in the packet header.

13) Beginning with this release, the way in which packet marking in the
PREROUTING chain interracts with the 'track' option in /etc/shorewall/providers
has changed in two ways:

a) Packets *arriving* on a tracked interface are now passed to the PREROUTING
marking chain so that they may be marked with a mark other than the
'track' mark (the connection still retains the 'track' mark).

b) When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on packets
in the PREROUTING chain (i.e., you can specify a mark value of zero).

14) Shorewall will now attempt to detect the MTU of devices listed in
/etc/shorewall/tcdevices and will use the detected MTU in setting
up traffic shaping.

15) In /etc/shorewall/rules, the values "all-" and "all+-" may now be
used for zone names. "all-" means "All zones except the firewall";
"all+-" means "All zones except the firewall" and intra-zone
traffic is included.

16) Kernel version 2.6.16 introduces 'xtables', a new common packet
filtering and connection tracking facility that supports both IPv4
and IPv6. Because a different set of kernel modules must be loaded
for xtables, Shorewall now includes two 'modules' files:

a) /usr/share/shorewall/modules -- the former
/etc/shorewall/modules

b) /usr/share/shorewall/xmodules -- a new file that support
xtables.

If you wish to use the new file, then simply execute this command:

cp -f /usr/share/shorewall/xmodules /etc/shorewall/modules

17) Shorewall now checks to see if devices in /etc/shorewall/tcdevices
exist. If a device does not exist, a warning message is issued and
that device's entries in /etc/shorewall/tcclasses are ignored. This
applies to "shorewall start", "shorewall restart" and "shorewall
refresh".

18) "load" and "reload" commands have been added. These commands allow
a non-root user with ssh access to a remote system running
Shorewall Lite to compile a firewall script on the local system and
to install that script on the remote system.

Syntax is:

shorewall [re]load [ <directory> ] <system>

If <directory> is omitted, the current working directory is
assumed.

The command is equivalent to:

/sbin/shorewall compile -e <directory> firewall &&\
scp firewall root@<system>:/var/lib/shorewall-lite/ &&\
ssh root@<system> '/sbin/shorewall-lite [re]start' # Note 1

In other words, the configuration in the specified (or defaulted)
directory is compiled to a file called firewall in that
directory. If compilation succeeds, then 'firewall' is copied to the
(usually remote) <system> using scp. If the copy succeeds,
Shorewall Lite on <system> is started or restarted via ssh (
load causes Shorewall Lite to be started and 'reload' causes
Shorewall Lite to be re-started)

Note 1: In Shorewall Lite 3.2.0 RC4, the 'firewall' script has moved
from /usr/share/shorewall-lite/ to /var/lib/shorewall-lite in
packages from shorewall.net. The package maintainers for the
various distributions are free to choose the directory where the
script will be stored under their distribution by altering the
value of LITEDIR in /usr/share/shorewall/configpath. You can run the
"shorewall show config" command to see how your distribution
defines LITEDIR.
- -
-2006-06-21 Shorewall 3.0.8
-
-
Problems corrected in 3.0.8

1) If the 'upnp' interface option was specified on one or more
interfaces but no forwardUPnP rule was included, the following
diagnostic messages were issued:

WARNING:Missing forwardUPnP rule (required by 'upnp' interface option on
eth0)
ERROR: Fatal error in find_logactionchain

Given that the fatal error message is obscure if the first WARNING
isn't noticed, the ERROR message has been eliminated with the
result that Shorewall now starts but won't handle UPnP properly.

2) If BRIDGING=No in shorewall.conf, then an entry in
/etc/shorewall/hosts such as the following would result in an
obscure failure of an iptables command:

loc br0:eth0

Shorewall now detects this case and issues a more helpful error
message:

ERROR: BRIDGING=Yes is required for this zone definition: loc br0:eth0

3) Users of the Multi-ISP feature may experience this error during startup:

/usr/share/shorewall/firewall: line 1393: 20000 + (1 - 1) * 256 +
$rulenum : syntax error: operand expected (error token is
"$rulenum ")

4) A more useful diagnostic is now given when a command fails during
setup of traffic shaping.

5) Shorewall now checks to see if devices in /etc/shorewall/tcdevices
exist. If a device does not exist, a warning message is issued and
that device's entries in /etc/shorewall/tcclasses are ignored. This
applies to "shorewall start", "shorewall restart" and "shorewall
refresh".

6) It is now possible to exclude a single source MAC address using
!<MAC address>. Previously, a startup error occurred.

7) Shorewall would use the incorrect shell for compilation in the
following case:

8) Reporting of the "Mangle FORWARD Chain" capability was broken. While
Shorewall correctly detected and used the capability, the output of
"shorewall show capabilities" and "shorewall dump" showed the
capability as "Not Available".

9) Extension scripts for policy chains (chains with the word 'all' in
their name) were not being run previously.
- -
-2006-05-27 Shorewall 2.4.9
-
-
Problems corrected in 2.4.9

1) Updated the bogons file to reflect recent IANA allocations.

2) If you use SAME or SAME:nodst in the ADDRESS column of /etc/shorewall/masq and
if you set ADD_SNAT_ALIASES=Yes in shorewall.conf, then "shorewall start" will
fail with the error 'Error: an inet prefix is expected rather than "SAME".'.

3) It is now possible to exclude a single source MAC address using
!<MAC address>. Previously, a startup error occurred.
- -
-2006-05-06 Shorewall 3.0.7
-
-
Problems corrected in 3.0.7

1) Previously, if your kernel did not supply the mangle table FORWARD chain
then "shorewall [re]start" would fail. Now, if your mangle table does
not supply this chain Shorewall will avoid using either that chain or
the mangle table POSTROUTING chain. This change is strictly to stop Shorewall
from blowing up during [re]start on very old kernels (such as 2.4.17
running on a PS2); if your kernel does not support these chains and you
try to mark packets in either of them using entries in
/etc/shorewall/tcrules, [re]start will fail.

2) Previously, if there were more than 10 IP addresses on a multi-ISP interface,
some of the routing rules generated by Shorewall were placed after the
default rule which resulted in them not being recognized.

3) When install.sh is used to install on a Debian or Ubuntu system, the
SUBSYSLOCK option in shorewall.conf was not being cleared.
It will now be cleared, provided that Perl is installed on the system.

4) When exclusion lists appeared in the /etc/shorewall/tcrules file, the
resulting 'exclusion chains' (whose names begin with 'excl_') were not
deleted as part of 'shorewall [re]start'. This meant that 'refresh'
would fail, either the first or second time that it was done since
the last 'shorewall [re]start'.

Other changes in 3.0.7

None.
- - - -
-2006-03-28 Shorewall moved to Subversion
-
-
 Effectively today, Shorewall source code repository was migrated to Subversion SCM.

Please read https://sourceforge.net/svn/?group_id=22587 -and http://www.shorewall.net/download.htm#SVN -for more information.
- - - -
-2006-03-28 Shorewall 3.0.6
-
-
Problems corrected in 3.0.6

1) A typo in the output of "help drop" has been corrected.

2) Previously, 'shorewall start' would fail in the presence of a network
interface named 'inet'.

3) A shell syntax error was reported when duplicate policies appeared in
/etc/shorewall/policy.

4) The iptable_nat and iptable_mangle modules were previously omitted
from /etc/shorewall/modules.

5) If you use SAME or SAME:nodst in the ADDRESS column of /etc/shorewall/masq
and if you set ADD_SNAT_ALIASES=Yes in shorewall.conf, then "shorewall
start" will fail with the error 'Error: an inet prefix is expected rather
than "SAME".'.

6) Previously, the 'routeback' option was ignored in an entry in the
/etc/shorewall/hosts file that referred to a (set of) bridge port(s).

Example:

dmz xenbr0:vif+ routeback

Other changes in 3.0.6

1) A 'refreshed' extension script has been added -- it is executed after
"shorewall refresh" has finished.
- - - -
-2006-02-10 Shorewall 3.0.5
-
-
Problems corrected in Shorewall 3.0.5

1) Previously, if /etc/shorewall/ipsets existed, it was run when Shorewall starts
but not when Shorewall was restored.

2) When using the NETKEY IPSEC implementation in kernel 2.6 but without the
policy match patch and the Netfilter/IPSEC patches, previously an
entry in /etc/shorewall/tunnels was not sufficient in cases where:

a) gw<->gw traffic was encrypted
b) The gw<->gw policy through the tunnel was not ACCEPT

Thanks to Tuomo Soini, this has been corrected. By simply including the
remote VPN zone in the GATEWAY ZONE column for the tunnel's entry, no
additional rules are required.

3) Extra blank output lines are no longer produced by install.sh (patch
courtesy of Tuomo Soini).

4) TCP packets sent to QUEUE by rules in the ESTABLISHED section of the
rules file previously didn't work (they had the "--syn" parameter
added to them which resulted in a rule that no traffic would match).

WARNING: If you use the QUEUE target from an action, Shorewall will
still insert --syn if the protocol is tcp. So you don't want to
invoke such an action from the ESTABLISHED section of the rules
file.

5) The description of the SOURCE column in /etc/shorewall/rules has been
improved (patch courtesy of Ed Suominen).

6) The 'allow', 'drop' and 'reject' commands no longer produce iptables
errors when executed while Shorewall is not started.

7) The spelling of "maximize-throughput" has been corrected in the code
that implements tcclasses parsing. Patch courtesy of Paul Traina.

8) Shorewall now generates the correct match for devices in
/etc/shorewall/tcdevices that are actually bridge ports.

New Features in Shorewall 3.0.5

1) The facilities available for dealing with the TOS field in
/etc/shorewall/tcclasses has been expended. The OPTIONS field is now may
contain a comma-separates list of the following:

tos=0x<value>[/0x<mask>] (mask defaults to 0xff)
- this lets you define a classifier
for the given <value>/<mask> combination
of the IP packet's TOS/Precedence/DiffSrv
octet (aka the TOS byte). Please note,
classifiers override all mark settings,
so if you define a classifer for a class,
all traffic having that mark will go in it
regardless of any mark set on the packet
by a firewall/mangle filter.

NOTE: multiple tos= statements may be
applied per class and per interface, but
a given value/mask pair is valid for only
ONE class per interface.

tos-<tosname> - aliases for the following TOS octet
value and mask encodings. TOS encodings
of the "TOS byte" have been deprecated in
favor of diffserve classes, but programs
like ssh, rlogin, and ftp still use them.

tos-minimize-delay 0x10/0x10
tos-maximize-throughput 0x08/0x08
tos-maximize-reliability 0x04/0x04
tos-minimize-cost 0x02/0x02
tos-normal-service 0x00/0x1e

tcp-ack - defined causes an tc filter to
be created that puts all tcp ack
packets on that interface that have
an size of <=64 Bytes to go in this
class. This is useful for speeding up
downloads. Please note that the size
of the ack packets is limited to 64
bytes as some applications (p2p for
example) use to make every packet an
ack packet which would cause them
all into here. We want only packets
WITHOUT payload to match, so the size
limit.

NOTE: This option is only valid for
ONE class per interface.

Note that the semantics of 'tos-<tosname>' have changed slightly. Previously,
these were tested using a mask of 0xff (example: tos-minimize-delay was
equivalent to 0x10/0xff). Now each bit is tested individually.

This enhancement is courtesy of Paul Traina.
- -
-2006-01-05 Shorewall 3.0.4
-
-
Problems Corrected in 3.0.4

1)  The shorewall.conf file is once again "console friendly". Patch is
    courtesy of Tuomo Soini.

2)  A potential security hole has been closed. Previously, Shorewall ACCEPTed
    all traffic from a bridge port that was sent back out on the same port. If
    the port was described in /etc/shorewall/hosts using the wildcard "+" (eg,
    xenbr0:vif+), this could lead to traffic being passed in variance with the
    supplied policies and rules.

3)  Previously, an intra-zone policy of NONE would cause a startup error. That
    problem has been corrected.

4)  When RETAIN_ALIASES=Yes, the script produced by "shorewall save" did not
    add the retained aliases. This means that the following sequence of
    events resulted in missing aliases:

            shorewall start
            shorewall restart
            shorewall save
            reboot
            shorewall -f start (which is the default during boot up)

5)  When a 2.x standard action is invoked with a log level (example
    "AllowPing:info"), logging does not occur.

New Features in 3.0.4

1)  By popular demand, the 'Limit' action described at
    http://www1.shorewall.net/PortKnocking.html#Limit has been made a standard
    action. Limit requires 'recent match' support in your kernel and iptables.

2)  DISABLE_IPV6 no longer disabled local (loopback) IPV6 traffic. This
    change is reported to improve Java startup time on some distributions.

3)  Shorewall now contains support for wildcard ports. In
    /etc/shorewall/hosts, you may specify the port name with trailing "+" then
    use specific port names in rules.

    Example:

    /etc/shorewall/hosts

        vpn      br0:tap+

    /etc/shorewall/rules

        DROP      vpn:tap0              vpn:tap1          udp    9999

4)  For the benefit of those who run Shorewall on distributions that don't
    autoload kernel modules, /etc/shorewall/modules now contains load commands
    for a wide range of Netfilter modules.
- -
-2005-12-13 Shorewall 3.0.3
-
-
Problems Corrected in 3.0.3

1) The comments in the /etc/shorewall/shorewall.conf and
/etc/shorewall/hosts files have been changed to clarify when
BRIDGING=Yes is required when dealing with bridges.

2) Thanks to Tuomo Soini, formatting of the comments in the tcdevices
and tcclasses files has been cleaned up.

3) Specifying 'trace' on the 'safe-start' and 'safe-restart' command no
longer fails.

4) The output of "shorewall help restore" has been corrected. It previously
printed incorrect syntax for that command.

5) The README.txt file in the tarball was stale and contained incorrect
information. It has been corrected.

6) The shorewall.conf default setting of CLEAR_TC was previously "No". Given
that the default setting of TC_ENABLED is "Internal", the setting of
CLEAR_TC has been changed to the more appropriate value of "Yes".

7) Specifying an interface name in the SOURCE column of /etc/shorewall/tcrules
resulted in a startup error.

8) When the 'install.sh' script is used on Debian, it now creates
/var/log/shorewall-init.log. And if perl is installed on the system then
STARTUP_ENABLED=Yes is specified in shorewall.conf (the user must still
set startup=1 in /etc/default/shorewall).

New Features in 3.0.3
- -1) A "shorewall show macros" command has been added. This command displays - a list of the standard macros along with a brief description of each. - -2) The '-q' option is now supported with 'safe-start' and 'safe-restart'. - -3) The value "-" is now allowed in the ADDRESS/SUBNET column of - /etc/shorewall/blacklist. That value is equivalent to specifying - 0.0.0.0/0 in that column. - -4) The output of "shorewall show tc" and "shorewall show classifiers" is - now included in the output from "shorewall dump". This will aid us in - analyzing traffic shaping problems. - -5) You can now specify 'none' in the COPY column of /etc/shorewall/providers - to signal that you want Shorewall to only copy routes through the interface - listed in the INTERFACE column. - - Note: This works on older versions of Shorewall as well. It is - now documented. - -6) An 'ipdecimal' command has been added to /sbin/shorewall. This command - converts between dot-quad and decimal. - - Example: - - gateway:/etc/openvpn# shorewall ipdecimal 192.168.1.4 - 3232235780 - gateway:/etc/openvpn# shorewall ipdecimal 3232235780 - 192.168.1.4 - gateway:/etc/openvpn# - -7) /etc/init.d/shorewall now supports a 'reload' command which is - synonymous with the 'restart' command.
-
-2005-12-12 Shorewall 2.4.7
-
-Problems Corrected in 2.4.7
-
-1)  When MACLIST_TABLE=mangle and an interface is enabled for DHCP -(the
-    'dhcp' option is specified in /etc/shorewall/interfaces) -then broadcasts
-    on UDP port 67 to address 255.255.255.255 from address -0.0.0.0 were being
-    dropped and logged. While this did not prevent the client -from acquiring
-    an IP address, it could result in lots of log messages.
-
-2)  Entries for openvpn tunnels (including openvpnclient and
-    openvpnserver) that specify a port but no protocol cause -startup
-    errors as follows:
-
-           iptables -v1.3.3: unknown protocol `1194' specified
-           Try -`iptables -h' or 'iptables --help' for more information.
-           ERROR: -Command "/usr/sbin/iptables -A net2fw -p 1194 -s
-           0.0.0.0/0 ---sport 1194 -j ACCEPT" Failed
-
-    The problem may be worked around by specifying the -protocol as well
-    (e.g., "openvpn:udp:3455).
-
-3)  If the previous firewall configuration included a policy other -than
-    ACCEPT in the nat, mangle or raw tables then Shorewall -would not set
-    the policy to ACCEPT. This could result in a ruleset that -rejected or
-    dropped all traffic.
-
-4)  Specifying an interface name in the SOURCE column
-    of /etc/shorewall/tcrules resulted in a startup error.
- -
-2005-12-01 End of Support for Shorewall versions -2.0 and 2.2
-
-
Effective today, versions 2.0 and 2.2 are no longer supported. This -means that if you find a bug in one of these releases, we won't fix it and if -you ask for help with one of these releases, we will not spend much time -trying to solve your issue.
- -
-2005-11-25 Shorewall 3.0.2
-
-
Problems Corrected in 3.0.2

1) A couple of typos in the one-interface sample configuration have
been corrected.

2) The 3.0.1 version of Shorewall was incompatible with old versions of
the Linux kernel (2.4.7 for example). The new code ignores errors
produced when Shorewall 3.x is run on these ancient kernels.

3) Arch Linux installation routines has been improved.

New Features in 3.0.2

1) A new Webmin macro has been added. This macro assumes that Webmin is
running on its default port (10000).
- -
-2005-11-18 Shorewall 3.0.1
- -
Problems Corrected in 3.0.1 
- -1) If the previous firewall configuration included a policy other than - ACCEPT in the nat, mangle or raw tables then Shorewall would not set - the policy to ACCEPT. This could result in a ruleset that rejected or - dropped all traffic. - -2) The Makefile was broken such that 'make' didn't always work correctly. - -3) If the SOURCE or DEST column in a macro body was non-empty and a dash - ("-") appeared in the corresponding column of an invocation of that - macro, then an invalid rule was generated. - -4) The comments in the /etc/shorewall/blacklist file have been updated to - clarify that the PORTS column refers to destination port number/service - names. - -5) When CLAMPMSS is set to a value other than "No" and FASTACCEPT=Yes, the - order of the rules generated was incorrect causing RELATED TCP connections - to not have CLAMPMSS applied. - -New Features in 3.0.1 - -1) To make the macro facility more flexible, Shorewall now examines the - contents of the SOURCE and DEST columns in both the macro body and in - the invocation and tries to create the intended rule. If the value in - the invocation appears to be an address (IP or MAC) or the name of an - ipset, then it is placed after the value in the macro body. Otherwise, - it is placed before the value in the macro body. - - Example 1: - - /etc/shorewall/macro.foo: - - PARAM - 192.168.1.5 tcp http - - /etc/shorewallrules: - - foo/ACCEPT net loc - - Effective rule: - - ACCEPT net loc:192.168.1.5 tcp http - - Example 2: - - /etc/shorewall/macro.bar: - - PARAM net loc tcp http - - /etc/shorewall/rules: - - bar/ACCEPT - 192.168.1.5 - - Effective rule: - - ACCEPT net loc:192.168.1.5 tcp http
- -

-
-11/11/2005 Shorewall 3.0.0
- -
New Features in Shorewall 3.0.0

1) Error and warning messages are made easier to spot by using
capitalization (e.g., ERROR: and WARNING:).

2) A new option 'critical' has been added to
/etc/shorewall/routestopped. This option can be used to enable
communication with a host or set of hosts during the entire
"shorewall [re]start/stop" process. Listing a host with this option
differs from listing it without the option in several ways:

a) The option only affect traffic between the listed host(s) and the
firewall itself.

b) If there are any entries with 'critical', the firewall
will be completely opened briefly during start, restart and stop but
there will be no chance of any packets to/from the listed host(s)
being dropped or rejected.

Possible uses for this option are:

a) Root file system is NFS mounted. You will want to list the NFS server
in the 'critical' option.

b) You are running Shorewall in a Crossbeam environment
(www.crossbeam.com). You will want to list the Crossbeam interface
in this option

3) A new 'macro' feature has been added.

Macros are very similar to actions and can be used in similar
ways. The differences between actions and macros are as follows:

a) An action creates a separate chain with the same name as the
action (when logging is specified on the invocation of an action,
a chain beginning with "%" followed by the name of the action and
possibly followed by a number is created). When a macro is
invoked, it is expanded in-line and no new chain is created.

b) An action may be specified as the default action for a policy;
macros cannot be specified this way.

c) Actions must be listed in either /usr/share/shorewall/actions.std
or in /etc/shorewall/actions. Macros are defined simply by
placing their definition file in the CONFIG_PATH.

d) Actions are defined in a file with a name beginning with
"action." and followed by the name of the action. Macro files are
defined in a file with a name beginning with "macro.".

e) Actions may invoke other actions. Macros may not directly invoke
other macros although they may invoke other macros indirectly
through an action.

f) DNAT[-] and REDIRECT[-] rules may not appear in an action. They
are allowed in a macro with the restriction that the a macro
containing one of these rules may not be invoked from an action.

g) The values specified in the various columns when you invoke a
macro are substituted in the corresponding column in each rule in
the macro. The first three columns get special treatment:

ACTION If you code PARAM as the action in a macro then
when you invoke the macro, you can include the
name of the macro followed by a slash ("/") and
an ACTION (either built-in or user-defined. All
instances of PARAM in the body of the macro will be
replaced with the ACTION.

Any logging applied when the macro is invoked is
applied following the same rules as for actions.

SOURCE and
DEST If the rule in the macro file specifies a value and
the invocation of the rule also specifies a value then
the value in the invocation is appended to the value
in the rule using ":" as a separator.

Example:

/etc/shorewall/macro.SMTP

PARAM - loc tcp 25

/etc/shorewall/rules:

SMTP/DNAT:info net 192.168.1.5

Would be equivalent to the following in the rules file:

DNAT:info net loc:192.168.1.5 tcp 25

Rest Any value in the invocation replaces the value in the
rule in the macro.

One additional restriction applies to the mixing of macros and
actions. Macros that are invoked from actions cannot themselves
invoke other actions.

4) If you have 'make' installed on your firewall, then when you use
the '-f' option to 'shorewall start' (as happens when you reboot),
if your /etc/shorewall/ directory contains files that were modified
after Shorewall was last restarted then Shorewall is started using
the config files rather than using the saved configuration.

5) The 'arp_ignore' option has been added to /etc/shorewall/interfaces
entries. This option sets
/proc/sys/net/ipv4/conf/<interface>/arp_ignore. By default, the
option sets the value to 1. You can also write arp_ignore=<value>
where value is one of the following:

1 - reply only if the target IP address is local address
configured on the incoming interface

2 - reply only if the target IP address is local address
configured on the incoming interface and both with the sender's
IP address are part from same subnet on this interface

3 - do not reply for local addresses configured with scope
host, only resolutions for global and link addresses are
replied

4-7 - reserved

8 - do not reply for all local addresses

WARNING -- DO NOT SPECIFY arp_ignore FOR ANY INTERFACE INVOLVED IN
PROXY ARP.

6) In /etc/shorewall/rules, "all+" in the SOURCE or DEST column works
like "all" but also includes intrazone traffic. So the rule:

ACCEPT loc all+ tcp 22

would allow SSH traffic from loc->loc whereas

ACCEPT loc all tcp 22

does not.

7) A new FASTACCEPT option has been added to shorewall.conf.

Normally, Shorewall defers accepting ESTABLISHED/RELATED packets
until these packets reach the chain in which the original connection
was accepted. So for packets going from the 'loc' zone to the 'net'
zone, ESTABLISHED/RELATED packets are ACCEPTED in the 'loc2net'
chain.

If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are
accepted early in the INPUT, FORWARD and OUTPUT chains. If you set
FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or
RELATED sections of /etc/shorewall/rules.

8) Shorewall now generates an error if the 'norfc1918' option is
specified for an interface with an RFC 1918 address.

9) You may now specify "!" followed by a list of addresses in the
SOURCE and DEST columns of entries in /etc/shorewall/rules,
/etc/shorewall/tcrules and in action files and Shorewall will
generate the rule that you expect.

Example 1 (/etc/shorewall/rules):

#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc:!192.168.1.0/24,10.0.0.0/8 net tcp 80

That rule would allow loc->net HTTP access except for the local
networks 192.168.1.0/24 and 10.0.0.0/8.

Example 2 (/etc/shorewall/rules):

#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc:10.0.0.0/24!10.0.0.4,10.0.0.22 \
net tcp 80

That rule would allow loc->net HTTP access from the local
network 10.0.0.0/24 except for hosts 10.0.0.4 and 10.0.0.22.

10) Tunnel types "openvpnserver" and "openvpnclient" have been added
to reflect the introduction of client and server OpenVPN
configurations in OpenVPN 2.0.

11) The COMMAND variable is now set to 'restore' in restore
scripts. The value of this variable is sometimes of interest to
programmers providing custom /etc/shorewall/tcstart scripts.

12) Previously, if you defined any intra-zone rule(s) then any traffic
not matching the rule(s) was subject to normal policies (which
usually turned out to involve the all->all REJECT policy). Now, the
intra-zone ACCEPT policy will still be in effect in the presence of
intra-zone rules. That policy can still be overridden by an
explicit policy in your /etc/shorewall/policy file.

Example:

/etc/shorewall/rules:

DNAT loc:!192.168.1.4 loc:192.168.1.4:3128 tcp 80

Any other loc->loc traffic will still be accepted. If you want to
also log that other loc->loc traffic at the info log level then
insert this into /etc/shorewall/policy:

#SOURCE DEST POLICY LOG LEVEL
loc loc ACCEPT info

13) Prior to Shorewall 2.5.3, the rules file only controlled packets in
the Netfilter states NEW and INVALID. Beginning with this release,
the rules file can also deal with packets in the ESTABLISHED and
RELATED states.

The /etc/shorewall/rules file may now be divided into
"sections". Each section is introduced by a line that begins with
the keyword SECTION followed by the section name. Sections
are as listed below and must appear in the order shown.

ESTABLISHED

Rules in this section apply to packets in the ESTABLISHED
state.

RELATED

Rules in this section apply to packets in the RELATED state.

NEW

Rules in this section apply to packets in the NEW and INVALID
states.

Rules in the ESTABLISHED and RELATED sections are limited to the
following ACTIONs:

ACCEPT, DROP, REJECT, QUEUE, LOG and User-defined actions.

Macros may be used in these sections provided that they expand to
only these ACTIONs.

At the end of the ESTABLISHED and RELATED sections, there is an
implicit "ALLOW all all all" rule.

RESTRICTION: If you specify FASTACCEPT=Yes in
/etc/shorewall.shorewall.conf then the ESTABLISHED and RELATED
sections must be empty.

14) The value 'ipp2p' is once again allowed in the PROTO column of
the rules file. It is recommended that rules specifying 'ipp2p'
only be included in the ESTABLISHED section of the file.


15) Shorewall actions lack a generalized way to pass parameters to an
extension script associated with an action. To work around this
lack, some users have used the log tag as a parameter. This works
but requires that a log level other than 'none' be specified when
the action is invoked. Beginning with this release, you can invoke
an action with 'none'.

Example:

#ACTION SOURCE DEST
A:none:these,are,parameters $FW net

When /etc/shorewall/A is invoked, the LEVEL variable will be empty
but the TAG variable will contain "these,are,parameters" which
can be easily parsed to isolate "these", "are" and "parameters":

ifs=$IFS
IFS=,
set -- $TAG
IFS=$ifs2

Now, $1 = these, $2 = are and $3 = parameters

16) The "shorewall check" command now checks the /etc/shorewall/masq,
/etc/shorewall/blacklist, /etc/shorewall/proxyarp,
/etc/shorewall/nat and /etc/shorewall/providers files.

17) Arne Bernin's "tc4shorewall" package has been integrated into
Shorewall.

See: http://www.shorewall.net/3.0/traffic_shaping.htm for details.

Thanks, Arne!

18) When /usr/share/shorewall/functions is loaded it now sets
2
SHOREWALL_LIBRARY=Loaded

Application code such as /etc/shorewall/tcstart may test that
variable to determine if the library has been loaded into the
current shell process.

19) The install.sh script now does a much cleaner job of backing up the
current installation. It copies the directories /etc/shorewall,
/usr/share/shorewall and /var/lib/shorewall to a directory of the
same name with "-$VERSION.bkout" appended. The init script and
/sbin/shorewall are backed up to the /usr/share/shorewall and
/var/lib/shorewall directories respectively. This makes it very
simple to remove the backups:

rm -rf /etc/shorewall-*.bkout
rm -rf /usr/share/shorewall-*.bkout
rm -rf /var/lib/shorewall-*.bkout

20) A new '-n' option has been added to the "start", "restart",
"restore", "stop" and "try" commands. This option instructs
Shorewall to not alter the routing in any way.

This option is useful when you have a multi-ISP environment because
it prevents the route cache from being flushed which preserves the
mapping of end-point address pairs to routes.

21) The output of "shorewall dump" now includes a capabilities report
such as the one produced by "shorewall show capabilities".

22) The "plain" zone type has been replaced by "ipv4". The types
"IPv4" and "IPV4" are synonyms for "ipv4". In addition, "IPSEC",
"ipsec4" and "IPSEC4" are recognized synonyms for "ipsec".

23) The NEWNOTSYN and LOGNEWNOTSYN options in shorewall.conf have been
removed as have the 'newnotsyn' options in /etc/shorewall/interfaces
and /etc/shorewall/hosts. See the Migration Considerations for
instructions if you wish to block "new-not-syn" TCP packets.

24) The "shorewall show zones" command now displays the zone type. You
must have restarted Shorewall using this release before this feature
will work correctly.

25) The multi-ISP code now requires that that you set MARK_IN_FORWARD_CHAIN=Yes
in shorewall.conf. This is done to ensure that "shorewall refresh" will
work correctly.

26) Shorewall now supports UDP IPP2P matching. In addition to the "ipp2p"
keyword in the PROTOCOL column of the relevant files, the following
values may be specified:

ipp2p:tcp Equivalent to ipp2p and matches TCP traffic
only.
ipp2p:udp Matches UDP traffic.
ipp2p:all Matches both UDP and TCP traffic. You may
not specify a SOURCE PORT with this PROTOCOL.

27) Normally MAC verification triggered by the 'maclist' interface and host
options is done out of the INPUT and FORWARD chains of the filter table.
Users have reported that under some circumstances, MAC verification is
failing for forwarded packets when the packets are being forwarded out
of a bridge.

To work around this problem, a MACLIST_TABLE option has been added to
shorewall.conf. The default value is MACLIST_TABLE=filter which results
in the current behavior. If MACLIST_TABLE=mangle then filtering will
take place out of the PREROUTING chain of the mangle table. Because
the REJECT target may not be used in the PREROUTING chain, the settings
MACLIST_DISPOSITION=REJECT and MACLIST_TABLE=mangle are incompatible.

28) The sample configurations are now packaged with the product. They are
in the Samples directory on the tarball and are in the RPM they are
in the Samples sub-directory of the Shorewall documentation
directory.
- -
-10/31/2005 Shorewall 2.4.6
-
-
Problems Corrected in 2.4.6
- -
    -
  1. "shorewall refresh" would fail if there were entries in - /etc/shorewall/tcrules with non-empty USER/GROUP or TEST columns.
  2. -
  3. An unprintable character in a comment caused /sbin/shorewall to fail - when used with a light-weight shell like 'dash'.
  4. -
  5. When using some flavors of 'ash', certain /sbin/shorewall commands - produced 'ipset: not found' messages.
  6. -
  7. Support for OpenVPN TCP tunnels was released in Shorewall 2.2.0 but the - implementation was incomplete. It has now been completed and is - documented in the /etc/shorewall/tunnels file.
  8. -
  9. The test that Shorewall uses to detect the availability of the owner - match capability has been changed to avoid the generation of ipt_owner - messages under kernel 2.6.14.
  10. -
-New Features in 2.4.6
- -
    -
  1. Normally MAC verification triggered by the 'maclist' interface and host - options is done out of the INPUT and FORWARD chains of the filter table. - Users have reported that under some circulstances, MAC verification is - failing for forwarded packets when the packets are being forwarded out of - a bridge.
    -
    - To work around this problem, a MACLIST_TABLE option has been added to - shorewall.conf. The default value is MACLIST_TABLE=filter which results - in the current behavior. If MACLIST_TABLE=mangle then filtering will take - place out of the PREROUTING chain of the mangle table. Because the REJECT - target may not be used in the PREROUTING chain, the settings - MACLIST_DISPOSITION=REJECT and MACLIST_TABLE=mangle are incompatible.
  2. -
  3. A "dump" command has been added to /sbin/shorewall for compatibility - with Shorewall 3.0. In 2.4.6, the "dump" command provides the same output - as the "status".
    -
  4. -
-
-Shorewall 2.4.5
-
-Problems Corrected in 2.4.5
- -
    -
  1. In previous versions, when the command is 'start', 'restart' or 'stop' - then OUTPUT traffic to hosts listed in /etc/shorewall/routestopped is not - enabled if ADMINISABSENTMINDED=Yes. That traffic is now enabled - independent of the setting of ADMINISABSENTMINDED.
  2. -
  3. Although it was documented that icmp types could be used in the tcrules - file, the code did not support it. Thanks to Jorge Molina, that problem - is now corrected.
  4. -
  5. In a multi-ISP configuration, fwmark routing rules now have a higher - priority than source IP rules. This allows entries in tcrules to be more - effective in controlling routing.
  6. -
  7. Previously, not all of the mangle chains were flushed during "shorewall - restart".
  8. -
-09/12/2005 Shorewall 2.4.4
-

-Problems Corrected
- -
    -
  1. An incorrect comment in the /etc/shorewall/proxyarp file has been - removed.
  2. -
  3. The message generated when a duplicate policy has been entered is now - more informative. Previously, only the POLICY column contents appeared in - the message. Now the SOURCE, DEST and POLICY column contents are - shown.
  4. -
  5. Shorewall now clears the Netfilter "raw" table during "shorewall - [re]start", "shorewall stop" and "shorewall clear" processing.
  6. -
-New Features
- -
    -
  1. Tunnel types "openvpnserver" and "openvpnclient" have been added to - reflect the introduction of client and server OpenVPN configurations in - OpenVPN 2.0.
  2. -
  3. The COMMAND variable is now set to 'restore' in restore scripts. The - value of this variable is sometimes of interest to programmers providing - custom /etc/shorewall/tcstart scripts.
    -
  4. -
-08/16/2005 Shorewall 2.4.3
-

-Problems Corrected:
- -
    -
  1. Shorewall is no longer dependent on the 'which' utility.
  2. -
  3. The 'shorewall add' command failed if there existed a zone in the - configuration that specified the 'ipsec' option in - /etc/shorewall/hosts.
  4. -
  5. Shorewall is no longer dependent on /bin/echo.
  6. -
  7. A CLASSIFY rule  with $FW in the SOURCE column (tcrules) no longer - results in a "shorewall start" error.
  8. -
  9. You may now use port lists in the DEST PORT and SOURCE PORT columns of - the /etc/shorewall/accounting file.
  10. -
  11. The "shorewall show capabilities" command now accurately reports the - availability of "Packet type match" independent of the setting of PKTTYPE - in shorewall.conf.
  12. -
  13. Thanks to Tuomo Soini, all of the files have been siginificantly - cleaned up in terms of formatting and extra white-space.
    -
  14. -
-New Features:
- -
    -
  1. New Allow.Submission and Allow.NTPbrd actions have been added. Users of - the Allow.NTP action that use NTP broadcasting should switch to use of - Allow.NTPbrd instead.
  2. -
  3. The kernel version string is now included in the output of "shorewall - status".
    -
  4. -
-07/30/2005 Shorewall 2.2.6
-
-
Problems Corrected:
- -
    -
  1. MACLIST_TTL Vulnerability fix.
  2. -
  3. TCP_FLAGS_LOG_LEVEL=ULOG breaks with recent versions of iptables.
  4. -
  5. The bogons file has been updated to reflect recent IANA - allocations.
  6. -
-07/21/2005 Shorewall 2.4.2
-
-
Problems Corrected:
- -
    -
  1. The /etc/shorewall/hosts file now includes information about defining a - zone using one or more ipsets.
  2. -
  3. A vulnerability involving MACLIST_TTL > 0 or - MACLIST_DISPOSITION=ACCEPT has been corrected.
  4. -
  5. It is now possible to specify !<address> in the SUBNET column of - /etc/shorewall/masq. Previously, it was necessary to write - 0.0.0.0/0!<address>.
  6. -
  7. When <network1>!<network2> was specified in the SUBNET - column of /etc/shorewall/masq, IPSEC policies were not correctly applied - to the resulting rules. This usually resulted in IPSEC not working - through the interface specified in the INTERFACES column.
    -
  8. -
-New Features:
- -
    -
  1. A 'loose' provider option has been added. If you wish to be able to use - marking to specify the gateway used by connections originating on the - firewall itself, the specify 'loose' for each provider. It has bee - reported that 'loose' may break the effect of 'track' so beware if you - need 'track' functionality (you shouldn't be originating many connections - from your firewall to the net anyway).
    -
    - To use 'loose', you also need to add two entries in - /etc/shorewall/masq:
    - -
    #INTERFACE           SUBNET          ADDRESS
    - $IF_ISP1 $IP_ISP2 $IP_ISP1
    - $IF_ISP2 $IP_ISP1 $IP_ISP2
    -
    - where:
    - -
            $IF_ISP1        is the interface to ISP 1.
    - $IF_ISP2 is the interface to ISP 2.
    - $IP_ISP1 is the IP address of $IF_ISP1
    - $IP_ISP2 is the IP address of $IF_ISP2 -
    -
  2. -
  3. /sbin/shorewall now issues a warning each time that it finds that - startup is disabled.
  4. -
  5. A new COPY column has been added to the /etc/shorewall/providers file. - Normally, when a table name/number is given in the DUPLICATE column, the - entire table (less default routes) is copied. The COPY column allows you - to limit the routes copied to those that go through an interface listed - in COPY. For example, if you enter eth0 in INTERFACE, "eth1,eth2" in COPY - and 'main' in DUPLICATE then the new table created will contain those - routes through the interfaces eth0, eth1 and eth2.
    -
  6. -
-
- -

07/17/2005 Security -vulnerability in MACLIST processing

- -

Description

- -

A security vulnerability has been discovered which affects all supported -stable versions of Shorewall.  This vulnerability enables a client -accepted by MAC address filtering to bypass any other rule.  If -MACLIST_TTL is set to a value greater than 0 or MACLIST_DISPOSITION is set to -"ACCEPT" in /etc/shorewall/shorewall.conf (default is MACLIST_TTL=0 and -MACLIST_DISPOSITION=REJECT), and a client is positively identified through -its MAC address, it bypasses all other policies/rules in place, thus gaining -access to all open services on the firewall.

- -

Fix

- -

Workaround

- -

For Shorewall 2.2.x or 2.4.x, set MACLIST_TTL=0 or -MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf.  For -Shorewall 2.0.x, set MACLIST_DISPOSITION=REJECT in -/etc/shorewall/shorewall.conf.  MACLIST filtering is of limited value on -Internet-connected hosts, and the Shorewall team recommends this approach to -be used if possible.

- -

Upgrade

- -

For Shorewall 2.4.x, a fixed version of the 'firewall' script is available -at: http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall -and its mirrors, http://www.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall -and http://slovakia.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall.

- -

For Shorewall 2.2.x, a fixed version of the 'firewall' script is available -at: http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall -and its mirrors, http://www.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall -and http://slovakia.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall.

- -

For Shorewall 2.0.x, a fixed version of the 'firewall' script is available -at: http://shorewall.net/pub/shorewall/errata/2.0.17/firewall -and its mirrors, http://www.shorewall.net/pub/shorewall/errata/2.0.17/firewall -and http://slovakia.shorewall.net/pub/shorewall/errata/2.0.17/firewall.

- -

Users of any version before 2.0.17 are urged to upgrade to a supported -version of Shorewall (preferably 2.4.1) before using the fixed files.  -Only the most recent version of the 2.0.x and 2.2.x streams will be supported -by the development team, and the 1.x branches are no longer maintained at -all.  Future releases of Shorewall will include this fix.

- -

This information was based on Patrick -Blitz's post to the Full Disclosure mailing list.  Thanks to -Supernaut (supernaut at ns dot sympatico dot ca) for reporting this bug.
-

- -

Version Upgrade
-

- -

The vulnerability is corrected in Shorewall 2.4.2 and in Shorewall -2.2.6.
-

-
-07/13/2005 Shorewall 2.4.1
-

-Problems Corrected:
- -
    -
  1. Shell variables may now be used in the zones file.
  2. -
  3. The /usr/share/shorewall/bogons file has been updated to reflect recent - IANA allocations.
  4. -
  5. Shorewall now detects an error where multiple providers specify the - 'track' option on the same interface.
  6. -
  7. The remnants of the GATEWAY column in /etc/shorewall/interfaces have - been removed. This column appeared briefly in one of the Beta versions - and was immediately removed but some vestiges remained.
  8. -
  9. Shorewall now correctly restores a load-balancing default route during - processing of the 'shorewall restore' and 'shorewall -f start' commands. - The latter command is normally executed by the Shorewall init script - during reboot.
  10. -
  11. A log level of "None!" is now allowed on builtin actions such as ACCEPT - and DROP.
  12. -
  13. Previously, LIMIT:BURST parameters in /etc/shorewall/policy were not - correctly applied when the policy was QUEUE.
  14. -
  15. The 'chkconfig' command on FC4 and Mandriva previously created symbolic - links with incorrect names ("S-1shorewall"). The init script has been - changed to prevent this incorrect behavior.
  16. -
  17. DHCP traffic forwarded through a bridge could, under some - configurations, be filtered by the 'maclist' option even though the - 'dhcp' option was specified. This has been corrected.
    -
  18. -
-06/05/2005 Shorewall 2.4.0
-
-Note:
Because of the short time that has elapsed since the release of -Shorewall 2.2.0, Shorewall 2.0 will be supported until 1 December 2005 or -until the release of Shorewall 2.6.0, whichever occurs first.
-
-New Features:
- -
    -
  1. Shorewall 2.4.0 includes support for multiple internet interfaces to - different ISPs.
    -
    - The file /etc/shorewall/providers may be used to define the different - providers. It can actually be used to define alternate routing tables so - uses like transparent proxy can use the file as well.
    -
    - Columns are:
    -
    -        - NAME            - The provider name.
    -
    -        - NUMBER          The provider - number -- a number between 1 and 15
    -
    -        - MARK            A - FWMARK value used in your /etc/shorewall/tcrules file to direct packets - for this provider.
    -
    -        - DUPLICATE       The name of an existing - table to duplicate. May be - 'main' or the name of a previous provider.
    -
    -        - INTERFACE       The name of the network - interface to the provider. - Must be listed in/etc/shorewall/interfaces.
    -
    -        - GATEWAY         The IP address of - the provider's gateway router. If you enter "detect" here then - Shorewall
    -                        - will
    attempt to determine - the gateway IP address automatically.
    -
    -        - OPTIONS         A comma-separated - list selected from the following:
    -
    -                - track   If specified, connections FROM this interface - are to be tracked so that - responses may be
    -                        - routed
    back out this same - interface.
    -
    -                        - You want specify 'track' if internet hosts will be connecting to local servers through
    -                        - this
    provider.
    -
    -                        - Because of limitations in the 'ip' utility and policy routing, you may not use the SAVE - or
    -                        - RESTORE tcrules options or use connection
    marking on any traffic to or from - this
    -                        - interface. For traffic control purposes, you must mark packets in the FORWARD chain - (or
    -                        - better yet, use the CLASSIFY target).

    -
    -                - balance The providers that have 'balance' specified will get outbound traffic load-balanced - among
    -                        - them. By
    default, all - interfaces with 'balance' specified will have the same weight (1).
    -                        - You can change the
    weight of - the route out of the interface by specifiying balance=<weight>
    -                        - where <weight> is
    the - desired route weight.
    -
    -        Example:  You run squid in your - DMZ on IP address 192.168.2.99. Your DMZ interface is eth2
    -
    -        - #NAME   NUMBER  MARK DUPLICATE  INTERFACE - GATEWAY       OPTIONS
    -        - Squid   1       - 1    - -          - eth2      192.168.2.99  -
    -
    - Use of this feature requires that your kernel and iptabls support - CONNMARK target and conntrack match support. It does NOT require the - ROUTE target extension.
    -
    - WARNING: The current version of iptables (1.3.1) is broken with respect - to CONNMARK and iptables-save/iptables-restore. This means that if you - configure multiple ISPs, "shorewall restore" may fail. You must patch - your iptables using the patch at http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff.
    -
    -
  2. -
  3. Shorewall 2.3.0 supports the 'cmd-owner' option of the owner match - facility in Netfilter. Like all owner match options, 'cmd-owner' may only - be applied to traffic that originates on the firewall.
    -
    - The syntax of the USER/GROUP column in the following files has been - extended:
    -
    -         /etc/shorewall/accounting
    -         /etc/shorewall/rules
    -         /etc/shorewall/tcrules
    -         - /usr/share/shorewall/action.template
    -
    - To specify a command, prefix the command name with "+".
    -
    -    Examples:
    -
    -         - +mozilla-bin            - #The program is named "mozilla-bin"
    -         - joe+mozilla-bin         #The - program is named "mozilla-bin" and
    -                                 - #is being run by user "joe"
    -         - joe:users+mozilla-bin   #The program is named "mozilla-bin" - and
    -                                 - #is being run by user "joe" with
    -                                 - #effective group "users".
    -
    -    Note that this is not a particularly robust feature and I - would never advertise it as a "Personal Firewall" equivalent. Using - symbolic links, it's easy to alias command names to be anything you - want.
    -
    -
  4. -
  5. Support has been added for ipsets (see http://people.netfilter.org/kadlec/ipset/).
    -
    - In most places where a host or network address may be used, you may also - use the name of an ipset prefaced by "+".
    -
    -         Example: "+Mirrors"
    -
    - The name of the set may be optionally followed by:
    -
    - a) a number from 1 to 6 enclosed in square brackets ([]) -- this number - indicates the maximum number of ipset binding levels that are to be - matched. Depending on the context where the ipset name is used, either - all "src" or all "dst" matches will be used.
    -
    -         Example: "+Mirrors[4]"
    -
    - b) a series of "src" and "dst" options separated by commas and inclosed - in square brackets ([]). These will be passed directly to iptables in the - generated --set clause. See the ipset documentation for details.
    -
    -         Example: - "+Mirrors[src,dst,src]"
    -
    - Note that "+Mirrors[4]" used in the SOURCE column of the rules file is - equivalent to "+Mirrors[src,src,src,src]".
    -
    - To generate a negative match, prefix the "+" with "!" as in - "!+Mirrors".
    -
    - Example 1: Blacklist all hosts in an ipset named "blacklist"
    -
    -            - /etc/shorewall/blacklist
    -
    -            - #ADDRESS/SUBNET         - PROTOCOL        PORT
    -            - +blacklist
    -
    - Example 2: Allow SSH from all hosts in an ipset named "sshok:
    -
    -            - /etc/shorewall/rules
    -
    -            - #ACTION      - SOURCE      DEST     - PROTO    DEST PORT(S)
    -            - ACCEPT       - +sshok      - fw       tcp      - 22
    -
    - Shorewall can automatically capture the contents of your ipsets for you. - If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf then - "shorewall save" will save the contents of your ipsets. The file where - the sets are saved is formed by taking the name where the Shorewall - configuration is stored and appending "-ipsets". So if you enter the - command "shorewall save standard" then your Shorewall configuration will - be saved in var/lib/shorewall/standard and your ipset contents will be - saved in /var/lib/shorewall/standard-ipsets. Assuming the default - RESTOREFILE setting, if you just enter "shorewall save" then your - Shorewall configuration will be saved in /var/lib/shorewall/restore and - your ipset contents will be saved in - /var/lib/shorewall/restore-ipsets.
    -
    - Regardless of the setting of SAVE_IPSETS, the "shorewall -f start" and - "shorewall restore" commands will restore the ipset contents - corresponding to the Shorewall configuration restored provided that the - saved Shorewall configuration specified exists.
    -
    - For example, "shorewall restore standard" would restore the ipset - contents from /var/lib/shorewall/standard-ipsets provided that - /var/lib/shorewall/standard exists and is executable and that - /var/lib/shorewall/standard-ipsets exists and is executable.
    -
    - Also regardless of the setting of SAVE_IPSETS, the "shorewall forget" - command will purge the saved ipset information (if any) associated with - the saved shorewall configuration being removed.
    -
    - You can also associate ipset contents with Shorewall configuration - directories using the following command:
    -
    -        ipset -S > <config - directory>/ipsets
    -
    - Example:
    -
    -        ipset -S > - /etc/shorewall/ipsets
    -
    - When you start or restart Shorewall (including using the 'try' command) - from the configuration directory, your ipsets will be configured from the - saved ipsets file. Once again, this behavior is independent of the - setting of SAVE_IPSETS.
    -
    - Ipsets are well suited for large blacklists. You can maintain your - blacklist using the 'ipset' utility without ever having to restart or - refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be sure to - "shorewall save" after altering the blacklist ipset(s).
    -
    - Example /etc/shorewall/blacklist:
    -
    -    - #ADDRESS/SUBNET         - PROTOCOL        PORT
    -    - +Blacklist[src,dst]
    -    - +Blacklistnets[src,dst]
    -
    - Create the blacklist ipsets using:
    -
    -           ipset -N Blacklist - iphash
    -           ipset -N - Blacklistnets nethash
    -
    - Add entries
    -
    -        ipset -A Blacklist - 206.124.146.177
    -        ipset -A Blacklistnets - 206.124.146.0/24
    -
    - To allow entries for individual ports
    -
    -        ipset -N SMTP portmap --from 1 --to - 31
    -        ipset -A SMTP 25
    -
    -        ipset -A Blacklist - 206.124.146.177
    -        ipset -B Blacklist 206.124.146.177 - -b SMTP
    -
    - Now only port 25 will be blocked from 206.124.146.177.
    -
    -
  6. -
  7. Shorewall 2.4.0 can now configure routing if your kernel and iptables - support the ROUTE target extension. This extension is available in - Patch-O-Matic-ng. This feature is *EXPERIMENTAL* since the Netfilter team - have no intention of ever releasing the ROUTE target extension to - kernel.org.
    -
    - Routing is configured using the /etc/shorewall/routes file. Columns in - the file are as follows:
    -
    -       - SOURCE            - Source of the packet. May be any of the following:
    -
    -
    -                         - - A host or network address
    -                         - - A network interface name.
    -                         - - The name of an ipset prefaced with "+"
    -                         - - $FW (for packets originating on the firewall)
    -                         - - A MAC address in Shorewall format
    -                         - - A range of IP addresses (assuming that your kernel and iptables support range - match)
    -                         - - A network interface name followed by ":" and an address or address - range.
    -
    -         - DEST            - Destination of the packet. May be any of the following:
    -
    -                         - - A host or network address
    -                         - - A network interface name (determined from
    -                           - routing table(s))
    -                         - - The name of an ipset prefaced with "+"
    -                         - - A network interface name followed by ":"
    -                           - and an address or address range.
    -
    -         - PROTO           - Protocol - Must be "tcp", "udp", "icmp", "ipp2p", a number, or "all". "ipp2p" - requires
    -                         - ipp2p match support in your kernel and
    iptables.
    -
    -         - PORT(S)         Destination - Ports. A comma-separated list of Port names (from /etc/services), port
    -                         - numbers
    or port ranges; if - the protocol is "icmp", thiscolumn is interpreted as the
    -                         - destination
    icmp-type(s).
    -
    -                         - If the protocol is ipp2p, this column is interpreted as an ipp2p option without - the
    -                         - leading "--" (example "bit" for bit-torrent).
    If no PORT is given, "ipp2p" is - assumed.
    -
    -                         - This column is ignored if PROTOCOL = all but must be entered if any of the - following
    -                         - field
    is supplied. In that - case, it is suggested that this field contain "-"
    -
    -         - SOURCE PORT(S)  (Optional) Source port(s). If omitted, any source port is acceptable. Specified - as a
    -                         - comma-separated list of port names, port
    numbers or port ranges.
    -
    -         - TEST            - Defines a test on the existing packet or connection mark.
    -
    -                         - The rule will match only if the test returns true. Tests have the format
    -                         - [!]<value>[/<mask>][:C]

    -
    -                         - Where:
    -
    -                                 - !       Inverts the test (not equal) - <value> Value of the packet - or
    -                                         - connection mark.

    -
    -                                 - <mask>  A mask to be applied to the mark before testing
    -                                 - :C      Designates a connection mark. If omitted, the packet mark's value
    -                                         - is tested.

    -
    -         - INTERFACE       The interface that the - packet is to be routed out - of. If you do not specify this
    -                         - field then
    you must place - "-" in this column and enter an IP address in the GATEWAY
    -                         - column.

    -
    -         - GATEWAY         The gateway that - the packet is to be forewarded through.
    -
    -
  8. -
  9. Normally when Shorewall is stopped, starting or restarting then - connections are allowed from hosts listed in /etc/shorewall/routestopped - to the firewall and to other hosts listed in - /etc/shorewall/routestopped.
    -
    - A new 'source' option is added for entries in that file which will cause - Shorewall to allow traffic from the host listed in the entry to ANY other - host. When 'source' is specified in an entry, it is unnecessary to also - specify 'routeback'.
    -
    - Similarly, a new 'dest' option is added which will cause Shorewall to - allow traffic to the host listed in the entry from ANY other host. When - 'source' is specified in an entry, it is unnecessary to also specify - 'routeback'.
    -
    -
  10. -
  11. This change was implemented by Lorenzo Martignoni. It provides two new - commands: "safe-start" and "safe-restart".
    -
    - safe-start starts Shorewall then - prompts you to ask you if everything looks ok. If you answer "no" or if - you don't answer within 60 seconds, a "shorewall clear" is executed.
    -
    - safe-restart saves your current - configuration to /var/lib/shorewall/safe-restart then issues a "shorewall - restart"; It then prompts you to ask if you if you want to accept the new - configuration. If you answer "no" or if you don't answer within 60 - seconds, the configuration is restored to its prior state.
    -
    - These new commands require either that your /bin/sh supports the "-t" - option to the 'read' command or that you have /bin/bash installed.
    -
  12. -
-05/20/2005  Shorewall CVS Repository -has Moved to Sourceforge
-
-
The CVS repository may now be accessed at http://sourceforge.net/cvs/?group_id=22587.
-
-05/20/2005 Shorewall 2.2.5
-
-
This will be my last 2.2 release. It contains a couple of small bug -fixes that I hadn't yet released.
-
--Tom
-
-Problems Corrected:
- -
    -
  1. Previously, if PKTTYPE=No in shorewall.conf then pkttype match would - still be used if the kernel supported it.
  2. -
  3. A typo in the 'tunnel' script has been corrected (Thanks to Patrik - Varmecký).
  4. -
  5. A warning is now generated if an invalid short zone name is used in - /etc/shorewall/zones.
    -
  6. -
-05/18/2005 Tom stepping away from Shorewall -development and support
-

-It is with regret that I announce that my involvement in Shorewall -development and support is officially ending.
-
-Unlike the originators of other successful open source projects, I have not -been able to attract a core of people who believe in Shorewall and who are -willing to make sacrifices to ensure it's success. That is my weakness and I -accept it. But is means that I have been left with trying to develop, -document, and support Shorewall almost single-handedly. I cannot do it any -more.
-
-I will clean up what I have for a 2.3 release and place it on the server as -my last Shorewall release -- Shorewall 2.4.0.
-
-Discussions aimed at continuing Shorewall development under new leadership -are continuing.
-
-Shorewall will always be a part of my life that I look back on with -fondness.
-
-Regards,
-
--Tom
- - -

05/02/2005 Shorewall 2.2.4
-

- -

Problems Corrected:
-

-
    -
  1. The error message:
    -
    -        Error: No appropriate chain for zone - <z1> to zone <z2>
    -
    - has been changed to one that is more self-explanatory:
    -
    -        Error: No policy defined for zone - <z1> to zone <z2>
  2. -
  3. When only an interface name appeared in the HOST(S) column of an - /etc/shorewall/hosts file entry, a misleading iptables error message - resulted. Now the following message is generated:
    -
    -        Error: Invalid HOST(S) column - contents: <column contents>
  4. -
-New Features:
- -
    -
  1. Support has been added for UPnP using linux-igd  (http://linux-idg.sourceforge.net). - UPnP is required by a number of popular applications including MSN - IM.
  2. -
- -
-WARNING:
- - -
-From a security architecture viewpoint, UPnP is a disaster. It assumes -that:
- -
    -
  1. All local systems and their users are completely trustworthy.
  2. -
  3. No local system is infected with any worm or trojan.
  4. -
-
- -
-If either of these assumptions are not true then UPnP can be used to totally -defeat your firewall and to allow incoming connections to arbitrary local -systems on any port whatsoever.
-In short: USE UPnP AT YOUR OWN -RISK.
-
- -
-
-
-
- -
-WARNING:
- - -
-The linux-igd project appears to be inactive and the web site does not -display correctly on any open source browser that I've tried.
-
-Building and installing linux-igd is not for the faint of heart. You must -download the source from CVS and be prepared to do quite a bit of fiddling -with the include files from libupnp (which is required to build and/or run -linux-igd).
-
-
-
- -
-Configuring linux-igd:
- - -
-In /etc/upnpd.conf, you will want:
-
-                -insert_forward_rules = yes
-                -prerouting_chain_name = UPnP
-                -forward_chain_name = forwardUPnP
-
-
-
- -
-Shorewall Configuration:
- - -
-In /etc/shorewall/interfaces, you need the 'upnp' option on your external -interface.
-
-If your fw->loc policy is not ACCEPT then you need this rule:
-
-             -allowoutUPnP       -fw      loc
-
-Note: To use 'allowoutUPnP', your iptables and kernel must support the 'owner -match' feature (see the output of "shorewall check").
-
-If your loc->fw policy is not ACCEPT then you need this rule:
-
-             -allowinUPnP        -loc     fw
-
-You MUST have this rule:
-
-             -forwardUPnP        -net     loc
-
-
-
- -
-   You must also ensure that you have a route to 224.0.0.0/4 on you -internal (local) interface.
-
-
    -
  1. A new 'started' extension script has been added.  The difference - between this extension script and /etc/shorewall/start is that this one - is invoked after delayed loading of the blacklist - (DELAYBLACKLISTLOAD=Yes) and after the 'shorewall' chain has been created - (thus signaling that the firewall is completely up.
    -
    - /etc/shorewall/started should not change the firewall configuration - directly but may do so indirectly by running /sbin/shorewall with the - 'nolock' option.
    -
    -
  2. -
  3. By default, shorewall is started with the "-f" (fast) option when your - system boots. You can override that setting by setting the OPTIONS - variable in /etc/sysconfig/shorewall (SUSE/Redhat) or - /etc/default/shorewall (Debian/Bering). If neither file exists, feel free - to create one or the other.
    -
    - Example: If you want Shorewall to always use the config files even if - there is a saved configuration, then specify:
    -
    -       OPTIONS=""
    -
    -
  4. -
  5. Shorewall now has support for the SAME target. This change affects the - /etc/shorewall/masq and /etc/shorewall/rules file.
    -
    - SAME is useful when you specify multiple target IP addresses (in the - ADDRESSES column of /etc/shorewall/masq or in the DEST column of - /etc/shorewall/rules).
    -
    - If you use normal SNAT then multiple connections from a given local host - to hosts on the internet can be assigned different source IP addresses. - This confuses some applications that use multiple connections. To correct - this problem, prefix the list of address ranges in the ADDRESS column - with "SAME:"
    -
    -           - Example:   SAME:206.124.146.176-206.124.146.180
    -
    - If you want each internal system to use the same IP address from the list - regardless of which internet host it is talking to then prefix the ranges - with "SAME:nodst:".
    -
    -           - Example:   SAME:nodst:206.124.146.176-206.124.146.180
    -
    - Note that it is not possible to map port numbers when using SAME.
    -
    - In the rules file, when multiple connections from an internet host match - a SAME rule then all of the connections will be sent to the same internal - server. SAME rules are very similar to DNAT rules with the keyword SAME - replacing DNAT. As in the masq file, changing the port number is not - supported.
    -
    -
  6. -
  7. A "shorewall show capabilities" command has been added to report the - capabilities of your kernel and iptables.
    -
    -    Example:
    -
    -       gateway:~# shorewall show capabilities
    -       Loading - /usr/share/shorewall/functions...
    -       Processing /etc/shorewall/params ...
    -       Processing - /etc/shorewall/shorewall.conf...
    -       Loading Modules...
    -       Shorewall has detected the following - iptables/netfilter capabilities:
    -              - NAT: Available
    -              - Packet Mangling: Available
    -              - Multi-port Match: Available
    -              - Extended Multi-port Match: Available
    -              - Connection Tracking Match: Available
    -              - Packet Type Match: Not available
    -              - Policy Match: Available
    -              - Physdev Match: Available
    -              - IP range Match: Available
    -              - Recent Match: Available
    -              - Owner Match: Available
    -       gateway:~#
    -
    -
  8. -
  9. A "-v" option has been added to /sbin/shorewall. Currently, this option - only affects the "show log" command (e.g., "shorewall -v show log") and - the "monitor" command. In these commands, it causes the MAC address in - the log message (if any) to be displayed. As previously, when "-v" is - omitted, the MAC address is suppressed.
    -
    -
  10. -
  11. In /etc/shorewall/rules, a value of 'none' in either the SOURCE or DEST - columns now causes the rule to be ignored. This is most useful when used - with shell variables:
    -
    - Example:
    -
    -         /etc/shorewall/rules:
    -
    -                 - AllowFTP    - $FTP_CLIENTS        fw
    -
    -         When FTP_CLIENTS is set to - 'none', the above rule is ignored.  Otherwise, the rule is evaluated - and generates Netfilter rules.
    -
    -
  12. -
  13. The installer now detects that it is running on a Slackware system and - adjusts the DEST and INIT variables accordingly.
    -
  14. -
- -

05/01/2005 Tom spoke at LinuxFest NW 2005 --- Bellingham Technical College, Bellingham Washington
-

-Tom's presentation was entitled "Shorewall and Native IPSEC" and is available -for download here (PDF -Format).
-
-04/07/2005 Shorewall 2.2.3
-

-Problems Corrected:
-

-
    -
  1. If a zone is defined in /etc/shorewall/hosts using - <interface>:!<network> in the HOSTS column then startup - errors occur on "shorewall [re]start".
  2. -
  3. Previously, if "shorewall status" was run on a system whose kernel - lacked advanced routing support (CONFIG_IP_ADVANCED_ROUTER),  then - no routing information was displayed.
  4. -
-New Features:
- -
    -
  1. A new extension script "continue" has been added. This script is - invoked after Shorewall has set the built-in filter chains policy to - DROP, deleted any existing Netfilter rules and user chains and has - enabled existing connections. It is useful for enabling certain - communication while Shorewall is being [re]started. Be sure to delete any - rules that you add here in your /etc/shorewall/start file.
  2. -
  3. There has been ongoing confusion about how the - /etc/shorewall/routestopped file works. People understand how it works - with the 'shorewall stop' command but when they read that 'shorewall - restart' is logically equivalent to 'shorewall stop' followed by - 'shorewall start' then they erroneously conclude that - /etc/shorewall/routestopped can be used to enable new connections during - 'shorewall restart'. Up to now, it cannot -- that file is not processed - during either 'shorewall start' or 'shorewall restart'.
    -
    - Beginning with Shorewall version 2.2.3, /etc/shorewall/routestopped will - be processed TWICE during 'shorewall start' and during 'shorewall - restart'. It will be processed early in the command execution to add - rules allowing new connections while the command is running and it will - be processed again when the command is complete to remove the rules added - earlier.
    -
    - The result of this change will be that during most of [re]start, new - connections will be allowed in accordance with the contents of - /etc/shorewall/routestopped.
  4. -
  5. The performance of configurations with a large numbers of entries in - /etc/shorewall/maclist can be improved by setting the new MACLIST_TTL - variable in /etc/shorewall/shorewall.conf.
    -
    - If your iptables and kernel support the "Recent Match" (see the output of - "shorewall check" near the top), you can cache the results of a 'maclist' - file lookup and thus reduce the overhead associated with MAC - Verification.
    -
    - When a new connection arrives from a 'maclist' interface, the packet - passes through then list of entries for that interface in - /etc/shorewall/maclist. If there is a match then the source IP address is - added to the 'Recent' set for that interface. Subsequent connection - attempts from that IP address occuring within $MACLIST_TTL seconds will - be accepted without having to scan all of the entries. After $MACLIST_TTL - from the first accepted connection request from an IP address, the next - connection request from that IP address will be checked against the - entire list.
    -
    - If MACLIST_TTL is not specified or is specified as empty (e.g, - MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not be - cached.
  6. -
  7. You can now specify QUEUE as a policy and you can designate a common - action for QUEUE policies in /etc/shorewall/actions. This is useful for - sending packets to something like Snort Inline.
    -
  8. -
-03/31/2005 Shorewall 2.0.17
-
-
Problems Corrected:
- -
    -
  1. Invoking the 'rejNotSyn' action results in an error at startup.
  2. -
  3. The UDP and TCP port numbers in /usr/share/shorewall/action.AllowPCA - were reversed.
  4. -
  5. If a zone is defined in /etc/shorewall/hosts using <interface>:!<network> in the HOSTS column then - startup errors occur on "shorewall [re]start".
    -
  6. -
-03/12/2005 Shorewall 2.2.2
-

-Problems Corrected:
- -
    -
  1. The SOURCE column in the /etc/shorewall/tcrules file now correctly - allows IP ranges (assuming that your iptables and kernel support - ranges).
    -
  2. -
  3. If A is a user-defined action and you have file /etc/shorewall/A then - when that file is invoked by Shorewall during [re]start, the $TAG value - may be incorrect.
  4. -
  5. Previously, if an iptables command generating a logging rule failed, - the Shorewall [re]start was still successful. This error is now - considered fatal and Shorewall will be either restored from the last save - (if any) or it will be stopped.
  6. -
  7. The port numbers for UDP and TCP were previously reversed in the - /usr/share/shorewall/action.AllowPCA file.
  8. -
  9. Previously, the 'install.sh' script did not update the - /usr/share/shorewall/action.* files.
  10. -
  11. Previously, when an interface name appeared in the DEST column of - /etc/shorewall/tcrules, the name was not validated against the set of - defined interfaces and bridge ports.
    -
  12. -
-New Features:
- -
    -
  1. The SOURCE column in the /etc/shorewall/tcrules file now allows $FW to - be optionally followed by ":" and a host/network address or address - range.
  2. -
  3. Shorewall now clears the output device only if it is a terminal. This - avoids ugly control sequences being placed in files when /sbin/shorewall - output is redirected.
  4. -
  5. The output from 'arp -na' has been added to the 'shorewall status' - display.
  6. -
  7. The 2.6.11 Linux kernel and iptables 1.3.0 now allow port ranges to - appear in port lists handled by "multiport match". If Shorewall detects - this capability, it will use "multiport match" for port lists containing - port ranges. Be cautioned that each port range counts for TWO ports and a - port list handled with "multiport match" can still specify a maximum of - 15 ports.
    -
    - As always, if a port list in /etc/shorewall/rules is incompatible with - "multiport match", a separate iptables rule will be generated for each - element in the list.
  8. -
  9. Traditionally, the RETURN target in the 'rfc1918' file has caused - 'norfc1918' processing to cease for a packet if the packet's source IP - address matches the rule. Thus, if you have:
    -
    -    - SUBNETS          - TARGET
    -    - 192.168.1.0/24   RETURN
    -
    - then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though - you also have:
    -
    -    - SUBNETS          - TARGET
    -    - 10.0.0.0/8       logdrop
    -
    - Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to - be logged and dropped since while the packet's source matches the RETURN - rule, the packet's destination matches the 'logdrop' rule.
    -
    - If not specified or specified as empty (e.g., RFC1918_STRICT="") then - RFC1918_STRICT=No is assumed.
    -
    - WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables - support 'Connection Tracking' match.
    -
  10. -
- -

02/15/2005 Shorewall 2.2.1
-
-
This release rolls up the fixes for bugs found in the first 2-3 weeks -of deployment of Shorewall 2.2.
-

-
    -
  1. The /etc/shorewall/policy file contained a misleading comment and both - that file and the /etc/shorewall/zones file lacked examples.
  2. -
  3. Shorewall previously used root's default umask which could cause files - in /var/lib/shorewall to be world-readable. Shorewall now uses umask - 0177.
  4. -
  5. In log messages produced by logging a built-in action, the packet - disposition was displayed incorrectly.
    -
    -    Example:
    -
    -             - rejNotSyn:ULOG      all     - all             - tcp
    -
    -    produces the log message:
    -
    -             Feb 12 - 23:57:08 server Shorewall:rejNotSyn:ULOG: ...
    -
    -    rather than
    -
    -             Feb 12 - 23:57:08 server Shorewall:rejNotSyn:REJECT: ...
    -
    -
  6. -
  7. The comments regarding built-in actions in - /usr/share/shorewall/actions.std have been corrected.
  8. -
  9. The /etc/shorewall/policy file in the LRP package was missing the - 'all->all' policy.
    -
  10. -
-02/05/2005 End of Support for Shorewall -1.4
-
-
Effective today, support for Shorewall 1.4 has been discontinued. See -the link at the top of this article for  upgrade information.
-
-02/01/2005 Shorewall 2.0.16
-

-This release back-ports the DROPINVALID shorewall.conf option from 2.2.0.
- -
    -
  1. Recent 2.6 kernels include code that evaluates TCP packets based on TCP - Window analysis. This can cause packets that were previously classified - as NEW or ESTABLISHED to be classified as INVALID.
    -
    - The new kernel code can be disabled by including this command in your - /etc/shorewall/init file:
    -
    - echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
    -
    - Additional kernel logging about INVALID TCP packets may be obtained by - adding this command to /etc/shorewall/init:
    -
    - echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
    -
    - Traditionally, Shorewall has dropped INVALID TCP packets early. The new - DROPINVALID option allows INVALID packets to be passed through the normal - rules chains by setting DROPINVALID=No.
    -
    - If not specified or if specified as empty (e.g., DROPINVALID="") then - DROPINVALID=Yes is assumed.
  2. -
- -

02/01/2005 Shorewall 2.2.0
-
-
New Features:
-

-
    -
  1. ICMP packets that are in the INVALID state are now dropped by the - Reject and Drop default actions. They do so using the new 'dropInvalid' - builtin action. An 'allowInvalid' builtin action is also provided which - accepts packets in that state.
  2. -
  3. The /etc/shorewall/masq file INTERFACE column now allows additional - options.
    -
    - Normally MASQUERADE/SNAT rules are evaluated after one-to-one NAT rules - defined in the /etc/shorewall/nat file. If you preceed the interface name - with a plus sign ("+") then the rule will be evaluated before one-to-one - NAT.
    -
    - Examples:
    -
    - +eth0
    - +eth1:192.0.2.32/27
    -
    - Also, the effect of ADD_SNAT_ALIASES=Yes can be negated for an entry by - following the interface name by ":" but no digit.
    -
    - Examples:
    -
    - eth0:
    - eth1::192.0.2.32/27
    - +eth3:
    -
    -
  4. -
  5. Similar to 2), the /etc/shorewall/nat file INTERFACE column now allows - you to override the setting of ADD_IP_ALIASES=Yes by following the - interface name with ":" but no digit.
  6. -
  7. All configuration files in the Shorewall distribution with the - exception of shorewall.conf are now empty. In particular, the - /etc/shorewall/zones, /etc/shorewall/policy and /etc/shorewall/tos files - now have no active entries. Hopefully this will stop the questions on the - support and development lists regarding why the default entries are the - way they are.
  8. -
  9. Previously, including a log level (and optionally a log tag) on a rule - that specified a user-defined (or Shorewall-defined) action would log all - traffic passed to the action. Beginning with this release, specifying a - log level in a rule that specifies a user- or Shorewall-defined action - will cause each rule in the action to be logged with the specified level - (and tag).
    -
    - The extent to which logging of action rules occurs is goverend by the - following:
  10. -
    • -
    • When you invoke an action and specify a log level, only those rules - in the action that have no log level will be changed to log at the - level specified at the action invocation.
      -
      - Example:
      -
      - /etc/shorewall/action.foo:
      -
      - ACCEPT    -    -    - tcp    22
      - bar:info
      -
      - /etc/shorewall/rules:
      -
      - foo:debug    fw    net
      -
      - Logging in the invoked 'foo' action will be:
      -
      - ACCEPT:debug    -    - -    tcp    22
      - bar:info
      -
      -
    • -
    • If you follow the log level with "!" then logging will be at that - level for all rules recursively invoked by the action
      -
      - Example: /etc/shorewall/action.foo:
      -
      - Update: I've been informed by Mandrake Development that this - problem has been corrected in Mandrake 10.0 Final (the problem still - exists in the 10.0 Community release).
      - ACCEPT    -    -    - tcp    22
      - bar:info
      -
      - /etc/shorewall/rules:
      -
      - foo:debug!    fw    net
      -
      - Logging in the invoke 'foo' action will be:
      -
      - ACCEPT:debug    -    - -    tcp    22
      - bar:debug!
      -
      -
    • -
    -
  11. -
- -
-This change has an effect on extension scripts used with user-defined -actions. If you define an action 'acton' and you have an /etc/shorewall/acton -script then when that script is invoked, the following three variables will -be set for use by the script:
-
- - -
-$CHAIN = the name of the chain where your rules are to be placed. When -logging is used on an action invocation, Shorewall creates a chain with a -slightly different name from the action itself.
-$LEVEL = Log level. If empty, no logging was specified.
-$TAG   = Log Tag.
-
-
-Example:
-
-/etc/shorewall/rules:
-   
-acton:info:test
-
-Your /etc/shorewall/acton file will be run with:
-
- - -
-$CHAIN="%acton1
-$LEVEL="info"
-$TAG="test"
-
-
-
- -
    -
  1. The /etc/shorewall/startup_disabled file is no longer created when - Shorewall is first installed. Rather, the variable STARTUP_ENABLED is set - to 'No' in /etc/shorewall/shorewall.conf. In order to get Shorewall to - start, that variable's value must be set to 'Yes'. This change - accomplishes two things:
  2. -
    • -
    • It prevents Shorewall from being started prematurely by the user's - initialization scripts.
    • -
    • It causes /etc/shorewall/shorewall.conf to be modified so that it - won't be replaced by upgrades using RPM.
      -
      -
    • -
    -
  3. -
  4. Support has been added for the 2.6 Kernel IPSEC implementation. To use - this support, you must have installed the IPSEC policy match patch and - the four IPSEC/Netfilter patches from Patch-0-Matic-ng. The policy match - patch affects both your kernel and iptables. There are two ways to - specify that IPSEC is to be used when communicating with a set of hosts; - both methods involve the new /etc/shorewall/ipsec file:
  5. -
    1. -
    2. If encrypted communication is used with all hosts in a zone, then - you can designate the zone as an "ipsec" zone by placing 'Yes" in the - IPSEC ONLY column in /etc/shorewall/ipsec:
      -
      - #ZONE    -     IPSEC    OPTIONS ...
      - #    -         ONLY
      - vpn    -       Yes
      -
      - The hosts in the zone (if any) must be specified in - /etc/shorewall/hosts but you do not need to specify the 'ipsec' - option on the entries in that file (see below). Dynamic zones - involving IPSEC must use that technique.
      -
      - Example:Under 2.4 Kernel FreeS/Wan:
      -
      - /etc/shorewall/zones:
      -
      - net    - Net    The big bad Internet
      - vpn    - VPN    Remote Network
      -
      - /etc/shorewall/interfaces:
      -
      - net    - eth0    ...
      - vpn    - ipsec0    ...
      -
      - Under 2.6 Kernel with this new support:
      -
      - /etc/shorewall/zones:
      -
      - net    - Net    The big bad Internet
      - vpn    - VPN    Remote Network
      -
      - /etc/shorewall/interfaces:
      -
      - net    - eth0    ...
      -
      - /etc/shorewall/hosts:
      -
      - vpn    - eth0:0.0.0.0/0
      -
      - /etc/shorewall/ipsec
      -
      - vpn    Yes
      -
      -
    3. -
    4. If only part of the hosts in a zone require encrypted - communication, you may use of the new 'ipsec' option in - /etc/shorewall/hosts to designate those hosts.
      -
      - Example:
      -
      - Under 2.4 Kernel FreeS/Wan:
      -
      - /etc/shorewall/zones:
      - -
      net    Net    The big bad Internet
      -loc Local Extended local zone
      - /etc/shorewall/interfaces:
      -
      - net    - eth0    ...
      - loc    - eth1    ...
      - loc    - ipsec0    ...
      -
      - Under 2.6 Kernel with this new support:
      -
      - /etc/shorewall/zones:
      -
      - net    -     Net    The big bad - Internet
      - vpn      -   VPN    Remote Network
      -
      - /etc/shorewall/interfaces:
      -
      - net    - eth0    ...
      - loc    - eth1    ...
      -
      - /etc/shorewall/hosts:
      -
      - vpn    - eth0:0.0.0.0/0    ipsec,...
    5. -
    -
  6. -
- -
-Regardless of which technique you choose, you can specify additional SA -options for the zone in the /etc/shorewall/ipsec entry.
-
-The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the input-output, -input and output characteristics of the security associations to be used to -decrypt (input) or encrypt (output) traffic to/from the zone.
-
-The available options are:
-
- -
-
    -
  • reqid[!]=<number> where <number> is specified using - setkey(8) using the 'unique:<number>' option for the SPD level.
  • -
  • spi[!]=<number> where <number> is the SPI of the SA. Since - different SAs are used to encrypt and decrypt traffic, this option should - only be listed in the IN OPTIONS and OUT OPTIONS columns.
  • -
  • proto[!]=ah|esp|ipcomp
  • -
  • mss=<number> (sets the MSS value in TCP SYN packets and is not - related to policy matching)
  • -
  • mode[!]=transport|tunnel
  • -
  • tunnel-src[!]=<address>[/<mask>] (only available with - mode=tunnel)
  • -
  • tunnel-dst[!]=<address>[/<mask>] (only available with - mode=tunnel). Because tunnel source and destination are dependent on the - direction of the traffic, these options should only appear in the IN - OPTIONS and OUT OPTIONS columns.
  • -
  • strict  (if specified, packets must match all policies; policies - are delimited by 'next').
  • -
  • next    (only available with strict)
  • -
-
- -
-Examples:
-
-#ZONE    IPSEC  -OPTIONS        -          IN    -      OUT
-#        -ONLY               -             -OPTIONS     OPTIONS
-vpn      -Yes    mode=tunnel,proto=esp    -spi=1000    spi=1001
-loc      -No     reqid=44,mode=transport
-
-The /etc/shorewall/masq file has a new IPSEC column added. If you specify Yes -or yes in that column then the unencrypted packets will have their source -address changed. Otherwise, the unencrypted packets will not have their -source addresses changed. This column may also contain a comma-separated list -of the options specified above in which case only those packets that will be -encrypted by an SA matching the given options will have their source address -changed.
-
-
    -
  1. To improve interoperability, tunnels of type 'ipsec' no longer enforce - the use of source port 500 for ISAKMP and OpenVPN tunnels no longer - enforce use of the specified port as both the source and destination - ports.
  2. -
  3. A new 'allowBcast' builtin action has been added -- it silently allows - broadcasts and multicasts.
  4. -
  5. The -c option in /sbin/shorewall commands is now deprecated. The - commands where -c was previously allowed now permit you to specify a - configuration directory after the command:
    -
    -       shorewall check   [ - <configuration-directory> ]
    -       shorewall restart [ - <configuration-directory> ]
    -       shorewall start   [ - <configuration-directory> ]
    -
    -
  6. -
  7. Normally, when SNAT or MASQUERADE is applied to a tcp or udp - connection, Netfilter attempts to retain the source port number. If it - has to change to port number to avoid  <source - address>,<source port> conflicts, it tries to do so within port - ranges ( < 512, 512-1023, and > 1023). You may now specify an - explicit range of source ports to be used by following the address or - address range (if any) in the ADDRESS column with ":" and a port range in - the format <low-port>-<high-port>. You must specify either - "tcp" or "udp" in the PROTO column.
    -
    - Examples 1 -- MASQUERADE with tcp source ports 4000-5000:
    -
    -     #INTERFACE - SUBNET          - ADDRESS        PROTO
    -     - eth0       192.168.1.0/24  - :4000-5000     tcp
    -
    - Example 2 -- SNAT with udp source ports 7000-8000:
    -
    -     #INTERFACE - SUBNET          - ADDRESS    -              - PROTO
    -    - eth0       - 10.0.0.0/8      - 192.0.2.44:7000-8000    udp
    -
    -
  8. -
  9. You may now account by user/group ID for outbound traffic from the - firewall itself with entries in /etc/shorewall/accounting. Such - accounting rules must be placed in the OUTPUT chain. See the comments at - the top of /etc/shorewall/accounting for details.
  10. -
  11. Shorewall now verifies that your kernel and iptables have physdev match - support if BRIDGING=Yes in shorewall.conf.
  12. -
  13. Beginning with this release, if your kernel and iptables have iprange - match support (see the output from "shorewall check"), then with the - exception of the /etc/shorewall/netmap file, anywhere that a network - address may appear an IP address range of the form <low - address>-<high address> may also appear.
  14. -
  15. Support has been added for the iptables CLASSIFY target. That target - allows you to classify packets for traffic shaping directly rather than - indirectly through fwmark. Simply enter the <major>:<minor> - classification in the first column of /etc/shorewall/tcrules:
    -
    - Example:
    -
    - #MARK/      - SOURCE       - DEST      PROTO     - PORT(S)
    - #CLASSIFY
    - 1:30    -     -        -     eth0      tcp    -    25
    -
    - Note that when using this form of rule, it is acceptable to include the - name of an interface in the DEST column.
    -
    - Marking using the CLASSIFY target always occurs in the POSTROUTING chain - of the mangle table and is not affected by the setting of - MARK_IN_FORWARD_CHAIN in shorewall.conf.
  16. -
  17. During "shorewall start", IP addresses to be added as a consequence of - ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted when - /etc/shorewall/nat and /etc/shorewall/masq are processed then they are - re-added later. This is done to help ensure that the addresses can be - added with the specified labels but can have the undesirable side effect - of causing routes to be quietly deleted. A new RETAIN_ALIASES option has - been added to shorewall.conf; when this option is set to Yes, existing - addresses will not be deleted. Regardless of the setting of - RETAIN_ALIASES, addresses added during "shorewall start" are still - deleted at a subsequent "shorewall stop" or "shorewall restart".
  18. -
  19. Users with a large black list (from /etc/shorewall/blacklist) may want - to set the new DELAYBLACKLISTLOAD option in shorewall.conf. When - DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections before - loading the blacklist rules. While this may allow connections from - blacklisted hosts to slip by during construction of the blacklist, it can - substantially reduce the time that all new connections are disabled - during "shorewall [re]start".
  20. -
  21. Using the default LOGFORMAT, chain names longer than 11 characters - (such as in user-defined actions) may result in log prefix truncation. A - new shorewall.conf action  LOGTAGONLY has been added to deal with - this problem. When LOGTAGONLY=Yes, logging rules that specify a log tag - will substitute the tag for the chain name in the log prefix.
    -
    - Example -- file /etc/shorewall/action.thisisaverylogactionname:
    -
    -     Rule:
    -
    -          DROP:info:ftp    - 0.0.0.0/0    0.0.0.0/0    - tcp        21
    -    
    -     Log prefix with LOGTAGONLY=No:
    -
    -          Shorewall:thisisaverylongacti
    -
    -     Log prefix with LOGTAGONLY=Yes:
    -
    -          Shorewall:ftp:DROP
    -
    -
  22. -
  23. Shorewall now resets the 'accept_source_route' flag for all interfaces. - If you wish to accept source routing on an interface, you must specify - the new 'sourceroute' interface option in /etc/shorewall/interfaces.
  24. -
  25. The default Drop and Reject actions now invoke the new standard action - 'AllowICMPs'. This new action accepts critical ICMP types:
    -    
    -     Type 3 code 4 (fragmentation needed)
    -     Type 11       (TTL - exceeded)
    -
    -
  26. -
  27. Explicit control over the kernel's Martian logging is now provided - using the new 'logmartians' interface option. If you include - 'logmartians' in the interface option list then logging of Martian - packets on will be enabled on the specified interface. If you wish to - globally enable martian logging, you can set LOG_MARTIANS=Yes in - shorewall.conf.
  28. -
  29. You may now cause Shorewall to use the '--set-mss' option of the TCPMSS - target. In other words, you can cause Shorewall to set the MSS field of - SYN packets passing through the firewall to the value you specify. This - feature extends the existing CLAMPMSS option in - /etc/shorewall/shorewall.conf by allowing that option to have a numeric - value as well as the values "Yes" and "No".
    -
    - Example:
    -
    -     CLAMPMSS=1400
    -
    -
  30. -
  31. Shorewall now includes support for the ipp2p match facility. This is a - departure from my usual policy in that the ipp2p match facility is - included in Patch-O-Matic-NG and is unlikely to ever be included in the - kernel.org source tree. Questions about how to install the patch or how - to build your kernel and/or iptables should not be posted on the - Shorewall mailing lists.
    -
    - In the following files, the "PROTO" or "PROTOCOL" column may contain - "ipp2p":
    -
    -        /etc/shorewall/rules
    -        /etc/shorewall/tcrules
    -        /etc/shorewall/accounting
    -
    - When the PROTO or PROTOCOL column contains "ipp2p" then the DEST PORT(S) - or PORT(S) column may contain a recognized ipp2p option; for a list of - the options and their meaning, at a root prompt:
    -
    -     iptables -m ipp2p --help
    -
    - You must not include the leading "--" on the option; Shorewall will - supply those characters for you. If you do not include an option then - "ipp2p" is assumed (Shorewall will generate "-m ipp2p --ipp2p").
  32. -
  33. Shorewall now has support for the CONNMARK target from iptables. See - the /etc/shorewall/tcrules file for details.
  34. -
  35. A new debugging option LOGALLNEW has been added to shorewall.conf. When - set to a log level, this option causes Shorewall to generaate a logging - rule as the first rule in each builtin chain.
    -
    -     - The table name is used as the chain name in the log - prefix.
    -     - The chain name is used as the target in the log - prefix.
    -
    - Example: Using the default LOGFORMAT, the log prefix for logging from the - nat table's PREROUTING chain is:
    -
    -      Shorewall:nat:PREROUTING
    -
    - IMPORTANT: There is no rate limiting on these logging rules so use - LOGALLNEW at your own risk; it may cause high CPU and disk utilization - and you may not be able to control your firewall after you enable this - option.
    -
    - DANGER: DO NOT USE THIS OPTION IF THE RESULTING LOG MESSAGES WILL BE SENT - TO ANOTHER SYSTEM.
    -
    -
  36. -
  37. The SUBNET column in /etc/shorewall/rfc1918 has been renamed SUBNETS - and it is now possible to specify a list of addresses in that column.
  38. -
  39. The AllowNNTP action now also allows NNTP over SSL/TLS (NNTPS).
  40. -
  41. For consistency, the CLIENT PORT(S) column in the tcrules file has been - renamed SOURCE PORT(S).
  42. -
  43. The contents of /proc/sys/net/ip4/icmp_echo_ignore_all is now shown in - the output of "shorewall status".
  44. -
  45. A new IPTABLES option has been added to shorewall.conf. IPTABLES can be - used to designate the iptables executable to be used by Shorewall. If not - specified, the iptables executable determined by the PATH setting is - used.
  46. -
  47. You can now use the "shorewall show zones" command to display the - current contents of the zones. This is particularly useful if you use - dynamic zones (DYNAMIC_ZONES=Yes in shorewall.conf).
    -
    -     Example:
    -
    -       ursa:/etc/shorewall # shorewall show - zones
    -     - Shorewall-2.2.0-Beta7 Zones at ursa - Sat Nov 27 11:18:25 PST - 2004
    -  
    -     loc
    -        - eth0:192.168.1.0/24
    -        - eth1:1.2.3.4
    -     - net      
    -        - eth0:0.0.0.0/0
    -     WiFi
    -        - eth1:0.0.0.0/0
    -     sec
    -        - eth1:0.0.0.0/0
    -  
    -     - ursa:/etc/shorewall #
    -
    -
  48. -
  49. Variable expansion may now be used with the INCLUDE directive.
    -
    -     Example:
    -
    -     /etc/shorewall/params
    -
    -         FILE=/etc/foo/bar
    -
    -         Any other config file:
    -
    -         INCLUDE $FILE
    -
    -
  50. -
  51. The output of "shorewall status" now includes the results of "ip -stat - link ls". This helps diagnose performance problems caused by link - errors.
  52. -
  53. Previously, when rate-limiting was specified in /etc/shorewall/policy - (LIMIT:BURST column), any traffic which exceeded the specified rate was - silently dropped. Now, if a log level is given in the entry (LEVEL - column) then drops are logged at that level at a rate of 5/min with a - burst of 5.
  54. -
  55. Recent 2.6 kernels include code that evaluates TCP packets based on TCP - Window analysis. This can cause packets that were previously classified - as NEW or ESTABLISHED to be classified as INVALID.
    -
    - The new kernel code can be disabled by including this command in your - /etc/shorewall/init file:
    -
    -     echo 1 > - /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
    -
    - Additional kernel logging about INVALID TCP packets may be obtained by - adding this command to /etc/shorewall/init:
    -
    -     echo 1 > - /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
    -
    - Traditionally, Shorewall has dropped INVALID TCP packets early. The new - DROPINVALID option allows INVALID packets to be passed through the normal - rules chains by setting DROPINVALID=No.
    -
    - If not specified or if specified as empty (e.g., DROPINVALID="") then - DROPINVALID=Yes is assumed.
    -
    -
  56. -
  57. The "shorewall add" and "shorewall delete" commands now accept a list - of hosts to add or delete.
    -
    - Examples:
    -
    -     shorewall add - eth1:1.2.3.4 eth1:2.3.4.5 z12
    -    shorewall delete - eth1:1.2.3.4 eth1:2.3.4.5 z12
    -
    -     The above commands may also be written:
    -
    -     shorewall add - eth1:1.2.3.4,2.3.4.5 z12
    -    shorewall delete - eth1:1.2.3.4,2.3.4.5 z12
    -   
    -
  58. -
  59. TCP OpenVPN tunnels are now supported using the 'openvpn' tunnel type. - OpenVPN entries in /etc/shorewall/tunnels have this format:
    -
    -     openvpn[:{tcp|udp}][:<port>]    - <zone>        - <gateway>
    -
    - Examples:
    -
    -       openvpn:tcp    -      net    1.2.3.4    - # TCP tunnel on port 1194
    -     - openvpn:3344        net    - 1.2.3.4    # UDP on port 3344
    -     - openvpn:tcp:4455    net    - 1.2.3.4    # TCP on port 4455
    -
    -
  60. -
  61. A new 'ipsecvpn' script is included in the tarball and in the RPM. The - RPM installs the file in the Documentation directory - (/usr/share/doc/packages/shorewall-2.2.0-0RC1).
    -
    - This script is intended for use on Roadwarrior laptops for establishing - an IPSEC SA to/from remote networks. The script has some limitations:
  62. -
- -
-
    -
  • Only one instance of the script may be used at a time.
  • -
  • Only the first SPD accessed will be instantiated at the remote gateway. - So while the script creates SPDs to/from the remote gateway and each - network listed in the NETWORKS setting at the front of the script, only - one of these may be used at a time.
  • -
-
-
    -
  1. The output of "shorewall status" now lists the loaded netfilter kernel - modules.
  2. -
  3. The range of UDP ports opened by the AllowTrcrt action has been - increased to 33434:33524.
  4. -
  5. The IANA has recently registered port 1194 for use by OpenVPN. In - previous versions of Shorewall (and OpenVPN), the default port was 5000 - but has been changed to 1194 to conform to the new OpenVPN default.
  6. -
- -

01/17/2005 - Shorewall 2.2.0 RC5
-
-
Problems Corrected:
-

-
    -
  1. The AllowTrcrt action has been changed to allow up to 30 hops (same as - default for 'traceroute'). Previously, the action was documented as - allowing 20 hops but actually only allowed for 6 hops.
    -
  2. -
  3. Using some lightweight shells, valid entries in /etc/shorewall/ecn - produce startup errors.
  4. -
-New Features:
- -
    -
  1. A new AllowInvalid standard built-in action has been added. This action - accepts packets that are in the INVALID connection-tracking state.
  2. -
-01/16/2005 - New -Shorewall Mirrors
-
-
Thanks to Lorenzo Martignoni and Nick Slikey, there are now Shorewall -mirrors in Milan Italy and in Austin -Texas. Thanks Lorenzo and Nick!
-
-01/12/2005 - Shorewall 2.0.15
-

-Problems Corrected:
- -
    -
  1. The range of ports opened by the AllowTrcrt action has been expanded to - 33434:33524 to allow for a maximum of 30 hops.
  2. -
  3. Code mis-ported from 2.2.0 in release 2.0.14 caused the following error - during "shorewall start" where SYN rate-limiting is present in - /etc/shorewall/policy:
    -  
    -       Bad argument `DROP'
    -       Try `iptables -h' or 'iptables --help' for - more information.
    -
  4. -
-01/06/2005 - -Shorewall 2.2.0 RC4
-

-New Features:
- -
    -
  1. A listing of loaded iptables kernel modules is now included in the - output of "shorewall status".
    -
  2. -
-Problems Corrected.
- -
    -
  1. Several problems associated with processing the IPSEC colummn in - /etc/shorewall/masq have been corrected.
    -
  2. -
-01/03/2005 - Shorewall -2.0.14
-

-New Features:
- -
    -
  1. Previously, when rate-limiting was specified in /etc/shorewall/policy - (LIMIT:BURST column), any traffic which exceeded the specified rate was - silently dropped. Now, if a log level is given in the entry (LEVEL - column) then drops are logged at that level at a rate of 5/min with a - burst of 5.
    -
  2. -
-Problems Corrected:
- -
    -
  1. A typo in the /etc/shorewall/interfaces file has been fixed.
  2. -
  3. "bad variable" error messages occurring during "shorewall stop" and - "shorewall clear" have been eliminated.
  4. -
  5. A misleading typo in /etc/shorewall/tunnels has been corrected. The - TYPE column for an IPIP tunnel should contain "ipip" rather than "ip".
    -
  6. -
-12/31/2004 - -Mandrake-specific RPMs available
-
-
Jack Coates has generously volunteered to provide Shorewall RPMs for -use under Mandrake. You can download Jack's RPMs from http://www.monkeynoodle.org/tmp/
-
-12/31/2004 - -Redhat/Fedora-specific RPMs available
-

-Simon Matter has graciously volunteered to provide RPMs tailored for Redhat -and Fedora. You can download Simon's RPMs from http://www.invoca.ch/pub/packages/shorewall/
-
-Thanks, Simon!
-
-12/30/2004 - -Shorewall 2.2.0 RC3
-

-Problems Corrected:
- -
    -
  1. The following error message could appear during "shorewall stop" or - "shorewall clear":
    -                                                                                                                                                                                                                 
    -               - local: lo:: bad variable name
    -
    -
  2. -
  3. The rate limiting example in /etc/shorewall/rules has been changed to - use the RATE LIMIT column.
  4. -
  5. Entries in /etc/shorewall/masq with the INTERFACE column containing - <ifname>:: (e.g., "eth0::") would generate a progress message but - would not generate an iptables rule.
  6. -
  7. A misleading typo in /etc/shorewall/tunnels has been corrected.
    -
  8. -
- -


-

- -

12/24/2004 - Shorewall 2.2.0 RC2
-
-
New Features:
-

-
    -
  1. By popular demand, the default port for Open VPN tunnels is now 1194 - (the IANA-reserved port number for Open VPN).
  2. -
-12/19/2004 - -Shorewall 2.2.0 RC1
-
-
Problems Corrected:
- -
    -
  1. The syntax of the add and delete command has been clarified in the help - summary produced by /sbin/shorewall.
  2. -
-New Features:
- -
    -
  1. TCP OpenVPN tunnels are now supported using the 'openvpn' tunnel type. - OpenVPN entries in /etc/shorewall/tunnels have this format:
    -
    -     openvpn[:{tcp|udp}][:<port>]    - <zone>        <gateway>
    -
    - Examples:
    - -
        openvpn:tcp         net    1.2.3.4    # TCP tunnel on port 5000
    - openvpn:3344 net 1.2.3.4 # UDP on port 3344
    - openvpn:tcp:4455 net 1.2.3.4 # TCP on port 4455
    -
  2. -
  3. A new 'ipsecvpn' script is included in the tarball and in the RPM. The - RPM installs the file in the Documentation directory - (/usr/share/doc/packages/shorewall-2.2.0-0RC1).
    -
    - This script is intended for use on Roadwarrior laptops for establishing - an IPSEC SA to/from remote networks. The script has some limitations:
    -
    -     - Only one instance of the script may be used at a - time.
    -     - Only the first SPD accessed will be instantiated at - the remote gateway. So while the script creates SPDs to/from the remote - gateway and each network listed in the NETWORKS setting at the front of - the script, only one of these may be used at a time.
    -
  4. -
-12/11/2004 - -Shorewall 2.2.0 Beta 8
-
-
Problems Corrected:
- -
    -
  1. A typo in the /etc/shorewall/interfaces file has been corrected.
  2. -
  3. Previously, the "add" and "delete" commands were generating incorrect - policy matches when policy match support was available.
  4. -
-New Features:
- -
    -
  1. Recent 2.6 kernels include code that evaluates TCP packets based on TCP - Window analysis. This can cause packets that were previously classified - as NEW or ESTABLISHED to be classified as INVALID.
    -
    - The new kernel code can be disabled by including this command in your - /etc/shorewall/init file:
    -
    -     echo 1 > - /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
    -
    - Additional kernel logging about INVALID TCP packets may be obtained by - adding this command to /etc/shorewall/init:
    -
    -     echo 1 > - /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
    -
    - Traditionally, Shorewall has dropped INVALID TCP packets early. The new - DROPINVALID option allows INVALID packets to be passed through the normal - rules chains by setting DROPINVALID=No.
    -
    - If not specified or if specified as empty (e.g., DROPINVALID="") then - DROPINVALID=Yes is assumed.
    -
    -
  2. -
  3. The "shorewall add" and "shorewall delete" commands now accept a list - of hosts to add or delete.
    -
    - Examples:
    -
    -     shorewall add eth1:1.2.3.4 eth1:2.3.4.5 z12
    -     shorewall delete eth1:1.2.3.4 eth1:2.3.4.5 z12
    -
    - The above commands may also be written:
    -
    -     shorewall add eth1:1.2.3.4,2.3.4.5 z12
    -     shorewall delete eth1:1.2.3.4,2.3.4.5 z12
    -   
    -
  4. -
-12/04/2004 - -Shorewall 2.2.0 Beta 7
-

-Problems Corrected:
- -
    -
  1. The "shorewall add" and "shorewall delete" commands now work in a - bridged environment. The syntax is:
    -  
    -            shorewall - add <interface>[:<port>]:<address> <zone>
    -            shorewall - delete <interface>[:<port>]:<address> <zone>
    -  
    -    Examples:
    -  
    -            shorewall - add br0:eth2:192.168.1.3 OK
    -            shorewall - delete br0:eth2:192.168.1.3 OK
    -
    -
  2. -
  3. Previously, "shorewall save" created an out-of-sequence restore script. - The commands saved in the user's /etc/shorewall/start script were - executed prior to the Netfilter configuration being restored. This has - been corrected so that "shorewall save" now places those commands at the - end of the script.
    -
    - To accomplish this change, the "restore base" file - (/var/lib/shorewall/restore-base) has been split into two files:
    -  
    - /var/lib/shorewall/restore-base -- commands to be executed before - Netfilter the configuration is restored.
    -  
    - /var/lib/shorewall/restore-tail -- commands to be executed after the - Netfilter configuration is restored.
    -
    -
  4. -
  5. Previously, traffic from the firewall to a dynamic zone member host did - not need to match the interface specified when the host was added to the - zone. For example, if eth0:1.2.3.4 is added to dynamic zone Z then - traffic out of any firewall interface to 1.2.3.4 will obey the fw->Z - policies and rules. This has been corrected.
  6. -
  7. Shorewall uses the temporary chain 'fooX1234' to probe iptables for - detrmining which features are supported. Previously, if that chain - happened to exist when Shorewall was run, capabilities were - mis-detected.
  8. -
-New Features:
- -
    -
  1. You can now use the "shorewall show zones" command to display the - current contents of the zones. This is particularly useful if you use - dynamic zones (DYNAMIC_ZONES=Yes in shorewall.conf).
    -  
    -     Example:
    -  
    -         ursa:/etc/shorewall # - shorewall show zones
    -         Shorewall-2.2.0-Beta7 Zones at - ursa - Sat Nov 27 11:18:25 PST 2004
    -  
    -         loc
    -            - eth0:192.168.1.0/24
    -            - eth1:1.2.3.4
    -         net
    -            - eth0:0.0.0.0/0
    -         WiFi
    -            - eth1:0.0.0.0/0
    -         sec
    -            - eth1:0.0.0.0/0
    -  
    -         ursa:/etc/shorewall #
    -
    -
  2. -
  3. Variable expansion may now be used with the INCLUDE directive.
    -  
    -     Example:
    -  
    -         /etc/shorewall/params
    -  
    -             - FILE=/etc/foo/bar
    -  
    -         Any other config file:
    -  
    -             - INCLUDE $FILE
    -
    -
  4. -
  5. The output of "shorewall status" now includes the results of "ip -stat - link ls". This helps diagnose performance problems caused by link - errors.
  6. -
  7. Previously, when rate-limiting was specified in /etc/shorewall/policy - (LIMIT:BURST column), any traffic which exceeded the specified rate was - silently dropped. Now, if a log
    - level is given in the entry (LEVEL column) then drops are logged at that - level at a rate of 5/min with a burst of 5.
    -
  8. -
-12/02/2004 - Shorewall -2.0.13
-
-
Problems Corrected:
- -
    -
  1. A typo in /usr/share/shorewall/firewall caused the "shorewall add" to - issue an error message:
    - -
    /usr/share/shorewall/firewall: line 1: match_destination_hosts: command not found
    -
  2. -
-12/01/2004 - Shorewall -2.0.12
-

-Problems Corrected:
- -
    -
  1. A typo in shorewall.conf (NETNOTSYN) has been corrected.
  2. -
  3. The "shorewall add" and "shorewall delete" commands now work in a - bridged environment. The syntax is:
    -  
    -       shorewall add - <interface>[:<bridge port>][:<address>] <zone>
    -       shorewall delete - <interface>[:<bridge port>][:<address>] <zone>
    -  
    - Examples:
    -  
    -       shorewall add br0:eth2:192.168.1.3 OK
    -       shorewall delete br0:eth2:192.168.1.3 - OK
    -
    -
  4. -
  5. Previously, "shorewall save" created an out-of-sequence restore script. - The commands saved in the user's /etc/shorewall/start script were - executed prior to the Netfilter configuration being restored. This has - been corrected so that "shorewall save" now places those commands at the - end of the script.
    -  
    - To accomplish this change, the "restore base" file - (/var/lib/shorewall/restore-base) has been split into two files:
    -  
    -    /var/lib/shorewall/restore-base -- commands to be executed - before the Netfilter configuration is restored.
    -  
    -    /var/lib/shorewall/restore-tail -- commands to be executed - after the Netfilter configuration is restored.
    -
    -
  6. -
  7. Previously, traffic from the firewall to a dynamic zone member host did - not need to match the interface specified when the host was added to the - zone. For example, if eth0:1.2.3.4 is added to dynamic zone Z then - traffic out of any firewall interface to 1.2.3.4 will obey the fw->Z - policies and rules. This has been corrected.
  8. -
-New Features:
- -
    -
  1. Variable expansion may now be used with the INCLUDE directive.
    -  
    - Example:
    -  
    -         /etc/shorewall/params
    -  
    -             - FILE=/etc/foo/bar
    -  
    -         Any other config file:
    -  
    -             - INCLUDE $FILE
    -
  2. -
-11/26/2004 - -Shorewall 2.2.0 Beta 6
-
-
Beta 5 was more or less DOA. Here's Beta 6.
-
-Problems Corrected:
- -
    -
  1. Fixed a number of problems associated with not having an IPTABLES value - assigned in shorewall.conf
  2. -
  3. Corrected a 'duplicate chain' error on "shorewall add" when the 'mss' - option is present in /etc/shorewall/ipsec.
    -
  4. -
-11/26/2004 - -Shorewall 2.2.0 Beta 5
-

-Problems corrected:
- -
    -
  1. A typo in shorewall.conf (NETNOTSYN) has been corrected.
  2. -
-New Features:
- -
    -
  1. For consistency, the CLIENT PORT(S) column in the tcrules file has been - renamed SOURCE PORT(S).
  2. -
  3. The contents of /proc/sys/net/ip4/icmp_echo_ignore_all is now shown in - the output of "shorewall status".
  4. -
  5. A new IPTABLES option has been added to shorewall.conf. IPTABLES can be - used to designate the iptables executable to be used by Shorewall. If not - specified, the iptables executable determined by the PATH setting is - used.
    -
  6. -
-11/23/2004 - Shorewall -2.0.11
-

-Problems corrected:
- -
    -
  1. The INSTALL file now include special instructions for Slackware - users.
  2. -
  3. The bogons file has been updated.
  4. -
  5. Service names are replaced by port numbers in /etc/shorewall/tos.
  6. -
  7. A typo in the install.sh file that caused an error during a new install - has been corrected.
  8. -
-New Features:
- -
    -
  1. The AllowNNTP action now allows NNTP over SSL/TLS (NTTPS).
    -
  2. -
-11/19/2004 - -Shorewall 2.2.0 Beta 4
-

-Problems Corrected:
- -
    -
  1. A cut and paste error resulted in some nonsense in the description of - the IPSEC column in /etc/shorewall/masq.
  2. -
  3. A typo in /etc/shorewall/rules has been corrected.
  4. -
  5. The bogons file has been updated.
  6. -
  7. The "shorewall add" command previously reported success but did nothing - -- now it works.
  8. -
-New Features:
- -
    -
  1. The AllowNNTP action now allows NNTP over SSL/TLS (NNTPS).
    -
  2. -
-11/09/2004 - -Shorewall 2.2.0 Beta 3
-

-Problems Corrected:
- -
    -
  1. Missing '#' in the rfc1918 file has been corrected.
  2. -
  3. The INSTALL file now includes special instructions for Slackware - users.
  4. -
-New Features:
- -
    -
  1. In CLASSIFY rules (/etc/shorewall/tcrules), an interface name may now - appear in the DEST column as in:
    - -
            #MARK/      SOURCE       DEST      PROTO     PORT(S)
    - #CLASSIFY
    - 1:30 - eth0 tcp 25
    -
  2. -
-11/02/2004 - -Shorewall 2.2.0 Beta 2
-
-
Problems Corrected:
- -
    -
  1. The "shorewall check" command results in the (harmless) error - message:
    -  
    -         /usr/share/shorewall/firewall: - line 2753:
    -            - check_dupliate_zones: command not found
    -
    -
  2. -
  3. The AllowNTP standard action now allows outgoing responses to - broadcasts.
  4. -
  5. A clarification has been added to the hosts file's description of the - 'ipsec' option pointing out that the option is redundent if the zone - named in the ZONE column has been designated an IPSEC zone in the - /etc/shorewall/ipsec file.
  6. -
-New Features:
- -
    -
  1. The SUBNET column in /etc/shorewall/rfc1918 has been renamed SUBNETS - and it is now possible to specify a list of addresses in that column.
    -
  2. -
-10/25/2004 - Shorewall -2.0.10
-

-Problems Corrected:
- -
    -
  1. The GATEWAY column was previously ignored in 'pptpserver' entries in - /etc/shorewall/tunnels.
  2. -
  3. When log rule numbers are included in the LOGFORMAT, duplicate rule - numbers could previously be generated.
  4. -
  5. The /etc/shorewall/tcrules file now includes a note to the effect that - rule evaluation continues after a match.
  6. -
  7. The error message produced if Shorewall couldn't obtain the routes - through an interface named in the SUBNET column of /etc/shorewall/masq - was less than helpful since it didn't include the interface name.
    -
  8. -
-New Features:
- -
    -
  1. The "shorewall status" command has been enhanced to include the values - of key /proc settings:
    -
    - Example from a two-interface firewall:
    -
    - /proc
    -
    -    /proc/sys/net/ipv4/ip_forward = 1
    -    /proc/sys/net/ipv4/conf/all/proxy_arp = 0
    -    /proc/sys/net/ipv4/conf/all/arp_filter = 0
    -    /proc/sys/net/ipv4/conf/all/rp_filter = 0
    -    /proc/sys/net/ipv4/conf/default/proxy_arp = 0
    -    /proc/sys/net/ipv4/conf/default/arp_filter = 0
    -    /proc/sys/net/ipv4/conf/default/rp_filter = 0
    -    /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
    -    /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
    -    /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
    -    /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
    -    /proc/sys/net/ipv4/conf/eth1/arp_filter = 0
    -    /proc/sys/net/ipv4/conf/eth1/rp_filter = 0
    -    /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
    -    /proc/sys/net/ipv4/conf/lo/arp_filter = 0
    -    /proc/sys/net/ipv4/conf/lo/rp_filter = 0
    -
  2. -
-
-10/24/2004 - -Shorewall 2.2.0 Beta1
-
-
The first beta in the 2.2 series is now available. Download location -is:
-
- - - - -

The features available in this release and the migration considerations -are covered in the release -notes. Highlights include:
-

-
    -
  1. The behavior produced by specifying a log level in an action invocation - is now much more rational. Previously, all packets sent to the action - were logged; now each rule within the invoked action behaves as if - logging had been specified on it.
  2. -
  3. Support for the 2.6 Kernel's native IPSEC implementation is now - available.
  4. -
  5. Support for ipp2p is included.
  6. -
  7. Support for the iptables CONNMARK facility is now included in - Shorewall.
  8. -
  9. A new LOGALLNEW option facilitates problem analysis.
  10. -
  11. Users with a large static blacklist can now defer loading the blacklist - until after the rest of the ruleset has been enabled. Doing so can - decrease substantially the amount of time that connections are disabled - during shorewall [re]start.
  12. -
  13. Support for the iptables 'iprange match' feature has been enabled. - Users whose kernel and iptables contain this feature can use ip address - ranges in most places in their Shorewall configuration where a CIDR - netowrk can be used.
  14. -
  15. Accepting of source routing and martian logging may now be - enabled/disabled on each interface.
  16. -
  17. Shorewall now supports the CLASSIFY iptable target.
  18. -
- -

9/23/2004 - Shorewall -2.0.9
-

-Problems Corrected:
-

-
    -
  1. Previously, an empty PROTO column or a value of "all" in that column - would cause errors when processing the /etc/shorewall/tcrules file.
  2. -
-New Features:
- -
    -
  1. The "shorewall status" command now includes the output of "brctl show" - if the bridge tools are installed.
    -
  2. -
- -

9/20/2004 – Change in -Shorewall Support

- -

Friends,

- -

The demands that my job and my personal life are currently -placing on me are such that supporing Shorewall to the extent that I have -been doing is just not possible any more.

- -

I will continue to be active on the development list and will -continue to develop Shorewall if at all possible.

- -

I will also continue to read the user's list and will help with -problems that interest me. But I am no longer going to hop on every problem -as soon as I see it.

- -

This change means that I'm going to have to depend on you folks -to help each other; I'm confident that we can make this work.

- -

8/22/2004 - Shorewall 2.0.8
-

-Problems Corrected:

-
    -
  1. Entries in the USER/GROUP column of an action file (made from - action.template) may be ignored or cause odd errors.

    -
  2. -
- -

7/29/2004 - Shorewall 2.0.7
-
-
Problems Corrected:

-
    -
  1. The PKTTYPE option introduced in version - 2.0.6 is now used when generating rules to REJECT packets. Broadcast - packets are silently dropped rather than being rejected with an ICMP - (which is a protocol violation) and users whose kernels have broken - packet type match support are likely to see messages reporting this - violation. Setting PKTTYPE=No should cause these messages to cease.

    -
  2. -
  3. Multiple interfaces with the 'blacklist' - option no longer result in an error message at startup.

    -
  4. -
  5. The following has been added to /etc/shorewall/bogons:
    -
    -        0.0.0.0   RETURN
    -
    - This prevents the 'nobogons' option from logging DHCP 'DISCOVER' - broadcasts.

    -
  6. -
- -

New Features:

-
    -
  1. To improve supportability, the "shorewall status" command now - includes IP and Route configuration information.
    -
    -    Example:
    -
    -    IP Configuration
    -
    -    1: lo: <LOOPBACK,UP> mtu 16436 - qdisc noqueue
    -       link/loopback - 00:00:00:00:00:00 brd 00:00:00:00:00:00
    -       inet 127.0.0.1/8 - brd 127.255.255.255 scope host lo
    -       inet6 ::1/128 scope - host
    -    2: eth0: - <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen - 1000
    -       link/ether - 00:a0:c9:15:39:78 brd ff:ff:ff:ff:ff:ff
    -       inet6 - fe80::2a0:c9ff:fe15:3978/64 scope link
    -    3: eth1: - <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen - 1000
    -       link/ether - 00:a0:c9:a7:d7:bf brd ff:ff:ff:ff:ff:ff
    -       inet6 - fe80::2a0:c9ff:fea7:d7bf/64 scope link
    -    5: sit0@NONE: <NOARP> mtu 1480 - qdisc noop
    -       link/sit 0.0.0.0 - brd 0.0.0.0
    -    6: eth2: - <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen - 1000
    -       link/ether - 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
    -       inet6 - fe80::240:d0ff:fe07:3a1b/64 scope link
    -    7: br0: - <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc - noqueue
    -       link/ether - 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
    -       inet 192.168.1.3/24 - brd 192.168.1.255 scope global br0
    -       inet6 - fe80::240:d0ff:fe07:3a1b/64 scope link
    -
    -    Routing Rules
    -
    -    0:      from - all lookup local
    -    32765:  from all - fwmark       ca lookup www.out
    -    32766:  from all lookup - main
    -    32767:  from all lookup - default
    -
    -    Table local:
    -
    -    broadcast 192.168.1.0 dev br0  - proto kernel  scope link  src 192.168.1.3
    -    broadcast 127.255.255.255 dev - lo  proto kernel  scope link  src 127.0.0.1
    -    local 192.168.1.3 dev br0  proto - kernel  scope host  src 192.168.1.3
    -    broadcast 192.168.1.255 dev br0  - proto kernel  scope link  src 192.168.1.3
    -    broadcast 127.0.0.0 dev lo  - proto kernel  scope link  src 127.0.0.1
    -    local 127.0.0.1 dev lo  proto - kernel  scope host  src 127.0.0.1
    -    local 127.0.0.0/8 dev lo  proto - kernel  scope host  src 127.0.0.1
    -
    -    Table www.out:
    -
    -    default via 192.168.1.3 dev - br0
    -
    -    Table main:
    -
    -    192.168.1.0/24 dev br0  proto - kernel  scope link  src 192.168.1.3
    -    default via 192.168.1.254 dev - br0
    -
    -    Table default:

    -
  2. -
- -

7/16/2004 - Shorewall 2.0.6
-
-
Problems Corrected:

-
    -
  • Some users have reported the packet type - match option in iptables/Netfilter failing to match certain broadcast - packets. The result is that the firewall log shows a lot of broadcast - packets.
    -
    - Other users have complained of the following message when starting - Shorewall:
    -
    -             - modprobe: cant locate module ipt_pkttype
    -
    - Users experiencing either of these problems can use PKTTYPE=No in - shorewall.conf to cause Shorewall to use IP address filtering of - broadcasts rather than packet type.

    -
  • -
  • The shorewall.conf and zones file are no - longer given execute permission by the installer script.

    -
  • -
  • ICMP packets that are in the INVALID state are now dropped by the - Reject and Drop default actions. They do so using the new 'dropInvalid' - builtin action.

    -
  • -
- -

7/10/2004 - Shorewall 2.0.5
-

-Problems Corrected:

-
    -
  • If DISABLE_IPV6=Yes in shorewall.conf - then harmless error messages referring to $RESTOREBASE are generated - during shorewall stop.

    -
  • -
  • An anachronistic comment concerning a mangle option has been removed - from shorewall.conf.

    -
  • -
- -

7/06/2004 - Shorewall 2.0.4
-

-Problems Corrected:

-
    -
  • Rules with $FW as the source zone and that specify logging can cause - "shorewall start" to fail.

    -
  • -
- -

7/03/2004 - New Shorewall Release Model
-
-
Effective today, Shorewall is adopting a new release model which takes -ideas from the one used in the Linux Kernel and from the release model for -Postfix.

-
    -
  1. Releases continue to have a three-level - identification x.y.z (e.g., 2.0.3).

    -
  2. -
  3. The first two levels (x.y) - designate the Major Release Number (e.g., 2.0)

    -
  4. -
  5. The third level (z) designates - the Minor Release Number.

    -
  6. -
  7. Even numbered major releases (e.g., - 1.4, 2.0, 2.2, ...) are Stable Releases. No new features - are added to stable releases and new minor releases of a stable release - will only contain bug fixes. Installing a new minor release for the major - release that you are currently running involves no migration issues (for - example, if you are running 1.4.10 and I release 1.4.11, your current - configuration is 100% compatible with the new release).

    -
  8. -
  9. Support is available through the Mailing List for the two most - recent Stable Releases.

    -
  10. -
  11. Odd numbered major releases (e.g., 2.1, - 2.3, ...) are Development Releases. Development releases are where - new functionality is introduced. Documentation for new features will be - available but it may not be up to the standards of the stable release - documentation. Sites running Development Releases should be prepared to - play an active role in testing new features. Bug fixes and problem - resolution for the development release take a back seat to support of the - stable releases. Problem reports for the current development release - should be sent to the Shorewall Development - Mailing List.

    -
  12. -
  13. When the level of functionality of the - current development release is judged adaquate, the Beta period for a new - Stable release will begin. Beta releases have identifications of the form - x.y.0-BetaN where x.y is the number of the next Stable - Release and N=1,2,3... . Betas are expected to occur rougly once - per year. Beta releases may contain new functionality not present in the - previous beta release (e.g., 2.2.0-Beta4 may contain functionality not - present in 2.2.0-Beta3). When I'm confident that the current Beta release - is stable, I will release the first Release Candidate. Release - candidates have identifications of the form x.y.0-RCn where - x.y is the number of the next Stable Release and n=1,2,3... - . Release candidates contain no new functionailty -- they only contain - bug fixes. When the stability of the current release candidate is judged - to be sufficient then that release candidate will be released as the new - stable release (e.g., 2.2.0). At that time, the new stable release and - the prior stable release are those that are supported.

    -
  14. -
  15. What does it mean for a major release to - be supported? It means that I will answer questions about the - release and that if a bug is found, I will fix the bug and include the - fix in the next minor release.

    -
  16. -
  17. Between minor releases, bug fixes will continue to be made available - through the Errata page for each major release.

    -
  18. -
- -

The immediate implications of this change are as follows:

-
    -
  1. The functionality of the 2.0 major - release is frozen at the level of minor release 2.0.3.

    -
  2. -
  3. The two major releases currently - supported are 1.4 and 2.0.

    -
  4. -
  5. I will be opening the 2.1 development - release shortly with the release of 2.1.0.

    -
  6. -
  7. Bug-fix releases with identifications of the form x.y.zX - where X=a,b,c,... (e.g., 2.0.3c) will not be seen in the future.

    -
  8. -
- -

7/02/2004 - Shorewall 2.0.3c
-
-
Problems Corrected:

-
    -
  1. Error messages regarding $RESTOREBASE - occur during shorewall stop

    -
  2. -
  3. If CLEAR_TC=Yes in shorewall.conf, shorewall stop - fails without removing the lock file.

    -
  4. -
- -


-6/30/2004 - Shorewall 2.0.3b and Shorewall 1.4.10g
-
-
Problems Corrected:

-
    -
  1. The security vulnerability fix released - in Shorewall 2.0.3a failed under Slackware 9.1.

    -
  2. -
  3. The security vulnerability fix released in Shorewall 2.0.3a failed - if mktemp was not installed.

    -
  4. -
- -

6/28/2004 - Shorewall 2.0.3a and Shorewall -1.4.10f
-
-
Problems Corrected:

-
    -
  1. Javier Fernández-Sanguino - Peña has discovered an exploitable vulnerability in the - way that Shorewall handles temporary files and directories. The - vulnerability can allow a non-root user to cause arbitrary files on the - system to be overwritten. LEAF Bering and Bering uClibc users are - generally not at risk due to the fact that LEAF boxes do not typically - allow logins by non-root users.

    -
  2. -
  3. (2.0.3a only) A non-empty DEST entry in /etc/shorewall/tcrules will - generate an error and Shorewall fails to start.

    -
  4. -
- -

Note:: Slackware users may need the -'functions' file from CVS (STABLE/ project for 1.4.10f and STABLE2/ project -for 2.0.3a) to prevent startup errors with these versions installed. These -updatged files are also available from the Errata (2.0, 1.4).

- -

6/23/2004 - Shorewall 2.0.3
-
-
Problems Corrected:

-
    -
  1. The 'firewall' script is not purging - temporary restore files in /var/lib/shorewall. These files have names of - the form "restore-nnnnn".

    -
  2. -
  3. The /var/lib/shorewall/restore script - did not load the kernel modules specified in /etc/shorewall/modules.

    -
  4. -
  5. Specifying a null common action in - /etc/shorewall/actions (e.g., :REJECT) results in a startup error.

    -
  6. -
  7. If /var/lib/shorewall does not exist, - shorewall start fails.

    -
  8. -
  9. DNAT rules with a dynamic source zone - don't work properly. When used, these rules cause the rule to be checked - against ALL input, not just input from the designated zone.

    -
  10. -
  11. The install.sh script reported - installing some files in /etc/shorewall when the files were actually - installed in /usr/share/shorewall.

    -
  12. -
  13. Shorewall checks netfilter capabilities - before loading kernel modules. Hence if kernel module autoloading isn't - enabled, the capabilities will be misdetected.

    -
  14. -
  15. The 'newnotsyn' option in - /etc/shorewall/hosts has no effect.

    -
  16. -
  17. The file /etc/init.d/shorewall now gets - proper ownership when the RPM is built by a non-root user.

    -
  18. -
  19. Rules that specify bridge ports in both - the SOURCE and DEST columns no longer cause "shorewall start" to fail.

    -
  20. -
  21. Comments in the rules file have been - added to advise users that "all" in the SOURCE or DEST column does not - affect intra-zone traffic.

    -
  22. -
  23. With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now - passed through the blacklisting chains. Without this change, it is not - possible to blacklist hosts that are mounting certain types of ICMP-based - DOS attacks.

    -
  24. -
- -

Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:

-
    -
  1. The 'dropNonSyn' standard builtin action has been replaced with the - 'dropNotSyn' standard builtin action. The old name can still be used but - will generate a warning.

    -
  2. -
- -

New Features:

-
    -
  1. Shorewall now supports multiple saved - configurations.

    -
      -
    1. The default saved configuration - (restore script) in /var/lib/shorewall is now specified using the - RESTOREFILE option in shorewall.conf. If this variable isn't set then - to maintain backward compatibility, 'restore' is assumed.
      -
      - The value of RESTOREFILE must be a simple file name; no slashes ("/") - may be included.

      -
    2. -
    3. The "save" command has been extended - to be able to specify the name of a saved configuration.
      -
      -            - shorewall save [ <file name> ]
      -
      - The current state is saved to /var/lib/shorewall/<file name>. - If no <file name> is given, the configuration is saved to the - file determined by the RESTOREFILE setting.

      -
    4. -
    5. The "restore" command has been - extended to be able to specify the name of a saved configuration:
      -
      -           shorewall - restore [ <file name> ]
      -
      - The firewall state is restored from /var/lib/shorewall/<file - name>. If no <file name> is given, the firewall state is - restored from the file determined by the RESTOREFILE setting.

      -
    6. -
    7. The "forget" command has changed. - Previously, the command unconditionally removed the - /var/lib/shorewall/save file which records the current dynamic - blacklist. The "forget" command now leaves that file alone.
      -
      - Also, the "forget" command has been extended to be able to specify - the name of a saved configuration:
      -
      -               - shorewall forget [ <file name> ]
      -
      - The file /var/lib/shorewall/<file name> is removed. If no - <file name> is given, the file determined by the RESTOREFILE - setting is removed.

      -
    8. -
    9. The "shorewall -f start" command - restores the state from the file determined by the RESTOREFILE - setting.

      -
    10. -
    -
  2. -
  3. "!" is now allowed in accounting - rules.

    -
  4. -
  5. Interface names appearing within the - configuration are now verified. Interface names must match the name of an - entry in /etc/shorewall/interfaces (or if bridging is enabled, they must - match the name of an entry in /etc/shorewall/interfaces or the name of a - bridge port appearing in /etc/shorewall/hosts).

    -
  6. -
  7. A new 'rejNotSyn' built-in standard - action has been added. This action responds to "New not SYN" packets with - an RST.
    -
    - The 'dropNonSyn' action has been superceded by the new 'dropNotSyn' - action. The old name will be accepted until the next major release of - Shorewall but will generate a warning.
    -
    - Several new logging actions involving "New not SYN" packets have been - added:
    -
    -         logNewNotSyn  -- logs the - packet with disposition = LOG
    -         dLogNewNotSyn -- logs the - packet with disposition = DROP
    -         rLogNewNotSyn -- logs the - packet with disposition = REJECT
    -
    - The packets are logged at the log level specified in the LOGNEWNOTSYN - option in shorewall.conf. If than option is empty or not specified, then - 'info' is assumed.
    -
    - Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):

    -
      -
    1. To simulate the behavior of - NEWNOTSYN=No:

      -
        -
      1. Add 'NoNewNotSyn' to - /etc/shorewall/actions.

        -
      2. -
      3. Create /etc/shorewall/action.NoNewNotSyn containing:
        -
        -             - dLogNotSyn
        -             - dropNotSyn

        -
      4. -
      5. Early in your rules file, place:
        -
        -          - NoNewNotSyn   all   - all     tcp

        -
      6. -
      -
    2. -
    3. Drop 'New not SYN' packets from the - net only. Don't log them:

      -
        -
      1. Early in your rules file, place:
        -
        -          - dropNotSyn    - net        all   - tcp

        -
      2. -
      -
    4. -
    -
  8. -
  9. Slackware users no longer have to modify the install.sh script - before installation. Tuomo Soini has provided a change that allows the - INIT and FIREWALL variables to be specified outside the script as in:
    -
    -       DEST=/etc/rc.d INIT=rc.firewall - ./install.sh

    -
  10. -
- -

6/3/2004 - Shorewall 2.0.2f
-

- -

Fixes one problem:
-

-
    -
  1. Versions 2.0.2d and 2.0.2e fail to load kernel modules unless - MODULE_SUFFIX is set in shorewall.conf
    -
  2. -
- -

6/2/2004 - Shorewall 2.0.2e
-

- -

One problem corrected:
-

-
    -
  1. LOG rules within an action generate two Netfilter logging rules.
    -
  2. -
- -

5/28/2004 - Shorewall 2.0.2d
-

-One problem corrected:
-

-
    -
  1. Shorewall was checking capabilities before loading kernel modules. - Consequently, if kernel module autoloading was disabled, the capabilities - were mis-detected.
    -
  2. -
- -

5/21/2004 - Shorewall 2.0.2c

-One problem corrected:
- -
    -
  1.  DNAT rules with a dynamic source zone don't work properly. When - used, these rules cause the rule to be checked against ALL input,  - not just input from the designated zone.
    -
  2. -
- -

5/18/2004 - Shorewall 2.0.2b 

- -

Corrects two problems:

-
    -
  1. Specifying a null common action in /etc/shorewall/actions (e.g., - :REJECT) results in a startup error.
    -
    -
  2. -
  3. If /var/lib/shorewall does not exist, shorewall start fails.
    -
  4. -
- -

5/15/2004 - Shorewall 2.0.2a
-

- -

Corrects two problems:
-

-
    -
  1. Temporary restore files were not being removed from /var/lib/shorewall. - These files have names of the form 'restore-nnnnn'.  You can remove - files that have accumulated with the command:
    -
    -     rm -f /var/lib/shorewall/restore-[0-9]*
    -
    -
  2. -
  3. The restore script did not load kernel modules. The result was that - after a cold load, applications like FTP and IRC DCC didn't work.
    -
    - To correct:
    -
    -     1) Install 2.0.2a
    -     2) "shorewall restart"
    -     3) "shorewall save"
  4. -
- -

5/13/2004 - Shorewall 2.0.2 

- -

Problems Corrected since 2.0.1
-

-
    -
  1. The /etc/init.d/shorewall script installed on Debian by install.sh - failed silently due to a missing file (/usr/share/shorewall/wait4ifup). - That file is not part of the normal Shorewall distribution and is - provided by the Debian maintainer.
  2. -
  3. A meaningless warning message out of the proxyarp file processing has - been eliminated.
  4. -
  5. The "shorewall delete" command now correctly removes all dynamic rules - pertaining to the host(s) being deleted. Thanks to Stefan Engel for this - correction.
  6. -
-Issues when migrating from Shorewall 2.0.1 to Shorewall 2.0.2:
- -
    -
  1. Extension Scripts -- In order for extension scripts to work properly - with the new iptables-save/restore integration (see New Feature 1 below), - some change may be required to your extension scripts. If your extension - scripts are executing commands other than iptables then those commands - must also be written to the restore file (a temporary file in - /var/lib/shorewall that is renamed /var/lib/shorewall/restore-base at the - end of the operation).
    -
    - The following functions should be of help:
    -
    - A. save_command() -- saves the passed command to the restore file.
    -
    -     Example:
    -
    -         save_command echo Operation - Complete
    -
    -    That command would simply write "echo Operation Complete" to - the restore file.
    -
    - B. run_and_save_command() -- saves the passed command to the restore file - then executes it. The return value is the exit status of the command.
    -
    -     Example:
    -
    -        run_and_save_command "echo 1 > - /proc/sys/net/ipv4/icmp_echo_ignore_all"
    -
    -     Note that as in this example, when the command - involves file redirection then the entire command must be enclosed in - quotes. This applies to all of the functions described here.
    -
    - C. ensure_and_save_command() -- runs the passed command. If the command - fails, the firewall is restored to it's prior saved state and the - operation is terminated. If the command succeeds, the command is written - to the restore file.
    -
    -
  2. -
  3. Dynamic Zone support -- If you don't need to use the "shorewall add" - and "shorewall delete commands, you should set DYNAMIC_ZONES=No in - /etc/shorewall/shorewall.conf.
  4. -
-New Features:
- -
    -
  1. Shorewall has now been integrated with iptables-save/iptables-restore - to provide very fast start and restart. The elements of this integration - are as follows:
    -
    - a) The 'shorewall save' command now saves the current configuration in - addition to the current dynamic blacklist. If you have dynamic zones, you - will want to issue 'shorewall save' when the zones are empty or the - current contents of the zones will be restored by the 'shorewall restore' - and 'shorewall -f start' commands.
    -
    - b) The 'shorewall restore' command has been added. This command restores - the configuration at the time of the last 'save'.
    -
    - c) The -f (fast) option has been added to 'shorewall start'. When - specified (e.g. 'shorewall -f start'), shorewall will perform a - 'shorewall restore' if there is a saved configuration. If there is no - saved configuration, a normal 'shorewall start' is performed.
    -
    - d) The /etc/init.d/shorewall script now translates the 'start' command - into 'shorewall -f start' so that fast restart is possible.
    -
    - e) When a state-changing command encounters an error and there is current - saved configuration, that configuration will be restored (currently, the - firewall is placed in the 'stopped' state).
    -
    - f) If you have previously saved the running configuration and want - Shorewall to discard it, use the 'shorewall forget' command. WARNING: - iptables 1.2.9 is broken with respect to iptables-save; if your kernel - has connection tracking match support, you must patch iptables 1.2.9 with - the iptables patch availale from the Shorewall errata page.
    -
    -
  2. -
  3. The previous implementation of dynamic zones was difficult to maintain. - I have changed the code to make dynamic zones optional under the control - of the DYNAMIC_ZONES option in /etc/shorewall/shorewall.conf.
    -
    -
  4. -
  5. In earlier Shorewall 2.0 releases, Shorewall searches in order the - following directories for configuration files.
    -
    - a) The directory specified in a 'try' command or specified using the -c - option.
    - b) /etc/shorewall
    - c) /usr/share/shorewall
    -
    - In this release, the CONFIG_PATH option is added to shorewall.conf. - CONFIG_PATH contains a list of directory names separated by colons (":"). - If not set or set to a null value (e.g., CONFIG_PATH="") then - "CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed. Now - Shorewall searches for shorewall.conf according to the old rules and for - other configuration files as follows:
    -
    - a) The directory specified in a 'try' command or specified using the -c - option.
    - b) Each directory in $CONFIG_PATH is searched in sequence.
    -
    - In case it is not obvious, your CONFIG_PATH should include - /usr/share/shorewall and your shorewall.conf file must be in the - directory specified via -c or in a try command, in /etc/shorewall or in - /usr/share/shorewall.
    -
    - For distribution packagers, the default CONFIG_PATH is set in - /usr/share/shorewall/configpath. You can customize this file to have a - default that differs from mine.
    -
    -
  6. -
  7. Previously, in /etc/shorewall/nat a Yes (or yes) in the LOCAL column - would only take effect if the ALL INTERFACES column also contained Yes or - yes. Now, the LOCAL columns contents are treated independently of the - contents of the ALL INTERFACES column.
    -
    -
  8. -
  9. The folks at Mandrake have created yet another kernel module naming - convention (module names end in "ko.gz"). As a consequence, beginning - with this release, if MODULE_SUFFIX isn't specified in shorewall.conf, - then the default value is "o gz ko o.gz ko.gz".
    -
    -
  10. -
  11. An updated bogons file is included in this release.
    -
    -
  12. -
  13. In /etc/shorewall/rules and in action files generated from - /usr/share/shorewall/action.template, rules that perform logging can - specify an optional "log tag". A log tag is a string of alphanumeric - characters and is specified by following the log level with ":" and the - log tag.
    -
    - Example:
    -
    -         ACCEPT:info:ftp - net     dmz     - tcp     21
    -
    - The log tag is appended to the log prefix generated by the LOGPREFIX - variable in /etc/shorewall/conf. If "ACCEPT:info" generates the log - prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will generate - "Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank). The maximum - length of a log prefix supported by iptables is 29 characters; if a - larger prefix is generated, Shorewall will issue a warning message and - will truncate the prefix to 29 characters.
    -
    -
  14. -
  15. A new "-q" option has been added to /sbin/shorewall commands. It causes - the start, restart, check and refresh commands to produce much less - output so that warning messages are more visible (when testing this - change, I discovered a bug where a bogus warning message was being - generated).
    -
    -
  16. -
  17. Shorewall now uses 'modprobe' to load kernel modules if that utility is - available in the PATH; otherwise, 'insmod' is used.
    -
    -
  18. -
  19. It is now possible to restrict entries in the /etc/shorewall/masq file - to particular protocols and destination port(s). Two new columns (PROTO - and PORT(S)) have been added to the file.
    -
    - Example:
    -
    - You want all outgoing SMTP traffic entering the firewall on eth1 to be - sent from eth0 with source IP address 206.124.146.177. You want all other - outgoing traffic from eth1 to be sent from eth0 with source IP address - 206.124.146.176.
    -
    -         eth0    - eth1    206.124.146.177 tcp     25
    -         eth0    - eth1    206.124.146.176
    -
    - THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
    -
    - Assuming that 10.0.0.0/8 is the only host/network connected to eth1, the - progress message at "shorewall start" would be:
    -
    -     Masqueraded Networks and Hosts:
    -        To 0.0.0.0/0 (tcp 25) from - 10.0.0.0/8 through eth0 using 206.124.146.177
    -        To 0.0.0.0/0 (all) from 10.0.0.0/8 - through eth0 using 206.124.146.176
    -
    -
  20. -
  21. Two new actions are available in the /etc/shorewall/rules file.
    -
    -     ACCEPT+    -- Behaves like ACCEPT with - the exception that it exempts matching connections from subsequent - DNAT[-] and REDIRECT[-] rules.
    -     NONAT      -- Exempts - matching connections from subsequent DNAT[-] and REDIRECT[-] rules.
    -
    -
  22. -
  23. A new extension script 'initdone' has been added. This script is - invoked at the same point as the 'common' script was previously and is - useful for users who mis-used that script under Shorewall 1.x (the script - was intended for adding rules to the 'common' chain but many users - treated it as a script for adding rules before Shorewall's).
    -
    -
  24. -
  25. Installing/Upgrading Shorewall on Slackware has been improved. - Slackware users must use the tarball and must modify settings in the - install.sh script before running it as follows:
    -
    -     DEST="/etc/rc.d"
    -     INIT="rc.firewall"
    -
    - Thanks to Alex Wilms for helping with this change.
  26. -
- -

4/17/2004 - Presentation at LinuxFest NW
-

-Today I gave a presentation at LinuxFest NW in Bellingham. The presentation -was entitled "Shorewall and the Enterprise" and described the history -of Shorewall and gave an overview of its features. - -

4/5/2004 - Shorewall 2.0.1
-

-Problems Corrected since 2.0.0
-
- -
    -
  1. Using actions in the manner recommended in the documentation results in - a Warning that the rule is a policy.
  2. -
  3. When a zone on a single interface is defined using - /etc/shorewall/hosts, superfluous rules are generated in the - <zone>_frwd chain.
  4. -
  5. Thanks to Sean Mathews, a long-standing problem with Proxy ARP and - IPSEC has been corrected. Thanks Sean!!!
  6. -
  7. The "shorewall show log" and "shorewall logwatch" commands incorrectly - displayed type 3 ICMP packets.
    -
  8. -
-Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:
-
- -
    -
  1. The function of 'norfc1918' is now split between that option and a new - 'nobogons' option.
    -
    - The rfc1918 file released with Shorewall now contains entries for only - those three address ranges reserved by RFC 1918. A 'nobogons' interface - option has been added which handles bogon source addresses (those which - are reserved by the IANA, those reserved for DHCP auto-configuration and - the class C test-net reserved for testing and documentation examples). - This will allow users to perform RFC 1918 filtering without having to - deal with out of date data from IANA. Those who are willing to update - their /usr/share/shorewall/bogons file regularly can specify the - 'nobogons' option in addition to 'norfc1918'.
    -
    - The level at which bogon packets are logged is specified in the new - BOGON_LOG_LEVEL variable in shorewall.conf. If that option is not - specified or is specified as empty (e.g, BOGON_LOG_LEVEL="") then bogon - packets whose TARGET is 'logdrop' in /usr/share/shorewall/bogons are - logged at the 'info' level.
  2. -
-New Features:
-
- -
    -
  1. Support for Bridging Firewalls has been added. For details, see
    -
    - http://shorewall.net/bridge.html
    -
    -
  2. -
  3. Support for NETMAP has been added. NETMAP allows NAT to be defined - between two network:
    -
    -            - a.b.c.1    -> x.y.z.1
    -            - a.b.c.2    -> x.y.z.2
    -            - a.b.c.3    -> x.y.z.3
    -            ...
    -
    -   http://shorewall.net/netmap.htm
    -
    -
  4. -
  5. The /sbin/shorewall program now accepts a "-x" option to cause iptables - to print out the actual packet and byte counts rather than abbreviated - counts such as "13MB".
    -
    - Commands affected by this are:
    -
    -             - shorewall -x show [ <chain>[ <chain> ...] ]
    -             - shorewall -x show tos|mangle
    -             - shorewall -x show nat
    -             - shorewall -x status
    -             - shorewall -x monitor [ <interval> ]
    -
    -
  6. -
  7. Shorewall now traps two common zone definition errors:
    - -
      -
    • Including the firewall zone in a /etc/shorewall/hosts record.
    • -
    • Defining an interface for a zone in both /etc/shorewall/interfaces - and /etc/shorewall/hosts.
      -
      -
    • -
    -
  8. -
  9. In the second case, the following will appear during "shorewall - [re]start" or "shorewall check":
    -
    -    Determining Hosts in Zones...
    -       ...
    -       Error: Invalid zone definition for zone - <name of zone>
    -    Terminated
    -
    -
  10. -
  11. To support bridging, the following options have been added to entries - in /etc/shorewall/hosts:
    -
    -            norfc1918
    -            nobogons
    -            blacklist
    -            tcpflags
    -            nosmurfs
    -            newnotsyn
    -
    - With the exception of 'newnotsyn', these options are only useful when the - entry refers to a bridge port.
    -
    -    Example:
    -
    -    #ZONE   HOST(S)      - OPTIONS
    -    net     br0:eth0     - norfc1918,nobogons,blacklist,tcpflags,nosmurfs
  12. -
- -

3/14/2004 - Shorewall 2.0.0b 

-Corrects two problems:
- -
    -
  1. Thanks to Sean Mathews, the long-standing problem with Proxy ARP and - IPSEC has been eliminated!
  2. -
  3. The default value of the ALL INTERFACES column in /etc/shorewall/nat is - documented as 'No' but the default continued to be 'Yes' as it was in - Shorewall 1.4.
    -
  4. -
- -

3/14/2004 - Shorewall 2.0.0a 

- -

Corrects one problem:
-

-
    -
  • Rules of the form:
    -
    - <action>     - zone1      zone2
    -
    - generated a warning stating that the rule was a policy.
    -
  • -
- -

3/14/2004 - Shorewall 2.0.0
-

- -

Dedicated to Agnes Van Slyke Eastep: March 14, 1910 - February 23, 2004
-

- -

Problems Corrected since 1.4.10
-

-
    -
  1. A blank USER/GROUP column in /etc/shorewall/tcrules no longer causes a - [re]start error.
  2. -
  3. The 'fgrep' utility is no longer required (caused startup problems on - LEAF/Bering).
  4. -
  5. The "shorewall add" command no longer inserts rules before checking of - the blacklist.
  6. -
  7. The 'detectnets' and 'routeback' options may now be used together with - the intended effect.
  8. -
  9. The following syntax previously produced an error:
    -
    - DNAT  z1!z2,z3       z4...
    -
  10. -
- -

Problems Corrected since RC2
-
-

-
    -
  1. CONTINUE rules now work again.
  2. -
  3. A comment in the rules file has been corrected.
    -
  4. -
- -

Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0:
-

-
    -
  1. The 'dropunclean' and 'logunclean' interface options are no longer - supported. If either option is specified in /etc/shorewall/interfaces, an - threatening message will be generated.
  2. -
  3. The NAT_BEFORE_RULES option has been removed from shorewall.conf. The - behavior of Shorewall is as if NAT_BEFORE_RULES=No had been specified. In - other words, DNAT rules now always take precidence over one-to-one NAT - specifications.
  4. -
  5. The default value for the ALL INTERFACES column in /etc/shorewall/nat - has changed. In Shorewall 1.*, if the column was left empty, a value of - "Yes" was assumed. This has been changed so that a value of "No" is now - assumed.
  6. -
  7. The following files don't exist in Shorewall 2.0:
    - /etc/shorewall/common.def
    - /etc/shorewall/common
    - /etc/shorewall/icmpdef
    - /etc/shorewall/action.template (Moved to /usr/share/shorewall)
    - /etc/shorewall/rfc1918 (Moved to /usr/share/shorewall).
    -
    - The /etc/shorewall/action file now allows an action to be designated as - the "common" action for a particular policy type by following the action - name with ":" and the policy (DROP, REJECT or ACCEPT).
    -
    - The file /usr/share/shorewall/actions.std has been added to define those - actions that are released as part of Shorewall. In that file are two - actions as follows:
    -
    -     Drop:DROP
    -    Reject:REJECT
    -
    - The "Drop" action is the common action for DROP policies while the - "Reject" action is the default action for "REJECT" policies. These - actions will be performed on packets prior to applying the DROP or REJECT - policy respectively. In the first release, the difference between - "Reject" and "Drop" is that "Reject" REJECTs SMB traffic while "Drop" - silently drops such traffic.
    -
    - As described above, Shorewall allows a common action for ACCEPT policies - but does not specify such an action in the default configuration.
    -
    - If for some reason, you don't wish to have a common DROP or REJECT - action, just include :DROP or :REJECT respectively in your - /etc/shorewall/actions file.
    -
    - The file /usr/share/shorewall/actions.std catalogs the standard actions - and is processed prior to /etc/shorewall/actions. This causes a large - number of actions to be defined. The files which define these aactions - are also located in /usr/share/shorewall as is the he action template - file (action.template).
    -
    - These actions may be used in the ACTION column of the rules column. So - for example, to allow FTP from your loc zone to your firewall, you would - place this rule in /etc/shorewall/rules:
    -
    -   #ACTION     - SOURCE       DEST
    -   AllowFTP     - loc               -     fw
    -
    - If you want to redefine any of the Shorewall-defined actions, simply copy - the appropriate action file from /usr/share/shorewall to /etc/shorewall - and modify the copy as desired. Your modified copy will be used rather - than the original one in /usr/share/shorewall.
    -
    - Note: The 'dropBcast' and 'dropNonSyn' actions are built into Shorewall - and may not be changed.
    -
    - Beginning with version 2.0.0-Beta2, Shorewall will only create a chain - for those actions that are actually used.
    -
    -
  8. -
  9. The /etc/shorewall directory no longer contains a 'users' file or a - 'usersets' file. Similar functionality is now available using - user-defined actions.
    -
    - Now, action files created by copying /usr/share/shorewall/action.template - may specify a USER and or GROUP name/id in the final column just like in - the rules file (see below). It is thus possible to create actions that - control traffic from a list of users and/or groups.
    -
    - The last column in /etc/shorewall/rules is now labeled USER/GROUP and may - contain:
    -
    -     [!]<user number>[:]
    -     [!]<user name>[:]
    -     [!]:<group number>
    -     [!]:<group name>
    -     [!]<user number>:<group number>
    -     [!]<user number>:<group name>
    -     [!]<user name>:<group number>
    -     [!]<user name>:<group name>
    -  
    -
  10. -
  11. It is no longer possible to specify rate limiting in the ACTION column - of /etc/shorewall/rules -- you must use the RATE LIMIT column.
    -
    -
  12. -
  13. Depending on which method you use to upgrade, if you have your own - version of /etc/shorewall/rfc1918, you may have to take special action to - restore it after the upgrade. Look for /etc/shorewall/rfc1918*, locate - the proper file and rename it back to /etc/shorewall/rfc1918. The - contents of that file will supercede the contents of - /usr/share/shorewall/rfc1918.
  14. -
- -

New Features:
-

-
    -
  1. The INCLUDE directive now allows absolute file names.
  2. -
  3. A 'nosmurfs' interface option has been added to - /etc/shorewall/interfaces. When specified for an interface, this option - causes smurfs (packets with a broadcast address as their source) to be - dropped and optionally logged (based on the setting of a new - SMURF_LOG_LEVEL option in shorewall.conf).
  4. -
  5. fw->fw traffic may now be controlled by Shorewall. There is no need - to define the loopback interface in /etc/shorewall/interfaces; you simply - add a fw->fw policy and fw->fw rules. If you have neither a - fw->fw policy nor fw->fw rules, all fw->fw traffic is - allowed.
  6. -
  7. There is a new PERSISTENT column in the proxyarp file. A value of "Yes" - in this column means that the route added by Shorewall for this host will - remain after a "shorewall stop" or "shorewall clear".
  8. -
  9. "trace" is now a synonym for "debug" in /sbin/shorewall commands. So to - trace the "start" command, you could enter:
    -
    - shorewall trace start 2> /tmp/trace
    -
    - The trace information would be written to the file /tmp/trace.
    -
    -
  10. -
  11. When defining an ipsec tunnel in /etc/shorewall/tunnels, if you follow - the tunnel type ("ipsec" or "ipsecnet") with ":noah" (e.g., - "ipsec:noah"), then Shorewall will only create rules for ESP (protocol - 50) and will not create rules for AH (protocol 51).
  12. -
  13. A new DISABLE_IPV6 option has been added to shorewall.conf. When this - option is set to "Yes", Shorewall will set the policy for the IPv6 INPUT, - OUTPUT and FORWARD chains to DROP during "shorewall [re]start" and - "shorewall stop". Regardless of the setting of this variable, "shorewall - clear" will silently attempt to set these policies to ACCEPT.
    -
    - If this option is not set in your existing shorewall.conf then a setting - of DISABLE_IPV6=No is assumed in which case, Shorewall will not touch any - IPv6 settings except during "shorewall clear".
  14. -
  15. The CONTINUE target is now available in action definitions. CONTINUE - terminates processing of the current action and returns to the point - where that action was invoked.
  16. -
- -

2/15/2004 - Shorewall 1.4.10c 

- -

Corrects one problem:
-

-Entries in /etc/shorewall/tcrules with an empty USER/GROUP column would cause -a startup error. - -

2/12/2004 - Shorewall 1.4.10b 

- -

Corrects one problem:
-

-
    -
  • In the /etc/shorewall/masq entry “eth0:!10.1.1.150    0.0.0.0/0!10.1.0.0/16   -   10.1.2.16”, the “!10.1.0.0/16” is ignored.
  • -
- -

2/8/2004 - Shorewall 1.4.10a 

- -

Corrects two problems:
-

-
    -
  • A problem which can cause [re]start to fail inexplicably while - processing /etc/shorewall/masq.
  • -
  • Interfaces using the Atheros WiFi card to use the 'maclist' option.
  • -
- -

1/30/2004 - Shorewall 1.4.10

- -

Problems Corrected since version 1.4.9

-
    -
  1. The column descriptions in the action.template file did not match the - column headings. That has been corrected.
  2. -
  3. The presence of IPV6 addresses on devices generated error messages - during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are - specified in /etc/shorewall/shorewall.conf. These messages have been - eliminated.
  4. -
  5. The CONTINUE action in /etc/shorewall/rules now works - correctly. A couple of problems involving rate limiting have been - corrected. These bug fixes courtesy of Steven Jan Springl.
  6. -
  7. Shorewall now tried to avoid sending an ICMP response to broadcasts and - smurfs.
  8. -
  9. Specifying "-" or "all" in the PROTO column of an action no longer - causes a startup error.
  10. -
-Migragion Issues:
-
-    None.
-
-New Features:
- -
    -
  1. The INTERFACE column in the /etc/shorewall/masq file may now specify a - destination list.
    -
    - Example:
    -
    -     #INTERFACE        -     SUBNET        ADDRESS
    -     eth0:192.0.2.3,192.0.2.16/28    eth1
    -
    - If the list begins with "!" then SNAT will occur only if the destination - IP address is NOT included in the list.
    -
    -
  2. -
  3. Output traffic control rules (those with the firewall as the source) - may now be qualified by the effective userid and/or effective group id of - the program generating the output. This feature is courtesy of  - Frédéric LESPEZ.
    -
    - A new USER column has been added to /etc/shorewall/tcrules. It may - contain :
    -
    -       [<user name or number>]:[<group - name or number>]
    -
    - The colon is optionnal when specifying only a user.
    -
    -        Examples : john: / john / :users / - john:users
    -
    -
  4. -
  5. A "detectnets" interface option has been added for entries in - /etc/shorewall/interfaces. This option automatically tailors the - definition of the zone named in the ZONE column to include just  - those hosts that have routes through the interface named in the INTERFACE - column. The named interface must be UP when Shorewall is [re]started.
    -
    -  WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE! -   
  6. -
- -

1/27/2004 - Shorewall 1.4.10 RC3

- -

http://shorewall.net/pub/shorewall/Beta
-ftp://shorewall.net/pub/shorewall/Beta
-

- -

Problems Corrected since version 1.4.9

-
    -
  1. The column descriptions in the action.template file did not match the - column headings. That has been corrected.
  2. -
  3. The presence of IPV6 addresses on devices generated error messages - during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are - specified in /etc/shorewall/shorewall.conf. These messages have been - eliminated.
  4. -
  5. The CONTINUE action in /etc/shorewall/rules now works - correctly. A couple of problems involving rate limiting have been - corrected. These bug fixes courtesy of Steven Jan Springl.
  6. -
  7. Shorewall now tried to avoid sending an ICMP response to broadcasts and - smurfs.
    -
  8. -
-Migragion Issues:
-
-    None.
-
-New Features:
- -
    -
  1. The INTERFACE column in the /etc/shorewall/masq file may now specify a - destination list.
    -
    - Example:
    -
    -     #INTERFACE        -     SUBNET        ADDRESS
    -     eth0:192.0.2.3,192.0.2.16/28    eth1
    -
    - If the list begins with "!" then SNAT will occur only if the destination - IP address is NOT included in the list.
    -
    -
  2. -
  3. Output traffic control rules (those with the firewall as the source) - may now be qualified by the effective userid and/or effective group id of - the program generating the output. This feature is courtesy of  - Frédéric LESPEZ.
    -
    - A new USER column has been added to /etc/shorewall/tcrules. It may - contain :
    -
    -       [<user name or number>]:[<group - name or number>]
    -
    - The colon is optionnal when specifying only a user.
    -
    -        Examples : john: / john / :users / - john:users
    -
    -
  4. -
  5. A "detectnets" interface option has been added for entries in - /etc/shorewall/interfaces. This option automatically tailors the - definition of the zone named in the ZONE column to include just  - those hosts that have routes through the interface named in the INTERFACE - column. The named interface must be UP when Shorewall is [re]started.
    -
    -  WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE! -   
  6. -
- -

1/24/2004 - Shorewall 1.4.10 RC2 

- -

http://shorewall.net/pub/shorewall/Beta
-ftp://shorewall.net/pub/shorewall/Beta
-

- -

Problems Corrected since version 1.4.9

-
    -
  1. The column descriptions in the action.template file did not match the - column headings. That has been corrected.
  2. -
  3. The presence of IPV6 addresses on devices generated error messages - during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are - specified in /etc/shorewall/shorewall.conf. These messages have been - eliminated.
  4. -
-Migragion Issues:
-
-    None.
-
-New Features:
- -
    -
  1. The INTERFACE column in the /etc/shorewall/masq file may now specify a - destination list.
    -
    - Example:
    -
    -     #INTERFACE        -     SUBNET        ADDRESS
    -     eth0:192.0.2.3,192.0.2.16/28    eth1
    -
    - If the list begins with "!" then SNAT will occur only if the destination - IP address is NOT included in the list.
    -
    -
  2. -
  3. Output traffic control rules (those with the firewall as the source) - may now be qualified by the effective userid and/or effective group id of - the program generating the output. This feature is courtesy of  - Frédéric LESPEZ.
    -
    - A new USER column has been added to /etc/shorewall/tcrules. It may - contain :
    -
    -       [<user name or number>]:[<group - name or number>]
    -
    - The colon is optionnal when specifying only a user.
    -
    -        Examples : john: / john / :users / - john:users
    -
    -
  4. -
  5. A "detectnets" interface option has been added for entries in - /etc/shorewall/interfaces. This option automatically tailors the - definition of the zone named in the ZONE column to include just  - those hosts that have routes through the interface named in the INTERFACE - column. The named interface must be UP when Shorewall is [re]started.
    -
    -  WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!
  6. -
- -

1/22/2004 - Shorewall 1.4.10 RC1 

- -

Problems Corrected since version 1.4.9

-
    -
  1. The column descriptions in the action.template file did not match the - column headings. That has been corrected.
  2. -
  3. The presence of IPV6 addresses on devices generated error messages - during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are - specified in /etc/shorewall/shorewall.conf. These messages have been - eliminated.
  4. -
-Migragion Issues:
-
-    None.
-
-New Features:
- -
    -
  1. The INTERFACE column in the /etc/shorewall/masq file may now specify a - destination list.
    -
    - Example:
    -
    -     #INTERFACE        -     SUBNET        ADDRESS
    -     eth0:192.0.2.3,192.0.2.16/28    eth1
    -
    - If the list begins with "!" then SNAT will occur only if the destination - IP address is NOT included in the list.
    -
    -
  2. -
  3. Output traffic control rules (those with the firewall as the source) - may now be qualified by the effective userid and/or effective group id of - the program generating the output. This feature is courtesy of  - Frédéric LESPEZ.
    -
    - A new USER column has been added to /etc/shorewall/tcrules. It may - contain :
    -
    -       [<user name or number>]:[<group - name or number>]
    -
    - The colon is optionnal when specifying only a user.
    -
    -        Examples : john: / john / :users / - john:users   
    -
  4. -
- -

1/13/2004 - Shorewall 1.4.9
-

- -

Problems Corrected since version 1.4.8:
-

-
    -
  1. There has been a low continuing level of confusion over the terms - "Source NAT" (SNAT) and "Static NAT". To avoid future confusion, all - instances of "Static NAT" have been replaced with "One-to-one NAT" in the - documentation and configuration files.
  2. -
  3. The description of NEWNOTSYN in shorewall.conf has been reworded for - clarity.
  4. -
  5. Wild-card rules (those involving "all" as SOURCE or DEST) will no - longer produce an error if they attempt to add a rule that would override - a NONE policy. The logic for expanding these wild-card rules now simply - skips those (SOURCE,DEST) pairs that have a NONE policy.
  6. -
  7. DNAT rules that also specified SNAT now work reliably. Previously, - there were cases where the SNAT specification was effectively - ignored.
  8. -
- -

Migration Issues:
-
-    None.
-
-New Features:
-

-
    -
  1. The documentation has been completely rebased to Docbook XML. The - documentation is now released as separate HTML and XML packages.
  2. -
  3. To cut down on the number of "Why are these ports closed rather than - stealthed?" questions, the SMB-related rules in /etc/shorewall/common.def - have been changed from 'reject' to 'DROP'.
  4. -
  5. For easier identification, packets logged under the 'norfc1918' - interface option are now logged out of chains named 'rfc1918'. - Previously, such packets were logged under chains named 'logdrop'.
  6. -
  7. Distributors and developers seem to be regularly inventing new naming - conventions for kernel modules. To avoid the need to change Shorewall - code for each new convention, the MODULE_SUFFIX option has been added to - shorewall.conf. MODULE_SUFFIX may be set to the suffix for module names - in your particular distribution. If MODULE_SUFFIX is not set in - shorewall.conf, Shorewall will use the list "o gz ko o.gz".
    -
    - To see what suffix is used by your distribution:
    -
    - ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
    -
    - All of the files listed should have the same suffix (extension). Set - MODULE_SUFFIX to that suffix.
    -
    - Examples:
    -
    -      If all files end in ".kzo" then set - MODULE_SUFFIX="kzo"
    -      If all files end in ".kz.o" then set - MODULE_SUFFIX="kz.o"
  8. -
  9. Support for user defined rule ACTIONS has been implemented through two - new files:
    -
    - /etc/shorewall/actions - used to list the user-defined ACTIONS.
    - /etc/shorewall/action.template - For each user defined <action>, - copy this file to /etc/shorewall/action.<action> and add the - appropriate rules for that <action>. Once an <action> has - been defined, it may be used like any of the builtin ACTIONS (ACCEPT, - DROP, etc.) in /etc/shorewall/rules.
    -
    - Example: You want an action that logs a packet at the 'info' level and - accepts the connection.
    -
    - In /etc/shorewall/actions, you would add:
    -
    -      LogAndAccept
    -
    - You would then copy /etc/shorewall/action.template to - /etc/shorewall/action.LogAndAccept and in that file, you would add the - two rules:
    -         LOG:info
    -         ACCEPT
  10. -
  11. The default value for NEWNOTSYN in shorewall.conf is now "Yes" (non-syn - TCP packets that are not part of an existing connection are filtered - according to the rules and policies rather than being dropped). I have - made this change for two reasons:
    -
    - a) NEWNOTSYN=No tends to result in lots of "stuck" connections since any - timeout during TCP session tear down results in the firewall dropping all - of the retries.
    -
    - b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in lots - of confusing messages when a connection got "stuck". While I could have - changed the default value of LOGNEWNOTSYN to suppress logging, I dislike - defaults that silently throw away packets.
  12. -
  13. The common.def file now contains an entry that silently drops ICMP - packets with a null source address. Ad Koster reported a case where these - were occuring frequently as a result of a broken system on his external - network.
  14. -
- -

12/29/2003 - Shorewall 1.4.9 Beta 2

- - - -

Problems Corrected since version 1.4.8:

-
    -
  1. There has been a low continuing level of confusion over the terms - "Source NAT" (SNAT) and "Static NAT". To avoid future confusion, all - instances of "Static NAT" have been replaced with "One-to-one NAT" in the - documentation and configuration files.
  2. -
  3. The description of NEWNOTSYN in shorewall.conf has been reworded for - clarity.
  4. -
  5. Wild-card rules (those involving "all" as SOURCE or DEST) will no - longer produce an error if they attempt to add a rule that would override - a NONE policy. The logic for expanding these wild-card rules now simply - skips those (SOURCE,DEST) pairs that have a NONE policy.
  6. -
  7. DNAT rules that also specified SNAT now work reliably. Previously, - there were cases where the SNAT specification was effectively ignored.
    -
  8. -
- -

Migration Issues:

- -

    None.
-
-New Features:

-
    -
  1. The documentation has been completely rebased to Docbook XML. The - documentation is now released as separate HTML and XML packages.
    -
  2. -
  3. To cut down on the number of "Why are these ports closed rather than - stealthed?" questions, the SMB-related rules in /etc/shorewall/common.def - have been changed from 'reject' to 'DROP'.
  4. -
  5. For easier identification, packets logged under the 'norfc1918' - interface option are now logged out of chains named 'rfc1918'. - Previously, such packets were logged under chains named 'logdrop'.
  6. -
  7. Distributors and developers seem to be regularly inventing new naming - conventions for kernel modules. To avoid the need to change Shorewall - code for each new convention, the MODULE_SUFFIX option has been added to - shorewall.conf. MODULE_SUFFIX may be set to the suffix for module names - in your particular distribution. If MODULE_SUFFIX is not set in - shorewall.conf, Shorewall will use the list "o gz ko o.gz".
    -
    - To see what suffix is used by your distribution:
    -
    - ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
    -
    - All of the files listed should have the same suffix (extension). Set - MODULE_SUFFIX to that suffix.
    -
    - Examples:
    -
    -      If all files end in ".kzo" then set - MODULE_SUFFIX="kzo"
    -      If all files end in ".kz.o" then set - MODULE_SUFFIX="kz.o"
  8. -
  9. Support for user defined rule ACTIONS has been implemented through two - new files:
    -
    - /etc/shorewall/actions - used to list the user-defined ACTIONS.
    - /etc/shorewall/action.template - For each user defined <action>, - copy this file to /etc/shorewall/action.<action> and add the - appropriate rules for that <action>. Once an <action> has - been defined, it may be used like any of the builtin ACTIONS (ACCEPT, - DROP, etc.) in /etc/shorewall/rules.
    -
    - Example: You want an action that logs a packet at the 'info' level and - accepts the connection.
    -
    - In /etc/shorewall/actions, you would add:
    -
    -      LogAndAccept
    -
    - You would then copy /etc/shorewall/action.template to - /etc/shorewall/action.LogAndAccept and in that file, you would add the - two rules:
    -         LOG:info
    -         ACCEPT
    -
  10. -
  11. The default value for NEWNOTSYN in shorewall.conf is now "Yes" (non-syn - TCP packets that are not part of an existing connection are filtered - according to the rules and policies rather than being dropped). I have - made this change for two reasons:
    -
    - a) NEWNOTSYN=No tends to result in lots of "stuck" connections since any - timeout during TCP session tear down results in the firewall dropping all - of the retries.
    -
    - b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in lots - of confusing messages when a connection got "stuck". While I could have - changed the default value of LOGNEWNOTSYN to suppress logging, I dislike - defaults that silently throw away packets.
    -
    -
  12. -
- -

12/28/2003 - www.shorewall.net/ftp.shorewall.net Back On-line -
-

- -

Our high-capacity server has been restored to service -- please let us know if you find any -problems.

- -

12/29/2003 - Shorewall 1.4.9 Beta 1

- - - -

Problems Corrected since version 1.4.8:

-
    -
  1. There has been a low continuing level of confusion over the terms - "Source NAT" (SNAT) and "Static NAT". To avoid future confusion, all - instances of "Static NAT" have been replaced with "One-to-one NAT" in the - documentation and configuration files.
  2. -
  3. The description of NEWNOTSYN in shorewall.conf has been reworded for - clarity.
  4. -
  5. Wild-card rules (those involving "all" as SOURCE or DEST) will no - longer produce an error if they attempt to add a rule that would override - a NONE policy. The logic for expanding these wild-card rules now simply - skips those (SOURCE,DEST) pairs that have a NONE policy.
  6. -
- -

Migration Issues:

- -

    None.
-
-New Features:

-
    -
  1. To cut down on the number of "Why are these ports closed rather than - stealthed?" questions, the SMB-related rules in /etc/shorewall/common.def - have been changed from 'reject' to 'DROP'.
  2. -
  3. For easier identification, packets logged under the 'norfc1918' - interface option are now logged out of chains named 'rfc1918'. - Previously, such packets were logged under chains named 'logdrop'.
  4. -
  5. Distributors and developers seem to be regularly inventing new naming - conventions for kernel modules. To avoid the need to change Shorewall - code for each new convention, the MODULE_SUFFIX option has been added to - shorewall.conf. MODULE_SUFFIX may be set to the suffix for module names - in your particular distribution. If MODULE_SUFFIX is not set in - shorewall.conf, Shorewall will use the list "o gz ko o.gz".
    -
    - To see what suffix is used by your distribution:
    -
    - ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
    -
    - All of the files listed should have the same suffix (extension). Set - MODULE_SUFFIX to that suffix.
    -
    - Examples:
    -
    -      If all files end in ".kzo" then set - MODULE_SUFFIX="kzo"
    -      If all files end in ".kz.o" then set - MODULE_SUFFIX="kz.o"
  6. -
  7. Support for user defined rule ACTIONS has been implemented through two - new files:
    -
    - /etc/shorewall/actions - used to list the user-defined ACTIONS.
    - /etc/shorewall/action.template - For each user defined <action>, - copy this file to /etc/shorewall/action.<action> and add the - appropriate rules for that <action>. Once an <action> has - been defined, it may be used like any of the builtin ACTIONS (ACCEPT, - DROP, etc.) in /etc/shorewall/rules.
    -
    - Example: You want an action that logs a packet at the 'info' level and - accepts the connection.
    -
    - In /etc/shorewall/actions, you would add:
    -
    -      LogAndAccept
    -
    - You would then copy /etc/shorewall/action.template to - /etc/shorewall/action.LogAndAccept and in that file, you would add the - two rules:
    -         LOG:info
    -         ACCEPT
    -
  8. -
  9. The default value for NEWNOTSYN in shorewall.conf is now "Yes" (non-syn - TCP packets that are not part of an existing connection are filtered - according to the rules and policies rather than being dropped). I have - made this change for two reasons:
    -
    - a) NEWNOTSYN=No tends to result in lots of "stuck" connections since any - timeout during TCP session tear down results in the firewall dropping all - of the retries.
    -
    - b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in lots - of confusing messages when a connection got "stuck". While I could have - changed the default value of LOGNEWNOTSYN to suppress logging, I dislike - defaults that silently throw away packets.
  10. -
- -

12/03/2003 - Support Torch Passed

-Effective today, I am reducing my participation in the day-to-day support of -Shorewall. As part of this shift to community-based Shorewall support a new -Shorewall -Newbies mailing list has been established to field questions and problems -from new users. I will not monitor that list personally. I will continue my -active development of Shorewall and will be available via the development -list to handle development issues -- Tom. - -

11/07/2003 - Shorewall 1.4.8
-
-
Problems Corrected since version 1.4.7:
-

-
    -
  1. Tuomo Soini has supplied a correction to a problem that occurs using - some versions of 'ash'. The symptom is that "shorewall start" fails - with:
    -  
    -    local: --limit: bad variable name
    -    iptables v1.2.8: Couldn't load match - `-j':/lib/iptables/libipt_-j.so:
    -    cannot open shared object file: No such file or directory
    -    Try `iptables -h' or 'iptables --help' for more - information.
  2. -
  3. Andres Zhoglo has supplied a correction that avoids trying to use the - multiport match iptables facility on ICMP rules.
    -  
    -    Example of rule that previously caused "shorewall start" to - fail:
    -  
    -            - ACCEPT      loc  $FW  - icmp    0,8,11,12
    -
    -
  4. -
  5. Previously, if the following error message was issued, Shorewall was - left in an inconsistent state.
    -  
    -    Error: Unable to determine the routes through interface - xxx
    -
    -
  6. -
  7. Handling of the LOGUNCLEAN option in shorewall.conf has been - corrected.
  8. -
  9. In Shorewall 1.4.2, an optimization was added. This optimization - involved creating a chain named "<zone>_frwd" for most zones - defined using the /etc/shorewall/hosts file. It has since been discovered - that in many cases these new chains contain redundant rules and that the - "optimization" turns out to be less than optimal. The implementation has - now been corrected.
  10. -
  11. When the MARK value in a tcrules entry is followed by ":F" or ":P", the - ":F" or ":P" was previously only applied to the first Netfilter rule - generated by the entry. It is now applied to all entries.
  12. -
  13. An incorrect comment concerning Debian's use of the SUBSYSLOCK option - has been removed from shorewall.conf.
  14. -
  15. Previously, neither the 'routefilter' interface option nor the - ROUTE_FILTER parameter were working properly. This has been corrected - (thanks to Eric Bowles for his analysis and patch). The definition of the - ROUTE_FILTER option has changed however. Previously, ROUTE_FILTER=Yes was - documented as enabling route filtering on all interfaces (which didn't - work). Beginning with this release, setting ROUTE_FILTER=Yes will enable - route filtering of all interfaces brought up while Shorewall is started. - As a consequence, ROUTE_FILTER=Yes can coexist with the use of the - 'routefilter' option in the interfaces file.
  16. -
  17. If MAC verification was enabled on an interface with a /32 address and - a broadcast address then an error would occur during startup.
  18. -
  19. The NONE policy's intended use is to suppress the generating of rules - that can't possibly be traversed. This means that a policy of NONE is - inappropriate where the source or destination zone is $FW or "all". - Shorewall now generates an error message if such a policy is given in - /etc/shorewall/policy. Previously such a policy caused "shorewall start" - to fail.
  20. -
  21. The 'routeback' option was broken for wildcard interfaces (e.g., - "tun+"). This has been corrected so that 'routeback' now works as - expected in this case.
    -
  22. -
-Migration Issues:
- -
    -
  1. The definition of the ROUTE_FILTER option in shorewall.conf has changed - as described in item 8) above.
    -
  2. -
-New Features:
- -
    -
  1. A new QUEUE action has been introduced for rules. QUEUE allows you to - pass connection requests to a user-space filter such as ftwall - (http://p2pwall.sourceforge.net). The ftwall program allows for effective - filtering of p2p applications such as Kazaa. For example, to use ftwall - to filter P2P clients in the 'loc' zone, you would add the following - rules:
    -
    -    QUEUE   loc    -      net    tcp
    -    QUEUE   loc    -      net    udp
    -    QUEUE   loc    -      fw     udp
    -
    - You would normally want to place those three rules BEFORE any ACCEPT - rules for loc->net udp or tcp.
    -
    - Note: When the protocol specified is TCP ("tcp", "TCP" or "6"), Shorewall - will only pass connection requests (SYN packets) to user space. This is - for compatibility with ftwall.
  2. -
  3. A BLACKLISTNEWNONLY option has been added to shorewall.conf. When this - option is set to "Yes", the blacklists (dynamic and static) are only - consulted for new connection requests. When set to "No" (the default if - the variable is not set), the blacklists are consulted on every - packet.
    -
    - Setting this option to "No" allows blacklisting to stop existing - connections from a newly blacklisted host but is more expensive in terms - of packet processing time. This is especially true if the blacklists - contain a large number of entries.
  4. -
  5. Chain names used in the /etc/shorewall/accounting file may now begin - with a digit ([0-9]) and may contain embedded dashes ("-").
  6. -
- -

10/30/2003 - Shorewall 1.4.8 RC1
-

-Given the small number of new features and the relatively few lines of code -that were changed, there will be no Beta for 1.4.8.
- - -

http://shorewall.net/pub/shorewall/Beta
-ftp://shorewall.net/pub/shorewall/Beta
-
-
Problems Corrected since version 1.4.7:
-

-
    -
  1. Tuomo Soini has supplied a correction to a problem that occurs using - some versions of 'ash'. The symptom is that "shorewall start" fails - with:
    -  
    -    local: --limit: bad variable name
    -    iptables v1.2.8: Couldn't load match - `-j':/lib/iptables/libipt_-j.so:
    -    cannot open shared object file: No such file or directory
    -    Try `iptables -h' or 'iptables --help' for more - information.
  2. -
  3. Andres Zhoglo has supplied a correction that avoids trying to use the - multiport match iptables facility on ICMP rules.
    -  
    -    Example of rule that previously caused "shorewall start" to - fail:
    -  
    -            - ACCEPT      loc  $FW  - icmp    0,8,11,12
    -
    -
  4. -
  5. Previously, if the following error message was issued, Shorewall was - left in an inconsistent state.
    -  
    -    Error: Unable to determine the routes through interface - xxx
    -
    -
  6. -
  7. Handling of the LOGUNCLEAN option in shorewall.conf has been - corrected.
  8. -
  9. In Shorewall 1.4.2, an optimization was added. This optimization - involved creating a chain named "<zone>_frwd" for most zones - defined using the /etc/shorewall/hosts file. It has since been discovered - that in many cases these new chains contain redundant rules and that the - "optimization" turns out to be less than optimal. The implementation has - now been corrected.
  10. -
  11. When the MARK value in a tcrules entry is followed by ":F" or ":P", the - ":F" or ":P" was previously only applied to the first Netfilter rule - generated by the entry. It is now applied to all entries.
  12. -
  13. An incorrect comment concerning Debian's use of the SYBSYSLOCK option - has been removed from shorewall.conf.
  14. -
  15. Previously, neither the 'routefilter' interface option nor the - ROUTE_FILTER parameter were working properly. This has been corrected - (thanks to Eric Bowles for his analysis and patch). The definition of the - ROUTE_FILTER option has changed however. Previously, ROUTE_FILTER=Yes was - documented as enabling route filtering on all interfaces (which didn't - work). Beginning with this release, setting ROUTE_FILTER=Yes will enable - route filtering of all interfaces brought up while Shorewall is started. - As a consequence, ROUTE_FILTER=Yes can coexist with the use of the - 'routefilter' option in the interfaces file.
  16. -
-Migration Issues:
- -
    -
  1. The definition of the ROUTE_FILTER option in shorewall.conf has changed - as described in item 8) above.
    -
  2. -
-New Features:
- -
    -
  1. A new QUEUE action has been introduced for rules. QUEUE allows you to - pass connection requests to a user-space filter such as ftwall - (http://p2pwall.sourceforge.net). The ftwall program allows for effective - filtering of p2p applications such as Kazaa. For example, to use ftwall - to filter P2P clients in the 'loc' zone, you would add the following - rules:
    -
    -    QUEUE   loc    -      net    tcp
    -    QUEUE   loc    -      net    udp
    -    QUEUE   loc    -      fw     udp
    -
    - You would normally want to place those three rules BEFORE any ACCEPT - rules for loc->net udp or tcp.
    -
    - Note: When the protocol specified is TCP ("tcp", "TCP" or "6"), Shorewall - will only pass connection requests (SYN packets) to user space. This is - for compatibility with ftwall.
  2. -
  3. A BLACKLISTNEWNONLY option has been added to shorewall.conf. When this - option is set to "Yes", the blacklists (dynamic and static) are only - consulted for new connection requests. When set to "No" (the default if - the variable is not set), the blacklists are consulted on every - packet.
    -
    - Setting this option to "No" allows blacklisting to stop existing - connections from a newly blacklisted host but is more expensive in terms - of packet processing time. This is especially true if the blacklists - contain a large number of entries.
  4. -
  5. Chain names used in the /etc/shorewall/accounting file may now begin - with a digit ([0-9]) and may contain embedded dashes ("-").
    -
  6. -
- -

10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper bag awards -Shorewall 1.4.7c -released.

-
    -
  1. The saga with "<zone>_frwd" chains continues. The 1.4.7c script - produces a ruleset that should work for everyone even if it is not quite - optimal. My apologies for this ongoing mess.
    -
  2. -
- -

10/24/2003 - Shorewall 1.4.7b

-This is a bugfx rollup of the 1.4.7a fixes plus:
- -
    -
  1. The fix for problem 5 in 1.4.7a was wrong with the result that - "<zone>_frwd" chains might contain too few rules. That wrong code - is corrected in this release.
    -
  2. -
- -

10/21/2003 - Shorewall 1.4.7a
-

- -

This is a bugfix rollup of the following problem corrections:
-

-
    -
  1. Tuomo Soini has supplied a correction to a problem that occurs using - some versions of 'ash'. The symptom is that "shorewall start" fails - with:
    -  
    -    local: --limit: bad variable name
    -    iptables v1.2.8: Couldn't load match - `-j':/lib/iptables/libipt_-j.so:
    -    cannot open shared object file: No such file or directory
    -    Try `iptables -h' or 'iptables --help' for more - information.
    -
    -
  2. -
  3. Andres Zhoglo has supplied a correction that avoids trying to use the - multiport match iptables facility on ICMP rules.
    -  
    -    Example of rule that previously caused "shorewall start" to - fail:
    -  
    -            - ACCEPT      loc  $FW  - icmp    0,8,11,12
    -
    -
  4. -
  5. Previously, if the following error message was issued, Shorewall was - left in an inconsistent state.
    -  
    -    Error: Unable to determine the routes through interface - xxx
    -
    -
  6. -
  7. Handling of the LOGUNCLEAN option in shorewall.conf has been - corrected.
  8. -
  9. In Shorewall 1.4.2, an optimization was added. This optimization - involved creating a chain named "<zone>_frwd" for most zones - defined using the /etc/shorewall/hosts file. It has since been discovered - that in many cases these new chains contain redundant rules and that the - "optimization" turns out to be less than optimal. The implementation has - now been corrected.
  10. -
  11. When the MARK value in a tcrules entry is followed by ":F" or ":P", the - ":F" or ":P" was previously only applied to the first Netfilter rule - generated by the entry. It is now applied to all entries.
    -
  12. -
- -

10/06/2003 - Shorewall 1.4.7
-

-Problems Corrected since version 1.4.6 (Those in bold font were corrected -since 1.4.7 RC2).
- -
    -
  1. Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was being - tested before it was set.
  2. -
  3. Corrected handling of MAC addresses in the SOURCE column of the tcrules - file. Previously, these addresses resulted in an invalid iptables - command.
  4. -
  5. The "shorewall stop" command is now disabled when - /etc/shorewall/startup_disabled exists. This prevents people from - shooting themselves in the foot prior to having configured Shorewall.
  6. -
  7. A change introduced in version 1.4.6 caused error messages during - "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were being - added to a PPP interface; the addresses were successfully added in spite - of the messages.
    -    
    - The firewall script has been modified to eliminate the error messages
  8. -
  9. Interface-specific dynamic blacklisting chains are now displayed by - "shorewall monitor" on the "Dynamic Chains" page (previously named - "Dynamic Chain").
  10. -
  11. Thanks to Henry Yang, LOGRATE and LOGBURST now work again.
  12. -
  13. The 'shorewall reject' and 'shorewall drop' commands now - delete any existing rules for the subject IP address before adding a new - DROP or REJECT rule. Previously, there could be many rules for the same - IP address in the dynamic chain so that multiple 'allow' commands were - required to re-enable traffic to/from the address.
  14. -
  15. When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following entry in - /etc/shorewall/masq resulted in a startup error:
    -  
    -    eth0 eth1     - 206.124.146.20-206.124.146.24
    -
    -
  16. -
  17. Shorewall previously choked over IPV6 addresses configured on - interfaces in contexts where Shorewall needed to detect something about - the interface (such as when "detect" appears in the BROADCAST column of - the /etc/shorewall/interfaces file).
  18. -
  19. Shorewall will now load module files that are formed from the module - name by appending ".o.gz".
  20. -
  21. When Shorewall adds a route to a proxy ARP host and such a route - already exists, two routes resulted previously. This has been corrected - so that the existing route is replaced if it already exists.
  22. -
  23. The rfc1918 file has been updated to reflect recent allocations.
  24. -
  25. The documentation of the USER SET column in the rules file has been - corrected.
  26. -
  27. If there is no policy defined for the zones specified in a rule, the - firewall script previously encountered a shell syntax error:
    -                                                                                                                                                                                    
    -         [: NONE: unexpected - operator
    -                                                                                                                                                                                    
    - Now, the absence of a policy generates an error message and the firewall - is stopped:
    -                                                                                                                                                                                    
    -         No policy defined from zone - <source> to zone <dest>
    -
    -
  28. -
  29. Previously, if neither /etc/shorewall/common nor - /etc/shorewall/common.def existed, Shorewall would fail to start and - would not remove the lock file. Failure to remove the lock file resulted - in the following during subsequent attempts to start:
    -                                                                                                                                                                                    
    -     Loading /usr/share/shorewall/functions...
    -     Processing /etc/shorewall/params ...
    -     Processing /etc/shorewall/shorewall.conf...
    -     Giving up on lock file /var/lib/shorewall/lock
    -     Shorewall Not Started
    -
    - Shorewall now reports a fatal error if neither of these two files exist - and correctly removes the lock fille.
  30. -
  31. The order of processing the various options has been changed such that - blacklist entries now take precedence over the 'dhcp' interface setting.
  32. -
  33. The log message generated from the 'logunclean' interface option has - been changed to reflect a disposition of LOG rather than DROP.
  34. -
  35. When a user name and/or a group name - was specified in the USER SET column and the destination zone was - qualified with a IP address, the user and/or group name was not being - used to qualify the rule.
    -  
    -     Example:
    -  
    -     ACCEPT fw  net:192.0.2.12 tcp 23 - - - - vladimir:
    -
    -
  36. -
  37. The /etc/shorewall/masq file has had - the spurious "/" character at the front removed.
    -
    -
  38. -
-Migration Issues:
- -
    -
  1. Shorewall IP Traffic Accounting has changed since snapshot 20030813 -- - see the Accounting Page for details.
  2. -
  3. The Uset Set capability introduced in SnapShot 20030821 has changed -- - see the User Set page for details.
  4. -
  5. The per-interface Dynamic Blacklisting facility introduced in the first - post-1.4.6 Snapshot has been removed. The facility had too many - idiosyncrasies for dial-up users to be a viable part of Shorewall.
    -
  6. -
-New Features:
- -
    -
  1. Thanks to Steve Herber, the 'help' command can now give - command-specific help (e.g., shorewall help <command>).
  2. -
  3. A new option "ADMINISABSENTMINDED" has been added to - /etc/shorewall/shorewall.conf. This option has a default value of "No" - for existing users which causes Shorewall's 'stopped' state  to - continue as it has been; namely, in the stopped state only traffic - to/from hosts listed in /etc/shorewall/routestopped is accepted.
    -
    - With ADMINISABSENTMINDED=Yes (the default for new installs), in addition - to traffic to/from the hosts listed in /etc/shorewall/routestopped, - Shorewall will allow:
    -
    -    a) All traffic originating from the firewall itself; and
    -    b) All traffic that is part of or related to an - already-existing connection.
    -
    -  In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" - entered through an ssh session will not kill the session.
    -
    -  Note though that even with ADMINISABSENTMINDED=Yes, it is still - possible for people to shoot themselves in the foot.
    -
    -  Example:
    -
    -  /etc/shorewall/nat:
    -
    -      206.124.146.178    - eth0:0    192.168.1.5   
    -
    -  /etc/shorewall/rules:
    -
    -    ACCEPT    net    - loc:192.168.1.5    tcp    22
    -    ACCEPT    loc    - fw        tcp    22
    -
    - From a remote system, I ssh to 206.124.146.178 which establishes an SSH - connection with local system 192.168.1.5. I then create a second SSH - connection from that computer to the firewall and confidently type - "shorewall stop". As part of its stop processing, Shorewall removes - eth0:0 which kills my SSH connection to 192.168.1.5!!!
  4. -
  5. Given the wide range of VPN software, I can never hope to add specific - support for all of it. I have therefore decided to add "generic" tunnel - support.
    -  
    - Generic tunnels work pretty much like any of the other tunnel types. You - usually add a zone to represent the systems at the other end of the - tunnel and you add the appropriate rules/policies to
    - implement your security policy regarding traffic to/from those - systems.
    -  
    - In the /etc/shorewall/tunnels file, you can have entries of the form:
    -
    - generic:<protocol>[:<port>]  <zone>  <ip - address>    <gateway zones>
    -  
    - where:
    -  
    -        <protocol> is the protocol - used by the tunnel
    -        <port>  if the protocol - is 'udp' or 'tcp' then this is the destination port number used by the - tunnel.
    -        <zone>  is the zone of - the remote tunnel gateway
    -        <ip address> is the IP address - of the remote tunnel gateway.
    -        <gateway zone>   - Optional. A comma-separated list of zone names. If specified, the remote - gateway is to be considered part of these zones.
  6. -
  7. An 'arp_filter' option has been added to the /etc/shorewall/interfaces - file. This option causes - /proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the - result that this interface will only answer ARP 'who-has' requests from - hosts that are routed out through that interface. Setting this option - facilitates testing of your firewall where multiple firewall interfaces - are connected to the same HUB/Switch (all interfaces connected to the - single HUB/Switch should have this option specified). Note that using - such a configuration in a production environment is strongly recommended - against.
  8. -
  9. The ADDRESS column in /etc/shorewall/masq may now include a - comma-separated list of addresses and/or address ranges. Netfilter will - use all listed addresses/ranges in round-robin fashion. \
  10. -
  11. An /etc/shorewall/accounting file has been added to allow for traffic - accounting.  See the accounting - documentation for a description of this facility.
  12. -
  13. Bridge interfaces (br[0-9]) may now be used in - /etc/shorewall/maclist.
  14. -
  15. ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in - /etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT - rules, rate limiting occurs in the nat table DNAT rule; the corresponding - ACCEPT rule in the filter table is not rate limited. If you want to limit - the filter table rule, you will need o create two rules; a DNAT- rule and - an ACCEPT rule which can be rate-limited separately.
    -  
    - Warning: When rate limiting is - specified on a rule with "all" in the SOURCE or DEST fields, the limit - will apply to each pair of zones individually rather than as a single - limit for all pairs of covered by the rule.
    -  
    - To specify a rate limit,
    -
    - a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with
    -  
    -       < - <rate>/<interval>[:<burst>] >
    -  
    -   where
    -  
    -       <rate> is the sustained rate per - <interval>
    -       <interval> is "sec" or "min"
    -       <burst> is the largest burst - accepted within an <interval>. If not given, the default of 5 is - assumed.
    -  
    - There may be no white space between the ACTION and "<" nor there may - be any white space within the burst specification. If you want to specify - logging of a rate-limited rule, the ":" and log level comes after the - ">" (e.g., ACCEPT<2/sec:4>:info ).
    -
    - b) A new RATE LIMIT column has been added to the /etc/shorewall/rules - file. You may specify the rate limit there in the format:
    -
    -       - <rate>/<interval>[:<burst>]
    -  
    - Let's take an example:
    -  
    -          - ACCEPT<2/sec:4>        - net     dmz     - tcp     80
    -    
    - The first time this rule is reached, the packet will be accepted; in - fact, since the burst is 4, the first four packets will be accepted. - After this, it will be 500ms (1 second divided by the rate
    - of 2) before a packet will be accepted from this rule, regardless of how - many packets reach it. Also, every 500ms which passes without matching a - packet, one of the bursts will be regained; if no packets hit the rule - for 2 second, the burst will be fully recharged; back where we - started.
    -
  16. -
  17. Multiple chains may now be displayed in one "shorewall show" command - (e.g., shorewall show INPUT FORWARD OUTPUT).
  18. -
  19. Output rules (those with $FW as the SOURCE) may now be limited to a set - of local users and/or groups. See http://shorewall.net/UserSets.html for - details.
  20. -
- -

10/02/2003 - Shorewall 1.4.7 RC2
-

- -

http://shorewall.net/pub/shorewall/Beta
-ftp://shorewall.net/pub/shorewall/Beta
-

-Problems Corrected since version 1.4.6 (Those in bold font were corrected -since 1.4.7 RC 1).
- -
    -
  1. Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was being - tested before it was set.
  2. -
  3. Corrected handling of MAC addresses in the SOURCE column of the tcrules - file. Previously, these addresses resulted in an invalid iptables - command.
  4. -
  5. The "shorewall stop" command is now disabled when - /etc/shorewall/startup_disabled exists. This prevents people from - shooting themselves in the foot prior to having configured Shorewall.
  6. -
  7. A change introduced in version 1.4.6 caused error messages during - "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were being - added to a PPP interface; the addresses were successfully added in spite - of the messages.
    -    
    - The firewall script has been modified to eliminate the error messages
  8. -
  9. Interface-specific dynamic blacklisting chains are now displayed by - "shorewall monitor" on the "Dynamic Chains" page (previously named - "Dynamic Chain").
  10. -
  11. Thanks to Henry Yang, LOGRATE and LOGBURST now work again.
  12. -
  13. The 'shorewall reject' and 'shorewall drop' commands now - delete any existing rules for the subject IP address before adding a new - DROP or REJECT rule. Previously, there could be many rules for the same - IP address in the dynamic chain so that multiple 'allow' commands were - required to re-enable traffic to/from the address.
  14. -
  15. When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following entry in - /etc/shorewall/masq resulted in a startup error:
    -  
    -    eth0 eth1     - 206.124.146.20-206.124.146.24
    -
    -
  16. -
  17. Shorewall previously choked over IPV6 addresses configured on - interfaces in contexts where Shorewall needed to detect something about - the interface (such as when "detect" appears in the BROADCAST column of - the /etc/shorewall/interfaces file).
  18. -
  19. Shorewall will now load module files that are formed from the module - name by appending ".o.gz".
  20. -
  21. When Shorewall adds a route to a proxy ARP host and such a route - already exists, two routes resulted previously. This has been corrected - so that the existing route is replaced if it already exists.
  22. -
  23. The rfc1918 file has been updated to reflect recent allocations.
  24. -
  25. The documentation of the USER SET - column in the rules file has been corrected.
  26. -
  27. If there is no policy defined for the - zones specified in a rule, the firewall script previously encountered a - shell syntax error:
    -                                                                                                                                                                                    
    -         [: NONE: unexpected - operator
    -                                                                                                                                                                                    
    - Now, the absence of a policy generates an error message and the firewall - is stopped:
    -                                                                                                                                                                                    
    -         No policy defined from zone - <source> to zone <dest>
    -
    -
  28. -
  29. Previously, if neither - /etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall - would fail to start and would not remove the lock file. Failure to remove - the lock file resulted in the following during subsequent attempts to - start:
    -                                                                                                                                                                                    
    -     Loading /usr/share/shorewall/functions...
    -     Processing /etc/shorewall/params ...
    -     Processing /etc/shorewall/shorewall.conf...
    -     Giving up on lock file /var/lib/shorewall/lock
    -     Shorewall Not Started
    -
    - Shorewall now reports a fatal error if neither of these two files exist - and correctly removes the lock fille.
  30. -
  31. The order of processing the various - options has been changed such that blacklist entries now take precedence - over the 'dhcp' interface setting.
  32. -
  33. The log message generated from the - 'logunclean' interface option has been changed to reflect a disposition - of LOG rather than DROP.
  34. -
  35. The RFC1918 file has been updated to - reflect recent IANA allocations.
    -
  36. -
-Migration Issues:
- -
    -
  1. Shorewall IP Traffic Accounting has changed since snapshot 20030813 -- - see the Accounting Page for details.
  2. -
  3. The Uset Set capability introduced in SnapShot 20030821 has changed -- - see the User Set page for details.
  4. -
  5. The per-interface Dynamic Blacklisting facility introduced in the first - post-1.4.6 Snapshot has been removed. The facility had too many - idiosyncrasies for dial-up users to be a viable part of Shorewall.
    -
  6. -
-New Features:
- -
    -
  1. Thanks to Steve Herber, the 'help' command can now give - command-specific help (e.g., shorewall help <command>).
  2. -
  3. A new option "ADMINISABSENTMINDED" has been added to - /etc/shorewall/shorewall.conf. This option has a default value of "No" - for existing users which causes Shorewall's 'stopped' state  to - continue as it has been; namely, in the stopped state only traffic - to/from hosts listed in /etc/shorewall/routestopped is accepted.
    -
    - With ADMINISABSENTMINDED=Yes (the default for new installs), in addition - to traffic to/from the hosts listed in /etc/shorewall/routestopped, - Shorewall will allow:
    -
    -    a) All traffic originating from the firewall itself; and
    -    b) All traffic that is part of or related to an - already-existing connection.
    -
    -  In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" - entered through an ssh session will not kill the session.
    -
    -  Note though that even with ADMINISABSENTMINDED=Yes, it is still - possible for people to shoot themselves in the foot.
    -
    -  Example:
    -
    -  /etc/shorewall/nat:
    -
    -      206.124.146.178    - eth0:0    192.168.1.5   
    -
    -  /etc/shorewall/rules:
    -
    -    ACCEPT    net    - loc:192.168.1.5    tcp    22
    -    ACCEPT    loc    - fw        tcp    22
    -
    - From a remote system, I ssh to 206.124.146.178 which establishes an SSH - connection with local system 192.168.1.5. I then create a second SSH - connection from that computer to the firewall and confidently type - "shorewall stop". As part of its stop processing, Shorewall removes - eth0:0 which kills my SSH connection to 192.168.1.5!!!
  4. -
  5. Given the wide range of VPN software, I can never hope to add specific - support for all of it. I have therefore decided to add "generic" tunnel - support.
    -  
    - Generic tunnels work pretty much like any of the other tunnel types. You - usually add a zone to represent the systems at the other end of the - tunnel and you add the appropriate rules/policies to
    - implement your security policy regarding traffic to/from those - systems.
    -  
    - In the /etc/shorewall/tunnels file, you can have entries of the form:
    -
    - generic:<protocol>[:<port>]  <zone>  <ip - address>    <gateway zones>
    -  
    - where:
    -  
    -        <protocol> is the protocol - used by the tunnel
    -        <port>  if the protocol - is 'udp' or 'tcp' then this is the destination port number used by the - tunnel.
    -        <zone>  is the zone of - the remote tunnel gateway
    -        <ip address> is the IP address - of the remote tunnel gateway.
    -        <gateway zone>   - Optional. A comma-separated list of zone names. If specified, the remote - gateway is to be considered part of these zones.
  6. -
  7. An 'arp_filter' option has been added to the /etc/shorewall/interfaces - file. This option causes - /proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the - result that this interface will only answer ARP 'who-has' requests from - hosts that are routed out through that interface. Setting this option - facilitates testing of your firewall where multiple firewall interfaces - are connected to the same HUB/Switch (all interfaces connected to the - single HUB/Switch should have this option specified). Note that using - such a configuration in a production environment is strongly recommended - against.
  8. -
  9. The ADDRESS column in /etc/shorewall/masq may now include a - comma-separated list of addresses and/or address ranges. Netfilter will - use all listed addresses/ranges in round-robin fashion. \
  10. -
  11. An /etc/shorewall/accounting file has been added to allow for traffic - accounting.  See the accounting - documentation for a description of this facility.
  12. -
  13. Bridge interfaces (br[0-9]) may now be used in - /etc/shorewall/maclist.
  14. -
  15. ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in - /etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT - rules, rate limiting occurs in the nat table DNAT rule; the corresponding - ACCEPT rule in the filter table is not rate limited. If you want to limit - the filter table rule, you will need o create two rules; a DNAT- rule and - an ACCEPT rule which can be rate-limited separately.
    -  
    - Warning: When rate limiting is - specified on a rule with "all" in the SOURCE or DEST fields, the limit - will apply to each pair of zones individually rather than as a single - limit for all pairs of covered by the rule.
    -  
    - To specify a rate limit,
    -
    - a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with
    -  
    -       < - <rate>/<interval>[:<burst>] >
    -  
    -   where
    -  
    -       <rate> is the sustained rate per - <interval>
    -       <interval> is "sec" or "min"
    -       <burst> is the largest burst - accepted within an <interval>. If not given, the default of 5 is - assumed.
    -  
    - There may be no white space between the ACTION and "<" nor there may - be any white space within the burst specification. If you want to specify - logging of a rate-limited rule, the ":" and log level comes after the - ">" (e.g., ACCEPT<2/sec:4>:info ).
    -
    - b) A new RATE LIMIT column has been added to the /etc/shorewall/rules - file. You may specify the rate limit there in the format:
    -
    -       - <rate>/<interval>[:<burst>]
    -  
    - Let's take an example:
    -  
    -          - ACCEPT<2/sec:4>        - net     dmz     - tcp     80
    -    
    - The first time this rule is reached, the packet will be accepted; in - fact, since the burst is 4, the first four packets will be accepted. - After this, it will be 500ms (1 second divided by the rate
    - of 2) before a packet will be accepted from this rule, regardless of how - many packets reach it. Also, every 500ms which passes without matching a - packet, one of the bursts will be regained; if no packets hit the rule - for 2 second, the burst will be fully recharged; back where we - started.
    -
  16. -
  17. Multiple chains may now be displayed in one "shorewall show" command - (e.g., shorewall show INPUT FORWARD OUTPUT).
  18. -
  19. Output rules (those with $FW as the SOURCE) may now be limited to a set - of local users and/or groups. See http://shorewall.net/UserSets.html for - details.
  20. -
- -

9/18/2003 - Shorewall 1.4.7 RC 1
-

- -

http://shorewall.net/pub/shorewall/Beta
-ftp://shorewall.net/pub/shorewall/Beta
-

-Problems Corrected since version 1.4.6 (Those in bold font were corrected -since 1.4.7 Beta 1).
- -
    -
  1. Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was being - tested before it was set.
  2. -
  3. Corrected handling of MAC addresses in the SOURCE column of the tcrules - file. Previously, these addresses resulted in an invalid iptables - command.
  4. -
  5. The "shorewall stop" command is now disabled when - /etc/shorewall/startup_disabled exists. This prevents people from - shooting themselves in the foot prior to having configured Shorewall.
  6. -
  7. A change introduced in version 1.4.6 caused error messages during - "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were being - added to a PPP interface; the addresses were successfully added in spite - of the messages.
    -    
    - The firewall script has been modified to eliminate the error messages
  8. -
  9. Interface-specific dynamic blacklisting chains are now displayed by - "shorewall monitor" on the "Dynamic Chains" page (previously named - "Dynamic Chain").
  10. -
  11. Thanks to Henry Yang, LOGRATE and LOGBURST now work again.
  12. -
  13. The 'shorewall reject' and 'shorewall drop' commands now - delete any existing rules for the subject IP address before adding a new - DROP or REJECT rule. Previously, there could be many rules for the same - IP address in the dynamic chain so that multiple 'allow' commands were - required to re-enable traffic to/from the address.
  14. -
  15. When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following entry in - /etc/shorewall/masq resulted in a startup error:
    -  
    -    eth0 eth1     - 206.124.146.20-206.124.146.24
    -
    -
  16. -
  17. Shorewall previously choked over IPV6 addresses configured on - interfaces in contexts where Shorewall needed to detect something about - the interface (such as when "detect" appears in the BROADCAST column of - the /etc/shorewall/interfaces file).
  18. -
  19. Shorewall will now load module files that are formed from the module - name by appending ".o.gz".
  20. -
  21. When Shorewall adds a route to a proxy ARP - host and such a route already exists, two routes resulted previously. - This has been corrected so that the existing route is replaced if it - already exists.
  22. -
  23. The rfc1918 file has been updated to - reflect recent allocations.
    -
  24. -
-Migration Issues:
- -
    -
  1. Shorewall IP Traffic Accounting has changed since snapshot 20030813 -- - see the Accounting Page for details.
  2. -
  3. The Uset Set capability introduced in SnapShot 20030821 has changed -- - see the User Set page for details.
  4. -
  5. The per-interface Dynamic Blacklisting facility introduced in the first - post-1.4.6 Snapshot has been removed. The facility had too many - idiosyncrasies for dial-up users to be a viable part of Shorewall.
    -
  6. -
-New Features:
- -
    -
  1. Thanks to Steve Herber, the 'help' command can now give - command-specific help (e.g., shorewall help <command>).
  2. -
  3. A new option "ADMINISABSENTMINDED" has been added to - /etc/shorewall/shorewall.conf. This option has a default value of "No" - for existing users which causes Shorewall's 'stopped' state  to - continue as it has been; namely, in the stopped state only traffic - to/from hosts listed in /etc/shorewall/routestopped is accepted.
    -
    - With ADMINISABSENTMINDED=Yes (the default for new installs), in addition - to traffic to/from the hosts listed in /etc/shorewall/routestopped, - Shorewall will allow:
    -
    -    a) All traffic originating from the firewall itself; and
    -    b) All traffic that is part of or related to an - already-existing connection.
    -
    -  In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" - entered through an ssh session will not kill the session.
    -
    -  Note though that even with ADMINISABSENTMINDED=Yes, it is still - possible for people to shoot themselves in the foot.
    -
    -  Example:
    -
    -  /etc/shorewall/nat:
    -
    -      206.124.146.178    - eth0:0    192.168.1.5   
    -
    -  /etc/shorewall/rules:
    -
    -    ACCEPT    net    - loc:192.168.1.5    tcp    22
    -    ACCEPT    loc    - fw        tcp    22
    -
    - From a remote system, I ssh to 206.124.146.178 which establishes an SSH - connection with local system 192.168.1.5. I then create a second SSH - connection from that computer to the firewall and confidently type - "shorewall stop". As part of its stop processing, Shorewall removes - eth0:0 which kills my SSH connection to 192.168.1.5!!!
  4. -
  5. Given the wide range of VPN software, I can never hope to add specific - support for all of it. I have therefore decided to add "generic" tunnel - support.
    -  
    - Generic tunnels work pretty much like any of the other tunnel types. You - usually add a zone to represent the systems at the other end of the - tunnel and you add the appropriate rules/policies to
    - implement your security policy regarding traffic to/from those - systems.
    -  
    - In the /etc/shorewall/tunnels file, you can have entries of the form:
    -
    - generic:<protocol>[:<port>]  <zone>  <ip - address>    <gateway zones>
    -  
    - where:
    -  
    -        <protocol> is the protocol - used by the tunnel
    -        <port>  if the protocol - is 'udp' or 'tcp' then this is the destination port number used by the - tunnel.
    -        <zone>  is the zone of - the remote tunnel gateway
    -        <ip address> is the IP address - of the remote tunnel gateway.
    -        <gateway zone>   - Optional. A comma-separated list of zone names. If specified, the remote - gateway is to be considered part of these zones.
  6. -
  7. An 'arp_filter' option has been added to the /etc/shorewall/interfaces - file. This option causes - /proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the - result that this interface will only answer ARP 'who-has' requests from - hosts that are routed out through that interface. Setting this option - facilitates testing of your firewall where multiple firewall interfaces - are connected to the same HUB/Switch (all interfaces connected to the - single HUB/Switch should have this option specified). Note that using - such a configuration in a production environment is strongly recommended - against.
  8. -
  9. The ADDRESS column in /etc/shorewall/masq may now include a - comma-separated list of addresses and/or address ranges. Netfilter will - use all listed addresses/ranges in round-robin fashion. \
  10. -
  11. An /etc/shorewall/accounting file has been added to allow for traffic - accounting.  See the accounting - documentation for a description of this facility.
  12. -
  13. Bridge interfaces (br[0-9]) may now be used in - /etc/shorewall/maclist.
  14. -
  15. ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in - /etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT - rules, rate limiting occurs in the nat table DNAT rule; the corresponding - ACCEPT rule in the filter table is not rate limited. If you want to limit - the filter table rule, you will need o create two rules; a DNAT- rule and - an ACCEPT rule which can be rate-limited separately.
    -  
    - Warning: When rate limiting is - specified on a rule with "all" in the SOURCE or DEST fields, the limit - will apply to each pair of zones individually rather than as a single - limit for all pairs of covered by the rule.
    -  
    - To specify a rate limit,
    -
    - a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with
    -  
    -       < - <rate>/<interval>[:<burst>] >
    -  
    -   where
    -  
    -       <rate> is the sustained rate per - <interval>
    -       <interval> is "sec" or "min"
    -       <burst> is the largest burst - accepted within an <interval>. If not given, the default of 5 is - assumed.
    -  
    - There may be no white space between the ACTION and "<" nor there may - be any white space within the burst specification. If you want to specify - logging of a rate-limited rule, the ":" and log level comes after the - ">" (e.g., ACCEPT<2/sec:4>:info ).
    -
    - b) A new RATE LIMIT column has been added to the /etc/shorewall/rules - file. You may specify the rate limit there in the format:
    -
    -       - <rate>/<interval>[:<burst>]
    -  
    - Let's take an example:
    -  
    -          - ACCEPT<2/sec:4>        - net     dmz     - tcp     80
    -    
    - The first time this rule is reached, the packet will be accepted; in - fact, since the burst is 4, the first four packets will be accepted. - After this, it will be 500ms (1 second divided by the rate
    - of 2) before a packet will be accepted from this rule, regardless of how - many packets reach it. Also, every 500ms which passes without matching a - packet, one of the bursts will be regained; if no packets hit the rule - for 2 second, the burst will be fully recharged; back where we - started.
    -
  16. -
  17. Multiple chains may now be displayed in one "shorewall show" command - (e.g., shorewall show INPUT FORWARD OUTPUT).
  18. -
  19. Output rules (those with $FW as the SOURCE) may now be limited to a set - of local users and/or groups. See http://shorewall.net/UserSets.html for - details.
  20. -
- -

9/15/2003 - Shorewall 1.4.7 Beta 2
-

- -

http://shorewall.net/pub/shorewall/Beta
-ftp://shorewall.net/pub/shorewall/Beta
-

-Problems Corrected since version 1.4.6 (Those in bold font were corrected -since 1.4.7 Beta 1).
- -
    -
  1. Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was being - tested before it was set.
  2. -
  3. Corrected handling of MAC addresses in the SOURCE column of the tcrules - file. Previously, these addresses resulted in an invalid iptables - command.
  4. -
  5. The "shorewall stop" command is now disabled when - /etc/shorewall/startup_disabled exists. This prevents people from - shooting themselves in the foot prior to having configured Shorewall.
  6. -
  7. A change introduced in version 1.4.6 caused error messages during - "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were being - added to a PPP interface; the addresses were successfully added in spite - of the messages.
    -    
    - The firewall script has been modified to eliminate the error messages
  8. -
  9. Interface-specific dynamic blacklisting chains are now displayed by - "shorewall monitor" on the "Dynamic Chains" page (previously named - "Dynamic Chain").
  10. -
  11. Thanks to Henry Yang, LOGRATE and LOGBURST now work again.
  12. -
  13. The 'shorewall reject' and - 'shorewall drop' commands now delete any existing rules for the subject - IP address before adding a new DROP or REJECT rule. Previously, there - could be many rules for the same IP address in the dynamic chain so that - multiple 'allow' commands were required to re-enable traffic to/from the - address.
  14. -
  15. When ADD_SNAT_ALIASES=Yes in shorewall.conf, - the following entry in /etc/shorewall/masq resulted in a startup - error:
    -  
    -    eth0 eth1     - 206.124.146.20-206.124.146.24
    -
    -
  16. -
  17. Shorewall previously choked over IPV6 - addresses configured on interfaces in contexts where Shorewall needed to - detect something about the interface (such as when "detect" appears in - the BROADCAST column of the /etc/shorewall/interfaces file).
  18. -
  19. Shorewall will now load module files - that are formed from the module name by appending ".o.gz".
    -
  20. -
-Migration Issues:
- -
    -
  1. Shorewall IP Traffic Accounting has changed since snapshot 20030813 -- - see the Accounting Page for details.
  2. -
  3. The Uset Set capability introduced in SnapShot 20030821 has changed -- - see the User Set page for details.
  4. -
  5. The per-interface Dynamic Blacklisting facility introduced in the first - post-1.4.6 Snapshot has been removed. The facility had too many - idiosyncrasies for dial-up users to be a viable part of Shorewall.
    -
  6. -
-New Features:
- -
    -
  1. Thanks to Steve Herber, the 'help' command can now give - command-specific help (e.g., shorewall help <command>).
  2. -
  3. A new option "ADMINISABSENTMINDED" has been added to - /etc/shorewall/shorewall.conf. This option has a default value of "No" - for existing users which causes Shorewall's 'stopped' state  to - continue as it has been; namely, in the stopped state only traffic - to/from hosts listed in /etc/shorewall/routestopped is accepted.
    -
    - With ADMINISABSENTMINDED=Yes (the default for new installs), in addition - to traffic to/from the hosts listed in /etc/shorewall/routestopped, - Shorewall will allow:
    -
    -    a) All traffic originating from the firewall itself; and
    -    b) All traffic that is part of or related to an - already-existing connection.
    -
    -  In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" - entered through an ssh session will not kill the session.
    -
    -  Note though that even with ADMINISABSENTMINDED=Yes, it is still - possible for people to shoot themselves in the foot.
    -
    -  Example:
    -
    -  /etc/shorewall/nat:
    -
    -      206.124.146.178    - eth0:0    192.168.1.5   
    -
    -  /etc/shorewall/rules:
    -
    -    ACCEPT    net    - loc:192.168.1.5    tcp    22
    -    ACCEPT    loc    - fw        tcp    22
    -
    - From a remote system, I ssh to 206.124.146.178 which establishes an SSH - connection with local system 192.168.1.5. I then create a second SSH - connection from that computer to the firewall and confidently type - "shorewall stop". As part of its stop processing, Shorewall removes - eth0:0 which kills my SSH connection to 192.168.1.5!!!
  4. -
  5. Given the wide range of VPN software, I can never hope to add specific - support for all of it. I have therefore decided to add "generic" tunnel - support.
    -  
    - Generic tunnels work pretty much like any of the other tunnel types. You - usually add a zone to represent the systems at the other end of the - tunnel and you add the appropriate rules/policies to
    - implement your security policy regarding traffic to/from those - systems.
    -  
    - In the /etc/shorewall/tunnels file, you can have entries of the form:
    -
    - generic:<protocol>[:<port>]  <zone>  <ip - address>    <gateway zones>
    -  
    - where:
    -  
    -        <protocol> is the protocol - used by the tunnel
    -        <port>  if the protocol - is 'udp' or 'tcp' then this is the destination port number used by the - tunnel.
    -        <zone>  is the zone of - the remote tunnel gateway
    -        <ip address> is the IP address - of the remote tunnel gateway.
    -        <gateway zone>   - Optional. A comma-separated list of zone names. If specified, the remote - gateway is to be considered part of these zones.
  6. -
  7. An 'arp_filter' option has been added to the /etc/shorewall/interfaces - file. This option causes - /proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the - result that this interface will only answer ARP 'who-has' requests from - hosts that are routed out through that interface. Setting this option - facilitates testing of your firewall where multiple firewall interfaces - are connected to the same HUB/Switch (all interfaces connected to the - single HUB/Switch should have this option specified). Note that using - such a configuration in a production environment is strongly recommended - against.
  8. -
  9. The ADDRESS column in /etc/shorewall/masq may now include a - comma-separated list of addresses and/or address ranges. Netfilter will - use all listed addresses/ranges in round-robin fashion. \
  10. -
  11. An /etc/shorewall/accounting file has been added to allow for traffic - accounting.  See the accounting - documentation for a description of this facility.
  12. -
  13. Bridge interfaces (br[0-9]) may now be used in - /etc/shorewall/maclist.
  14. -
  15. ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in - /etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT - rules, rate limiting occurs in the nat table DNAT rule; the corresponding - ACCEPT rule in the filter table is not rate limited. If you want to limit - the filter table rule, you will need o create two rules; a DNAT- rule and - an ACCEPT rule which can be rate-limited separately.
    -  
    - Warning: When rate limiting is - specified on a rule with "all" in the SOURCE or DEST fields, the limit - will apply to each pair of zones individually rather than as a single - limit for all pairs of covered by the rule.
    -  
    - To specify a rate limit,
    -
    - a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with
    -  
    -       < - <rate>/<interval>[:<burst>] >
    -  
    -   where
    -  
    -       <rate> is the sustained rate per - <interval>
    -       <interval> is "sec" or "min"
    -       <burst> is the largest burst - accepted within an <interval>. If not given, the default of 5 is - assumed.
    -  
    - There may be no white space between the ACTION and "<" nor there may - be any white space within the burst specification. If you want to specify - logging of a rate-limited rule, the ":" and log level comes after the - ">" (e.g., ACCEPT<2/sec:4>:info ).
    -
    - b) A new RATE LIMIT column has been added to the /etc/shorewall/rules - file. You may specify the rate limit there in the format:
    -
    -       - <rate>/<interval>[:<burst>]
    -  
    - Let's take an example:
    -  
    -          - ACCEPT<2/sec:4>        - net     dmz     - tcp     80
    -    
    - The first time this rule is reached, the packet will be accepted; in - fact, since the burst is 4, the first four packets will be accepted. - After this, it will be 500ms (1 second divided by the rate
    - of 2) before a packet will be accepted from this rule, regardless of how - many packets reach it. Also, every 500ms which passes without matching a - packet, one of the bursts will be regained; if no packets hit the rule - for 2 second, the burst will be fully recharged; back where we - started.
    -
  16. -
  17. Multiple chains may now be displayed in one "shorewall show" command - (e.g., shorewall show INPUT FORWARD OUTPUT).
  18. -
  19. Output rules (those with $FW as the SOURCE) may now be limited to a set - of local users and/or groups. See http://shorewall.net/UserSets.html for - details.
  20. -
- -

8/27/2003 - Shorewall Mirror in Australia

- -

Thanks to Dave Kempe and Solutions First (http://www.solutionsfirst.com.au), there is now a -Shorewall Mirror in Australia:

- - - -

8/26/2003 - French Version of the Shorewall Setup Guide 

-Thanks to Fabien Demassieux, there is now a French translation of the Shorewall Setup -Guide. Merci Beacoup, Fabien! - -

8/25/2003 - Shorewall 1.4.7 Beta 1
-

- -

http://shorewall.net/pub/shorewall/Beta
-ftp://shorewall.net/pub/shorewall/Beta
-

-Problems Corrected since version 1.4.6
- -
    -
  1. Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was being - tested before it was set.
  2. -
  3. Corrected handling of MAC addresses in the SOURCE column of the tcrules - file. Previously, these addresses resulted in an invalid iptables - command.
  4. -
  5. The "shorewall stop" command is now disabled when - /etc/shorewall/startup_disabled exists. This prevents people from - shooting themselves in the foot prior to having configured Shorewall.
  6. -
  7. A change introduced in version 1.4.6 caused error messages during - "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were being - added to a PPP interface; the addresses were successfully added in spite - of the messages.
    -    
    - The firewall script has been modified to eliminate the error messages
  8. -
  9. Interface-specific dynamic blacklisting chains are now displayed by - "shorewall monitor" on the "Dynamic Chains" page (previously named - "Dynamic Chain").
  10. -
  11. Thanks to Henry Yang, LOGRATE and LOGBURST now work again.
    -
    -
  12. -
-Migration Issues:
- -
    -
  1. Shorewall IP Traffic Accounting has changed since snapshot 20030813 -- - see the Accounting Page for details.
  2. -
  3. The Uset Set capability introduced in SnapShot 20030821 has changed -- - see the User Set page for details.
  4. -
  5. The per-interface Dynamic Blacklisting facility introduced in the first - post-1.4.6 Snapshot has been removed. The facility had too many - idiosyncrasies for dial-up users to be a viable part of Shorewall.
    -
  6. -
-New Features:
- -
    -
  1. Thanks to Steve Herber, the 'help' command can now give - command-specific help (e.g., shorewall help <command>).
  2. -
  3. A new option "ADMINISABSENTMINDED" has been added to - /etc/shorewall/shorewall.conf. This option has a default value of "No" - for existing users which causes Shorewall's 'stopped' state  to - continue as it has been; namely, in the stopped state only traffic - to/from hosts listed in /etc/shorewall/routestopped is accepted.
    -
    - With ADMINISABSENTMINDED=Yes (the default for new installs), in addition - to traffic to/from the hosts listed in /etc/shorewall/routestopped, - Shorewall will allow:
    -
    -    a) All traffic originating from the firewall itself; and
    -    b) All traffic that is part of or related to an - already-existing connection.
    -
    -  In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" - entered through an ssh session will not kill the session.
    -
    -  Note though that even with ADMINISABSENTMINDED=Yes, it is still - possible for people to shoot themselves in the foot.
    -
    -  Example:
    -
    -  /etc/shorewall/nat:
    -
    -      206.124.146.178    - eth0:0    192.168.1.5   
    -
    -  /etc/shorewall/rules:
    -
    -    ACCEPT    net    - loc:192.168.1.5    tcp    22
    -    ACCEPT    loc    - fw        tcp    22
    -
    - From a remote system, I ssh to 206.124.146.178 which establishes an SSH - connection with local system 192.168.1.5. I then create a second SSH - connection from that computer to the firewall and confidently type - "shorewall stop". As part of its stop processing, Shorewall removes - eth0:0 which kills my SSH connection to 192.168.1.5!!!
  4. -
  5. Given the wide range of VPN software, I can never hope to add specific - support for all of it. I have therefore decided to add "generic" tunnel - support.
    -  
    - Generic tunnels work pretty much like any of the other tunnel types. You - usually add a zone to represent the systems at the other end of the - tunnel and you add the appropriate rules/policies to
    - implement your security policy regarding traffic to/from those - systems.
    -  
    - In the /etc/shorewall/tunnels file, you can have entries of the form:
    -
    - generic:<protocol>[:<port>]  <zone>  <ip - address>    <gateway zones>
    -  
    - where:
    -  
    -        <protocol> is the protocol - used by the tunnel
    -        <port>  if the protocol - is 'udp' or 'tcp' then this is the destination port number used by the - tunnel.
    -        <zone>  is the zone of - the remote tunnel gateway
    -        <ip address> is the IP address - of the remote tunnel gateway.
    -        <gateway zone>   - Optional. A comma-separated list of zone names. If specified, the remote - gateway is to be considered part of these zones.
  6. -
  7. An 'arp_filter' option has been added to the /etc/shorewall/interfaces - file. This option causes - /proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the - result that this interface will only answer ARP 'who-has' requests from - hosts that are routed out through that interface. Setting this option - facilitates testing of your firewall where multiple firewall interfaces - are connected to the same HUB/Switch (all interfaces connected to the - single HUB/Switch should have this option specified). Note that using - such a configuration in a production environment is strongly recommended - against.
  8. -
  9. The ADDRESS column in /etc/shorewall/masq may now include a - comma-separated list of addresses and/or address ranges. Netfilter will - use all listed addresses/ranges in round-robin fashion. \
  10. -
  11. An /etc/shorewall/accounting file has been added to allow for traffic - accounting.  See the accounting - documentation for a description of this facility.
  12. -
  13. Bridge interfaces (br[0-9]) may now be used in - /etc/shorewall/maclist.
  14. -
  15. ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in - /etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT - rules, rate limiting occurs in the nat table DNAT rule; the corresponding - ACCEPT rule in the filter table is not rate limited. If you want to limit - the filter table rule, you will need o create two rules; a DNAT- rule and - an ACCEPT rule which can be rate-limited separately.
    -  
    - Warning: When rate limiting is - specified on a rule with "all" in the SOURCE or DEST fields, the limit - will apply to each pair of zones individually rather than as a single - limit for all pairs of covered by the rule.
    -  
    - To specify a rate limit,
    -
    - a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with
    -  
    -       < - <rate>/<interval>[:<burst>] >
    -  
    -   where
    -  
    -       <rate> is the sustained rate per - <interval>
    -       <interval> is "sec" or "min"
    -       <burst> is the largest burst - accepted within an <interval>. If not given, the default of 5 is - assumed.
    -  
    - There may be no white space between the ACTION and "<" nor there may - be any white space within the burst specification. If you want to specify - logging of a rate-limited rule, the ":" and log level comes after the - ">" (e.g., ACCEPT<2/sec:4>:info ).
    -
    - b) A new RATE LIMIT column has been added to the /etc/shorewall/rules - file. You may specify the rate limit there in the format:
    -
    -       - <rate>/<interval>[:<burst>]
    -  
    - Let's take an example:
    -  
    -          - ACCEPT<2/sec:4>        - net     dmz     - tcp     80
    -    
    - The first time this rule is reached, the packet will be accepted; in - fact, since the burst is 4, the first four packets will be accepted. - After this, it will be 500ms (1 second divided by the rate
    - of 2) before a packet will be accepted from this rule, regardless of how - many packets reach it. Also, every 500ms which passes without matching a - packet, one of the bursts will be regained; if no packets hit the rule - for 2 second, the burst will be fully recharged; back where we - started.
    -
  16. -
  17. Multiple chains may now be displayed in one "shorewall show" command - (e.g., shorewall show INPUT FORWARD OUTPUT).
  18. -
  19. Output rules (those with $FW as the SOURCE) may now be limited to a set - of local users and/or groups. See http://shorewall.net/UserSets.html for - details.
    -
  20. -
- -

8/23/2003 - Snapshot 1.4.6_20030823

- -
-

http://shorewall.net/pub/shorewall/Snapshots/
- ftp://shorewall.net/pub/shorewall/Snapshots/

-
-Problems Corrected since version 1.4.6
- -
    -
  1. Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was being - tested before it was set.
  2. -
  3. Corrected handling of MAC addresses in the SOURCE column of the tcrules - file. Previously, these addresses resulted in an invalid iptables - command.
  4. -
  5. The "shorewall stop" command is now disabled when - /etc/shorewall/startup_disabled exists. This prevents people from - shooting themselves in the foot prior to having configured Shorewall.
  6. -
  7. A change introduced in version 1.4.6 caused error messages during - "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were being - added to a PPP interface; the addresses were successfully added in spite - of the messages.
    -    
    - The firewall script has been modified to eliminate the error messages
  8. -
  9. Interface-specific dynamic blacklisting chains are now displayed by - "shorewall monitor" on the "Dynamic Chains" page (previously named - "Dynamic Chain").
  10. -
  11. Thanks to Henry Yang, LOGRATE and LOGBURST now work again.
    -
    -
  12. -
-Migration Issues:
- -
    -
  1. Once you have installed this version of Shorewall, you must restart - Shorewall before you may use the 'drop', 'reject', 'allow' or 'save' - commands.
  2. -
  3. To maintain strict compatibility with previous versions, current uses - of "shorewall drop" and "shorewall reject" should be replaced with - "shorewall dropall" and "shorewall rejectall"
  4. -
  5. Shorewall IP Traffic Accounting has changed since snapshot 20030813 -- - see the Accounting Page for details.
  6. -
  7. The Uset Set capability introduced in SnapShot 20030821 has changed -- - see the User Set page for details.
  8. -
-New Features:
- -
    -
  1. Shorewall now creates a dynamic blacklisting chain for each interface - defined in /etc/shorewall/interfaces. The 'drop' and 'reject' commands - use the routing table to determine which of these chains is to be used - for blacklisting the specified IP address(es).
    -
    - Two new commands ('dropall' and 'rejectall') have been introduced that do - what 'drop' and 'reject' used to do; namely, when an address is - blacklisted using these new commands, it will be blacklisted on all of - your firewall's interfaces.
  2. -
  3. Thanks to Steve Herber, the 'help' command can now give - command-specific help (e.g., shorewall help <command>).
  4. -
  5. A new option "ADMINISABSENTMINDED" has been added to - /etc/shorewall/shorewall.conf. This option has a default value of "No" - for existing users which causes Shorewall's 'stopped' state  to - continue as it has been; namely, in the stopped state only traffic - to/from hosts listed in /etc/shorewall/routestopped is accepted.
    -
    - With ADMINISABSENTMINDED=Yes (the default for new installs), in addition - to traffic to/from the hosts listed in /etc/shorewall/routestopped, - Shorewall will allow:
    -
    -    a) All traffic originating from the firewall itself; and
    -    b) All traffic that is part of or related to an - already-existing connection.
    -
    -  In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" - entered through an ssh session will not kill the session.
    -
    -  Note though that even with ADMINISABSENTMINDED=Yes, it is still - possible for people to shoot themselves in the foot.
    -
    -  Example:
    -
    -  /etc/shorewall/nat:
    -
    -      206.124.146.178    - eth0:0    192.168.1.5   
    -
    -  /etc/shorewall/rules:
    -
    -    ACCEPT    net    - loc:192.168.1.5    tcp    22
    -    ACCEPT    loc    - fw        tcp    22
    -
    - From a remote system, I ssh to 206.124.146.178 which establishes an SSH - connection with local system 192.168.1.5. I then create a second SSH - connection from that computer to the firewall and confidently type - "shorewall stop". As part of its stop processing, Shorewall removes - eth0:0 which kills my SSH connection to 192.168.1.5!!!
  6. -
  7. Given the wide range of VPN software, I can never hope to add specific - support for all of it. I have therefore decided to add "generic" tunnel - support.
    -  
    - Generic tunnels work pretty much like any of the other tunnel types. You - usually add a zone to represent the systems at the other end of the - tunnel and you add the appropriate rules/policies to
    - implement your security policy regarding traffic to/from those - systems.
    -  
    - In the /etc/shorewall/tunnels file, you can have entries of the form:
    -
    - generic:<protocol>[:<port>]  <zone>  <ip - address>    <gateway zones>
    -  
    - where:
    -  
    -        <protocol> is the protocol - used by the tunnel
    -        <port>  if the protocol - is 'udp' or 'tcp' then this is the destination port number used by the - tunnel.
    -        <zone>  is the zone of - the remote tunnel gateway
    -        <ip address> is the IP address - of the remote tunnel gateway.
    -        <gateway zone>   - Optional. A comma-separated list of zone names. If specified, the remote - gateway is to be considered part of these zones.
  8. -
  9. An 'arp_filter' option has been added to the /etc/shorewall/interfaces - file. This option causes - /proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the - result that this interface will only answer ARP 'who-has' requests from - hosts that are routed out through that interface. Setting this option - facilitates testing of your firewall where multiple firewall interfaces - are connected to the same HUB/Switch (all interfaces connected to the - single HUB/Switch should have this option specified). Note that using - such a configuration in a production environment is strongly recommended - against.
  10. -
  11. The ADDRESS column in /etc/shorewall/masq may now include a - comma-separated list of addresses and/or address ranges. Netfilter will - use all listed addresses/ranges in round-robin fashion. \
  12. -
  13. An /etc/shorewall/accounting file has been added to allow for traffic - accounting.  See the accounting - documentation for a description of this facility.
  14. -
  15. Bridge interfaces (br[0-9]) may now be used in - /etc/shorewall/maclist.
  16. -
  17. ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in - /etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT - rules, rate limiting occurs in the nat table DNAT rule; the corresponding - ACCEPT rule in the filter table is not rate limited. If you want to limit - the filter table rule, you will need o create two rules; a DNAT- rule and - an ACCEPT rule which can be rate-limited separately.
    -  
    - Warning: When rate limiting is - specified on a rule with "all" in the SOURCE or DEST fields, the limit - will apply to each pair of zones individually rather than as a single - limit for all pairs of covered by the rule.
    -  
    - To specify a rate limit,
    -
    - a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with
    -  
    -       < - <rate>/<interval>[:<burst>] >
    -  
    -   where
    -  
    -       <rate> is the sustained rate per - <interval>
    -       <interval> is "sec" or "min"
    -       <burst> is the largest burst - accepted within an <interval>. If not given, the default of 5 is - assumed.
    -  
    - There may be no white space between the ACTION and "<" nor there may - be any white space within the burst specification. If you want to specify - logging of a rate-limited rule, the ":" and log level comes after the - ">" (e.g., ACCEPT<2/sec:4>:info ).
    -
    - b) A new RATE LIMIT column has been added to the /etc/shorewall/rules - file. You may specify the rate limit there in the format:
    -
    -       - <rate>/<interval>[:<burst>]
    -  
    - Let's take an example:
    -  
    -          - ACCEPT<2/sec:4>        - net     dmz     - tcp     80
    -    
    - The first time this rule is reached, the packet will be accepted; in - fact, since the burst is 4, the first four packets will be accepted. - After this, it will be 500ms (1 second divided by the rate
    - of 2) before a packet will be accepted from this rule, regardless of how - many packets reach it. Also, every 500ms which passes without matching a - packet, one of the bursts will be regained; if no packets hit the rule - for 2 second, the burst will be fully recharged; back where we - started.
    -
  18. -
  19. Multiple chains may now be displayed in one "shorewall show" command - (e.g., shorewall show INPUT FORWARD OUTPUT).
  20. -
  21. Output rules (those with $FW as the SOURCE) may now be limited to a set - of local users and/or groups. See http://shorewall.net/UserSets.html for - details.
    -
  22. -
- -

8/13/2003 - Snapshot 1.4.6_20030813 

- -
-

http://shorewall.net/pub/shorewall/Snapshots/
- ftp://shorewall.net/pub/shorewall/Snapshots/

-
-Problems Corrected since version 1.4.6
- -
    -
  1. Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was being - tested before it was set.
  2. -
  3. Corrected handling of MAC addresses in the SOURCE column of the tcrules - file. Previously, these addresses resulted in an invalid iptables - command.
  4. -
  5. The "shorewall stop" command is now disabled when - /etc/shorewall/startup_disabled exists. This prevents people from - shooting themselves in the foot prior to having configured Shorewall.
  6. -
  7. A change introduced in version 1.4.6 caused error messages during - "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were being - added to a PPP interface; the addresses were successfully added in spite - of the messages.
    -    
    - The firewall script has been modified to eliminate the error messages
  8. -
  9.  Interface-specific dynamic blacklisting chains are now displayed - by "shorewall monitor" on the "Dynamic Chains" page (previously named - "Dynamic Chain").
    -
    -
  10. -
-Migration Issues:
- -
    -
  1. Once you have installed this version of Shorewall, you must restart - Shorewall before you may use the 'drop', 'reject', 'allow' or 'save' - commands.
  2. -
  3. To maintain strict compatibility with previous versions, current uses - of "shorewall drop" and "shorewall reject" should be replaced with - "shorewall dropall" and "shorewall rejectall"
  4. -
-New Features:
- -
    -
  1. Shorewall now creates a dynamic blacklisting chain for each interface - defined in /etc/shorewall/interfaces. The 'drop' and 'reject' commands - use the routing table to determine which of these chains is to be used - for blacklisting the specified IP address(es).
    -
    - Two new commands ('dropall' and 'rejectall') have been introduced that do - what 'drop' and 'reject' used to do; namely, when an address is - blacklisted using these new commands, it will be blacklisted on all of - your firewall's interfaces.
  2. -
  3. Thanks to Steve Herber, the 'help' command can now give - command-specific help (e.g., shorewall help <command>).
  4. -
  5. A new option "ADMINISABSENTMINDED" has been added to - /etc/shorewall/shorewall.conf. This option has a default value of "No" - for existing users which causes Shorewall's 'stopped' state  to - continue as it has been; namely, in the stopped state only traffic - to/from hosts listed in /etc/shorewall/routestopped is accepted.
    -
    - With ADMINISABSENTMINDED=Yes (the default for new installs), in addition - to traffic to/from the hosts listed in /etc/shorewall/routestopped, - Shorewall will allow:
    -
    -    a) All traffic originating from the firewall itself; and
    -    b) All traffic that is part of or related to an - already-existing connection.
    -
    -  In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" - entered through an ssh session will not kill the session.
    -
    -  Note though that even with ADMINISABSENTMINDED=Yes, it is still - possible for people to shoot themselves in the foot.
    -
    -  Example:
    -
    -  /etc/shorewall/nat:
    -
    -      206.124.146.178    - eth0:0    192.168.1.5   
    -
    -  /etc/shorewall/rules:
    -
    -    ACCEPT    net    - loc:192.168.1.5    tcp    22
    -    ACCEPT    loc    - fw        tcp    22
    -
    - From a remote system, I ssh to 206.124.146.178 which establishes an SSH - connection with local system 192.168.1.5. I then create a second SSH - connection from that computer to the firewall and confidently type - "shorewall stop". As part of its stop processing, Shorewall removes - eth0:0 which kills my SSH connection to 192.168.1.5!!!
  6. -
  7. Given the wide range of VPN software, I can never hope to add specific - support for all of it. I have therefore decided to add "generic" tunnel - support.
    -  
    - Generic tunnels work pretty much like any of the other tunnel types. You - usually add a zone to represent the systems at the other end of the - tunnel and you add the appropriate rules/policies to
    - implement your security policy regarding traffic to/from those - systems.
    -  
    - In the /etc/shorewall/tunnels file, you can have entries of the form:
    -
    - generic:<protocol>[:<port>]  <zone>  <ip - address>    <gateway zones>
    -  
    - where:
    -  
    -        <protocol> is the protocol - used by the tunnel
    -        <port>  if the protocol - is 'udp' or 'tcp' then this is the destination port number used by the - tunnel.
    -        <zone>  is the zone of - the remote tunnel gateway
    -        <ip address> is the IP address - of the remote tunnel gateway.
    -        <gateway zone>   - Optional. A comma-separated list of zone names. If specified, the remote - gateway is to be considered part of these zones.
  8. -
  9. An 'arp_filter' option has been added to the /etc/shorewall/interfaces - file. This option causes - /proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the - result that this interface will only answer ARP 'who-has' requests from - hosts that are routed out through that interface. Setting this option - facilitates testing of your firewall where multiple firewall interfaces - are connected to the same HUB/Switch (all interfaces connected to the - single HUB/Switch should have this option specified). Note that using - such a configuration in a production environment is strongly recommended - against.
  10. -
  11. The ADDRESS column in /etc/shorewall/masq may now include a - comma-separated list of addresses and/or address ranges. Netfilter will - use all listed addresses/ranges in round-robin fashion. \
  12. -
  13. An /etc/shorewall/accounting file has been added to allow for traffic - accounting.  See the accounting - documentation for a description of this facility.
  14. -
  15. Bridge interfaces (br[0-9]) may now be used in - /etc/shorewall/maclist.
  16. -
  17. ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in - /etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT - rules, rate limiting occurs in the nat table DNAT rule; the corresponding - ACCEPT rule in the filter table is not rate limited. If you want to limit - the filter table rule, you will need o create two rules; a DNAT- rule and - an ACCEPT rule which can be rate-limited separately.
    -  
    - Warning: When rate limiting is - specified on a rule with "all" in the SOURCE or DEST fields, the limit - will apply to each pair of zones individually rather than as a single - limit for all pairs of covered by the rule.
    -  
    - To specify a rate limit, follow ACCEPT, DNAT[-], REDIRECT[-] or LOG - with
    -  
    -       < - <rate>/<interval>[:<burst>] >
    -  
    -    where
    -  
    -       <rate> is the sustained rate per - <interval>
    -       <interval> is "sec" or "min"
    -       <burst> is the largest burst - accepted within an <interval>. If not given, the default of 5 is - assumed.
    -  
    - There may be no white space between the ACTION and "<" nor there may - be any white space within the burst specification. If you want to specify - logging of a rate-limited rule, the ":" and log level comes after the - ">" (e.g., ACCEPT<2/sec:4>:info ).
    -  
    - Let's take an example:
    -  
    -          - ACCEPT<2/sec:4>        - net     dmz     - tcp     80
    -    
    - The first time this rule is reached, the packet will be accepted; in - fact, since the burst is 4, the first four packets will be accepted. - After this, it will be 500ms (1 second divided by the rate
    - of 2) before a packet will be accepted from this rule, regardless of how - many packets reach it. Also, every 500ms which passes without matching a - packet, one of the bursts will be regained; if no packets hit the rule - for 2 second, the burst will be fully recharged; back where we - started.
    -
  18. -
- -

8/9/2003 - Snapshot 1.4.6_20030809 

- -
-

http://shorewall.net/pub/shorewall/Snapshots/
- ftp://shorewall.net/pub/shorewall/Snapshots/

-
-Problems Corrected since version 1.4.6
- -
    -
  1. Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was being - tested before it was set.
  2. -
  3. Corrected handling of MAC addresses in the SOURCE column of the tcrules - file. Previously, these addresses resulted in an invalid iptables - command.
  4. -
  5. The "shorewall stop" command is now disabled when - /etc/shorewall/startup_disabled exists. This prevents people from - shooting themselves in the foot prior to having configured Shorewall.
  6. -
  7. A change introduced in version 1.4.6 caused error messages during - "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were being - added to a PPP interface; the addresses were successfully added in spite - of the messages.
    -    
    - The firewall script has been modified to eliminate the error messages
    -
  8. -
-Migration Issues:
- -
    -
  1. Once you have installed this version of Shorewall, you must restart - Shorewall before you may use the 'drop', 'reject', 'allow' or 'save' - commands.
  2. -
  3. To maintain strict compatibility with previous versions, current uses - of "shorewall drop" and "shorewall reject" should be replaced with - "shorewall dropall" and "shorewall rejectall"
  4. -
-New Features:
- -
    -
  1. Shorewall now creates a dynamic blacklisting chain for each interface - defined in /etc/shorewall/interfaces. The 'drop' and 'reject' commands - use the routing table to determine which of these chains is to be used - for blacklisting the specified IP address(es).
    -
    - Two new commands ('dropall' and 'rejectall') have been introduced that do - what 'drop' and 'reject' used to do; namely, when an address is - blacklisted using these new commands, it will be blacklisted on all of - your firewall's interfaces.
  2. -
  3. Thanks to Steve Herber, the 'help' command can now give - command-specific help (e.g., shorewall help <command>).
  4. -
  5. A new option "ADMINISABSENTMINDED" has been added to - /etc/shorewall/shorewall.conf. This option has a default value of "No" - for existing users which causes Shorewall's 'stopped' state  to - continue as it has been; namely, in the stopped state only traffic - to/from hosts listed in /etc/shorewall/routestopped is accepted.
    -
    - With ADMINISABSENTMINDED=Yes (the default for new installs), in addition - to traffic to/from the hosts listed in /etc/shorewall/routestopped, - Shorewall will allow:
    -
    -    a) All traffic originating from the firewall itself; and
    -    b) All traffic that is part of or related to an - already-existing connection.
    -
    -  In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" - entered through an ssh session will not kill the session.
    -
    -  Note though that even with ADMINISABSENTMINDED=Yes, it is still - possible for people to shoot themselves in the foot.
    -
    -  Example:
    -
    -  /etc/shorewall/nat:
    -
    -      206.124.146.178    - eth0:0    192.168.1.5   
    -
    -  /etc/shorewall/rules:
    -
    -    ACCEPT    net    - loc:192.168.1.5    tcp    22
    -    ACCEPT    loc    - fw        tcp    22
    -
    - From a remote system, I ssh to 206.124.146.178 which establishes an SSH - connection with local system 192.168.1.5. I then create a second SSH - connection from that computer to the firewall and confidently type - "shorewall stop". As part of its stop processing, Shorewall removes - eth0:0 which kills my SSH connection to 192.168.1.5!!!
  6. -
  7. Given the wide range of VPN software, I can never hope to add specific - support for all of it. I have therefore decided to add "generic" tunnel - support.
    -  
    - Generic tunnels work pretty much like any of the other tunnel types. You - usually add a zone to represent the systems at the other end of the - tunnel and you add the appropriate rules/policies to
    - implement your security policy regarding traffic to/from those - systems.
    -  
    - In the /etc/shorewall/tunnels file, you can have entries of the form:
    -
    - generic:<protocol>[:<port>]  <zone>  <ip - address>    <gateway zones>
    -  
    - where:
    -  
    -        <protocol> is the protocol - used by the tunnel
    -        <port>  if the protocol - is 'udp' or 'tcp' then this is the destination port number used by the - tunnel.
    -        <zone>  is the zone of - the remote tunnel gateway
    -        <ip address> is the IP address - of the remote tunnel gateway.
    -        <gateway zone>   - Optional. A comma-separated list of zone names. If specified, the remote - gateway is to be considered part of these zones.
  8. -
  9. An 'arp_filter' option has been added to the /etc/shorewall/interfaces - file. This option causes - /proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the - result that this interface will only answer ARP 'who-has' requests from - hosts that are routed out through that interface. Setting this option - facilitates testing of your firewall where multiple firewall interfaces - are connected to the same HUB/Switch (all interfaces connected to the - single HUB/Switch should have this option specified). Note that using - such a configuration in a production environment is strongly recommended - against.
    -
  10. -
- -

8/5/2003 - Shorewall-1.4.6b 
-

-Problems Corrected since version 1.4.6:
- -
    -
  1. Previously, if TC_ENABLED is set to yes in shorewall.conf then - Shorewall would fail to start with the error "ERROR:  Traffic - Control requires Mangle"; that problem has been corrected.
  2. -
  3. Corrected handling of MAC addresses in the SOURCE column of the tcrules - file. Previously, these addresses resulted in an invalid iptables - command.
  4. -
  5. The "shorewall stop" command is now disabled when - /etc/shorewall/startup_disabled exists. This prevents people from - shooting themselves in the foot prior to having configured Shorewall.
  6. -
  7. A change introduced in version 1.4.6 caused error messages during - "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were being - added to a PPP interface; the addresses were successfully added in spite - of the messages.
    -   
    - The firewall script has been modified to eliminate the error - messages.
  8. -
- -

8/5/2003 - Shorewall-1.4.6b
-

-Problems Corrected since version 1.4.6:
- -
    -
  1. Previously, if TC_ENABLED is set to yes in shorewall.conf then - Shorewall would fail to start with the error "ERROR:  Traffic - Control requires Mangle"; that problem has been corrected.
  2. -
  3. Corrected handling of MAC addresses in the SOURCE column of the tcrules - file. Previously, these addresses resulted in an invalid iptables - command.
  4. -
  5. The "shorewall stop" command is now disabled when - /etc/shorewall/startup_disabled exists. This prevents people from - shooting themselves in the foot prior to having configured Shorewall.
  6. -
  7. A change introduced in version 1.4.6 caused error messages during - "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were being - added to a PPP interface; the addresses were successfully added in spite - of the messages.
    -   
    - The firewall script has been modified to eliminate the error messages.
    -
  8. -
- -

7/31/2003 - Snapshot 1.4.6_20030731

- -
-

http://shorewall.net/pub/shorewall/Snapshots/
- ftp://shorewall.net/pub/shorewall/Snapshots/

-
- -

Problems Corrected since version 1.4.6:
-

-
    -
  1. Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was being - tested before it was set.
  2. -
  3. Corrected handling of MAC addresses in the SOURCE column of the tcrules - file. Previously, these addresses resulted in an invalid iptables - command.
    -
  4. -
- -

Migration Issues:
-

-
    -
  1. Once you have installed this version of Shorewall, you must restart - Shorewall before you may use the 'drop', 'reject', 'allow' or 'save' - commands.
  2. -
  3. To maintain strict compatibility with previous versions, current uses - of "shorewall drop" and "shorewall reject" should be replaced with - "shorewall dropall" and "shorewall rejectall"
  4. -
- -

New Features:
-

-
    -
  1. Shorewall now creates a dynamic blacklisting chain for each interface - defined in /etc/shorewall/interfaces. The 'drop' and 'reject' commands - use the routing table to determine which of these chains is to be used - for blacklisting the specified IP address(es).
    -
    - Two new commands ('dropall' and 'rejectall') have been introduced that do - what 'drop' and 'reject' used to do; namely, when an address is - blacklisted using these new commands, it will be blacklisted on all of - your firewall's interfaces.
  2. -
  3. Thanks to Steve Herber, the 'help' command can now give - command-specific help (e.g., shorewall help <command>).
  4. -
  5. A new option "ADMINISABSENTMINDED" has been added to - /etc/shorewall/shorewall.conf. This option has a default value of "No" - for existing users which causes Shorewall's 'stopped' state  to - continue as it has been; namely, in the stopped state only traffic - to/from hosts listed in /etc/shorewall/routestopped is accepted.
    -
    - With ADMINISABSENTMINDED=Yes (the default for new installs), in addition - to traffic to/from the hosts listed in /etc/shorewall/routestopped, - Shorewall will allow:
    -
    -    a) All traffic originating from the firewall itself; and
    -    b) All traffic that is part of or related to an - already-existing connection.
    -
    -  In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" - entered through an ssh session will not kill the session.
    -
    -  Note though that even with ADMINISABSENTMINDED=Yes, it is still - possible for people to shoot themselves in the foot.
    -
    -  Example:
    -
    -  /etc/shorewall/nat:
    -
    -      206.124.146.178    - eth0:0    192.168.1.5   
    -
    -  /etc/shorewall/rules:
    -
    -    ACCEPT    net    - loc:192.168.1.5    tcp    22
    -    ACCEPT    loc    - fw        tcp    22
    -
    - From a remote system, I ssh to 206.124.146.178 which establishes an SSH - connection with local system 192.168.1.5. I then create a second SSH - connection from that computer to the firewall and confidently type - "shorewall stop". As part of its stop processing, Shorewall removes - eth0:0 which kills my SSH connection to 192.168.1.5!!!
  6. -
- -

7/27/2003 - Snapshot 1.4.6_20030727

- -
-

http://shorewall.net/pub/shorewall/Snapshots/
- ftp://shorewall.net/pub/shorewall/Snapshots/

-
-Problems Corrected since version 1.4.6
- -
    -
  1. Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was being - tested before it was set.
  2. -
  3. Corrected handling of MAC addresses in the SOURCE column of the tcrules - file. Previously, these addresses resulted in an invalid iptables - command.
    -
  4. -
-Migration Issues:
- -
    -
  1. Once you have installed this version of Shorewall, you must restart - Shorewall before you may use the 'drop', 'reject', 'allow' or 'save' - commands.
  2. -
  3. To maintain strict compatibility with previous versions, current uses - of "shorewall drop" and "shorewall reject" should be replaced with - "shorewall dropall" and "shorewall rejectall"
  4. -
-New Features:
- -
    -
  1. Shorewall now creates a dynamic blacklisting chain for each interface - defined in /etc/shorewall/interfaces. The 'drop' and 'reject' commands - use the routing table to determine which of these chains is to be used - for blacklisting the specified IP address(es).
    -
    - Two new commands ('dropall' and 'rejectall') have been introduced that do - what 'drop' and 'reject' used to do; namely, when an address is - blacklisted using these new commands, it will be blacklisted on all of - your firewall's interfaces.
  2. -
  3. Thanks to Steve Herber, the 'help' command can now give - command-specific help (e.g., shorewall help <command>).
    -
  4. -
- -

7/26/2003 - Snapshot 1.4.6_20030726

- -
-

http://shorewall.net/pub/shorewall/Snapshots/
- ftp://shorewall.net/pub/shorewall/Snapshots/

-
- -

Problems Corrected since version 1.4.6:
-

-
    -
  1. Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was being - tested before it was set.
  2. -
  3. Corrected handling of MAC addresses in the SOURCE column of the tcrules - file. Previously, these addresses resulted in an invalid iptables - command.
    -
  4. -
- -

Migration Issues:
-

-
    -
  1. Once you have installed this version of Shorewall, you must restart - Shorewall before you may use the 'drop', 'reject', 'allow' or 'save' - commands.
  2. -
  3. To maintain strict compatibility with previous versions, current uses - of "shorewall drop" and "shorewall reject" should be replaced with - "shorewall dropall" and "shorewall rejectall"
  4. -
- -

New Features:
-

-Shorewall now creates a dynamic blacklisting chain for each interface defined -in /etc/shorewall/interfaces. The 'drop' and 'reject' commands use the -routing table to determine which of these chains is to be used for -blacklisting the specified IP address(es).
-
-Two new commands ('dropall' and 'rejectall') have been introduced that do -what 'drop' and 'reject' used to do; namely, when an address is blacklisted -using these new commands, it will be blacklisted on all of your firewall's -interfaces. - -

7/22/2003 - Shorewall-1.4.6a
-

-Problems Corrected:
- -
    -
  1. Previously, if TC_ENABLED is set to yes in shorewall.conf then - Shorewall would fail to start with the error "ERROR:  Traffic - Control requires Mangle"; that problem has been corrected.
  2. -
- -

7/20/2003 - Shorewall-1.4.6
-

- -

Problems Corrected:
-

-
    -
  1. A problem seen on RH7.3 systems where Shorewall encountered start - errors when started using the "service" mechanism has been worked - around.
    -
    -
  2. -
  3. Where a list of IP addresses appears in the DEST column of a DNAT[-] - rule, Shorewall incorrectly created multiple DNAT rules in the nat table - (one for each element in the list). Shorewall now correctly creates a - single DNAT rule with multiple "--to-destination" clauses.
    -
    -
  4. -
  5. Corrected a problem in Beta 1 where DNS names containing a "-" were - mis-handled when they appeared in the DEST column of a rule.
    -
    -
  6. -
  7. A number of problems with rule parsing have been corrected. Corrections - involve the handling of "z1!z2" in the SOURCE column as well as lists in - the ORIGINAL DESTINATION column.
    -
    -
  8. -
  9. The message "Adding rules for DHCP" is now suppressed if there are no - DHCP rules to add.
    -
  10. -
- -

Migration Issues:
-

-
    -
  1. In earlier versions, an undocumented feature allowed entries in the - host file as follows:
    -
    -     z    - eth1:192.168.1.0/24,eth2:192.168.2.0/24
    -
    - This capability was never documented and has been removed in 1.4.6 to - allow entries of the following format:
    -
    -     z   eth1:192.168.1.0/24,192.168.2.0/24
    -
    -
  2. -
  3. The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed - from /etc/shorewall/shorewall.conf. These capabilities are now - automatically detected by Shorewall (see below).
    -
  4. -
- -

New Features:
-

-
    -
  1. A 'newnotsyn' interface option has been added. This option may be - specified in /etc/shorewall/interfaces and overrides the setting - NEWNOTSYN=No for packets arriving on the associated interface.
    -
    -
  2. -
  3. The means for specifying a range of IP addresses in /etc/shorewall/masq - to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for - address ranges.
    -
    -
  4. -
  5. Shorewall can now add IP addresses to subnets other than the first one - on an interface.
    -
    -
  6. -
  7. DNAT[-] rules may now be used to load balance (round-robin) over a set - of servers. Servers may be specified in a range of addresses given as - <first address>-<last address>.
    -
    - Example:
    -
    -     DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
    -
    -
  8. -
  9. The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options - have been removed and have been replaced by code that detects whether - these capabilities are present in the current kernel. The output of the - start, restart and check commands have been enhanced to report the - outcome:
    -
    - Shorewall has detected the following iptables/netfilter capabilities:
    -    NAT: Available
    -    Packet Mangling: Available
    -    Multi-port Match: Available
    - Verifying Configuration...
    -
    -
  10. -
  11. Support for the Connection Tracking Match Extension has been added. - This extension is available in recent kernel/iptables releases and allows - for rules which match against elements in netfilter's connection tracking - table. Shorewall automatically detects the availability of this extension - and reports its availability in the output of the start, restart and - check commands.
    -
    - Shorewall has detected the following iptables/netfilter capabilities:
    -    NAT: Available
    -    Packet Mangling: Available
    -    Multi-port Match: Available
    -    Connection Tracking Match: Available
    - Verifying Configuration...
    -
    - If this extension is available, the ruleset generated by Shorewall is - changed in the following ways:
  12. -
    • -
    • To handle 'norfc1918' filtering, Shorewall will not create chains - in the mangle table but will rather do all 'norfc1918' filtering in - the filter table (rfc1918 chain).
    • -
    • Recall that Shorewall DNAT rules generate two netfilter rules; one - in the nat table and one in the filter table. If the Connection - Tracking Match Extension is available, the rule in the filter table - is extended to check that the original destination address was the - same as specified (or defaulted to) in the DNAT rule.
      -
      -
    • -
    -
  13. -
  14. The shell used to interpret the firewall script - (/usr/share/shorewall/firewall) may now be specified using the - SHOREWALL_SHELL parameter in shorewall.conf.
    -
    -
  15. -
  16. An 'ipcalc' command has been added to /sbin/shorewall.
    -
    -       ipcalc [ <address> <netmask> | - <address>/<vlsm> ]
    -
    - Examples:
    -
    -       [root@wookie root]# shorewall ipcalc - 192.168.1.0/24
    -          CIDR=192.168.1.0/24
    -          NETMASK=255.255.255.0
    -          NETWORK=192.168.1.0
    -          - BROADCAST=192.168.1.255
    -       [root@wookie root]#
    -
    -       [root@wookie root]# shorewall ipcalc - 192.168.1.0 255.255.255.0
    -          CIDR=192.168.1.0/24
    -          NETMASK=255.255.255.0
    -          NETWORK=192.168.1.0
    -          - BROADCAST=192.168.1.255
    -       [root@wookie root]#
    -
    - Warning:
    -
    - If your shell only supports 32-bit signed arithmatic (ash or dash), then - the ipcalc command produces incorrect information for IP addresses - 128.0.0.0-1 and for /1 networks. Bash should produce correct information - for all valid IP addresses.
    -
    -
  17. -
  18. An 'iprange' command has been added to /sbin/shorewall.
    -
    -       iprange <address>-<address>
    -
    - This command decomposes a range of IP addressses into a list of network - and host addresses. The command can be useful if you need to construct an - efficient set of rules that accept connections from a range of network - addresses.
    -
    - Note: If your shell only supports 32-bit signed arithmetic (ash or dash) - then the range may not span 128.0.0.0.
    -
    - Example:
    -
    -       [root@gateway root]# shorewall iprange - 192.168.1.4-192.168.12.9
    -       192.168.1.4/30
    -       192.168.1.8/29
    -       192.168.1.16/28
    -       192.168.1.32/27
    -       192.168.1.64/26
    -       192.168.1.128/25
    -       192.168.2.0/23
    -       192.168.4.0/22
    -       192.168.8.0/22
    -       192.168.12.0/29
    -       192.168.12.8/31
    -       [root@gateway root]#
    -
    -
  19. -
  20. A list of host/net addresses is now allowed in an entry in - /etc/shorewall/hosts.
    -
    - Example:
    -
    -     foo    - eth1:192.168.1.0/24,192.168.2.0/24
    -
    -
  21. -
  22. The "shorewall check" command now includes the chain name when printing - the applicable policy for each pair of zones.
    -  
    -     Example:
    -  
    -         Policy for dmz to net is - REJECT using chain all2all
    -  
    - This means that the policy for connections from the dmz to the internet - is REJECT and the applicable entry in the /etc/shorewall/policy was the - all->all policy.
    -
    -
  23. -
  24. Support for the 2.6 Kernel series has been added.
    -
  25. -
- -

7/15/2003 - New Mirror in Brazil
-

-Thanks to the folks at securityopensource.org.br, there is now a Shorewall -mirror in Brazil. - -

7/15/2003 - Shorewall-1.4.6 RC 1
-

- -

Problems Corrected:
-

-
    -
  1. A problem seen on RH7.3 systems where Shorewall encountered start - errors when started using the "service" mechanism has been worked - around.
    -
    -
  2. -
  3. Where a list of IP addresses appears in the DEST column of a DNAT[-] - rule, Shorewall incorrectly created multiple DNAT rules in the nat table - (one for each element in the list). Shorewall now correctly creates a - single DNAT rule with multiple "--to-destination" clauses.
    -
    -
  4. -
  5. Corrected a problem in Beta 1 where DNS names containing a "-" were - mis-handled when they appeared in the DEST column of a rule.
    -
    -
  6. -
  7. A number of problems with rule parsing have been corrected. Corrections - involve the handling of "z1!z2" in the SOURCE column as well as lists in - the ORIGINAL DESTINATION column.
    -
  8. -
- -

Migration Issues:
-

-
    -
  1. In earlier versions, an undocumented feature allowed entries in the - host file as follows:
    -
    -     z    - eth1:192.168.1.0/24,eth2:192.168.2.0/24
    -
    - This capability was never documented and has been removed in 1.4.6 to - allow entries of the following format:
    -
    -     z   eth1:192.168.1.0/24,192.168.2.0/24
    -
    -
  2. -
  3. The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed - from /etc/shorewall/shorewall.conf. These capabilities are now - automatically detected by Shorewall (see below).
    -
  4. -
- -

New Features:
-

-
    -
  1. A 'newnotsyn' interface option has been added. This option may be - specified in /etc/shorewall/interfaces and overrides the setting - NEWNOTSYN=No for packets arriving on the associated interface.
    -
    -
  2. -
  3. The means for specifying a range of IP addresses in /etc/shorewall/masq - to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for - address ranges.
    -
    -
  4. -
  5. Shorewall can now add IP addresses to subnets other than the first one - on an interface.
    -
    -
  6. -
  7. DNAT[-] rules may now be used to load balance (round-robin) over a set - of servers. Servers may be specified in a range of addresses given as - <first address>-<last address>.
    -
    - Example:
    -
    -     DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
    -
    -
  8. -
  9. The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options - have been removed and have been replaced by code that detects whether - these capabilities are present in the current kernel. The output of the - start, restart and check commands have been enhanced to report the - outcome:
    -
    - Shorewall has detected the following iptables/netfilter capabilities:
    -    NAT: Available
    -    Packet Mangling: Available
    -    Multi-port Match: Available
    - Verifying Configuration...
    -
    -
  10. -
  11. Support for the Connection Tracking Match Extension has been added. - This extension is available in recent kernel/iptables releases and allows - for rules which match against elements in netfilter's connection tracking - table. Shorewall automatically detects the availability of this extension - and reports its availability in the output of the start, restart and - check commands.
    -
    - Shorewall has detected the following iptables/netfilter capabilities:
    -    NAT: Available
    -    Packet Mangling: Available
    -    Multi-port Match: Available
    -    Connection Tracking Match: Available
    - Verifying Configuration...
    -
    - If this extension is available, the ruleset generated by Shorewall is - changed in the following ways:
  12. -
    • -
    • To handle 'norfc1918' filtering, Shorewall will not create chains - in the mangle table but will rather do all 'norfc1918' filtering in - the filter table (rfc1918 chain).
    • -
    • Recall that Shorewall DNAT rules generate two netfilter rules; one - in the nat table and one in the filter table. If the Connection - Tracking Match Extension is available, the rule in the filter table - is extended to check that the original destination address was the - same as specified (or defaulted to) in the DNAT rule.
      -
      -
    • -
    -
  13. -
  14. The shell used to interpret the firewall script - (/usr/share/shorewall/firewall) may now be specified using the - SHOREWALL_SHELL parameter in shorewall.conf.
    -
    -
  15. -
  16. An 'ipcalc' command has been added to /sbin/shorewall.
    -
    -       ipcalc [ <address> <netmask> | - <address>/<vlsm> ]
    -
    - Examples:
    -
    -       [root@wookie root]# shorewall ipcalc - 192.168.1.0/24
    -          CIDR=192.168.1.0/24
    -          NETMASK=255.255.255.0
    -          NETWORK=192.168.1.0
    -          - BROADCAST=192.168.1.255
    -       [root@wookie root]#
    -
    -       [root@wookie root]# shorewall ipcalc - 192.168.1.0 255.255.255.0
    -          CIDR=192.168.1.0/24
    -          NETMASK=255.255.255.0
    -          NETWORK=192.168.1.0
    -          - BROADCAST=192.168.1.255
    -       [root@wookie root]#
    -
    - Warning:
    -
    - If your shell only supports 32-bit signed arithmatic (ash or dash), then - the ipcalc command produces incorrect information for IP addresses - 128.0.0.0-1 and for /1 networks. Bash should produce correct information - for all valid IP addresses.
    -
    -
  17. -
  18. An 'iprange' command has been added to /sbin/shorewall.
    -
    -       iprange <address>-<address>
    -
    - This command decomposes a range of IP addressses into a list of network - and host addresses. The command can be useful if you need to construct an - efficient set of rules that accept connections from a range of network - addresses.
    -
    - Note: If your shell only supports 32-bit signed arithmetic (ash or dash) - then the range may not span 128.0.0.0.
    -
    - Example:
    -
    -       [root@gateway root]# shorewall iprange - 192.168.1.4-192.168.12.9
    -       192.168.1.4/30
    -       192.168.1.8/29
    -       192.168.1.16/28
    -       192.168.1.32/27
    -       192.168.1.64/26
    -       192.168.1.128/25
    -       192.168.2.0/23
    -       192.168.4.0/22
    -       192.168.8.0/22
    -       192.168.12.0/29
    -       192.168.12.8/31
    -       [root@gateway root]#
    -
    -
  19. -
  20. A list of host/net addresses is now allowed in an entry in - /etc/shorewall/hosts.
    -
    - Example:
    -
    -     foo    - eth1:192.168.1.0/24,192.168.2.0/24
  21. -
- -

7/7/2003 - Shorewall-1.4.6 Beta 2

- -

Problems Corrected:
-

-
    -
  1. A problem seen on RH7.3 systems where Shorewall encountered start - errors when started using the "service" mechanism has been worked - around.
    -
    -
  2. -
  3. Where a list of IP addresses appears in the DEST column of a DNAT[-] - rule, Shorewall incorrectly created multiple DNAT rules in the nat table - (one for each element in the list). Shorewall now correctly creates a - single DNAT rule with multiple "--to-destination" clauses.
    -
    -
  4. -
  5. Corrected a problem in Beta 1 where DNS names containing a "-" were - mis-handled when they appeared in the DEST column of a rule.
    -
  6. -
- -

Migration Issues:
-

-
    -
  1. In earlier versions, an undocumented feature allowed entries in the - host file as follows:
    -
    -     z    - eth1:192.168.1.0/24,eth2:192.168.2.0/24
    -
    - This capability was never documented and has been removed in 1.4.6 to - allow entries of the following format:
    -
    -     z   eth1:192.168.1.0/24,192.168.2.0/24
    -
    -
  2. -
  3. The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed - from /etc/shorewall/shorewall.conf. These capabilities are now - automatically detected by Shorewall (see below).
    -
  4. -
- -

New Features:
-

-
    -
  1. A 'newnotsyn' interface option has been added. This option may be - specified in /etc/shorewall/interfaces and overrides the setting - NEWNOTSYN=No for packets arriving on the associated interface.
    -
    -
  2. -
  3. The means for specifying a range of IP addresses in /etc/shorewall/masq - to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for - address ranges.
    -
    -
  4. -
  5. Shorewall can now add IP addresses to subnets other than the first one - on an interface.
    -
    -
  6. -
  7. DNAT[-] rules may now be used to load balance (round-robin) over a set - of servers. Servers may be specified in a range of addresses given as - <first address>-<last address>.
    -
    - Example:
    -
    -     DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
    -
    -
  8. -
  9. The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options - have been removed and have been replaced by code that detects whether - these capabilities are present in the current kernel. The output of the - start, restart and check commands have been enhanced to report the - outcome:
    -
    - Shorewall has detected the following iptables/netfilter capabilities:
    -    NAT: Available
    -    Packet Mangling: Available
    -    Multi-port Match: Available
    - Verifying Configuration...
    -
    -
  10. -
  11. Support for the Connection Tracking Match Extension has been added. - This extension is available in recent kernel/iptables releases and allows - for rules which match against elements in netfilter's connection tracking - table. Shorewall automatically detects the availability of this extension - and reports its availability in the output of the start, restart and - check commands.
    -
    - Shorewall has detected the following iptables/netfilter capabilities:
    -    NAT: Available
    -    Packet Mangling: Available
    -    Multi-port Match: Available
    -    Connection Tracking Match: Available
    - Verifying Configuration...
    -
    - If this extension is available, the ruleset generated by Shorewall is - changed in the following ways:
  12. -
    • -
    • To handle 'norfc1918' filtering, Shorewall will not create chains - in the mangle table but will rather do all 'norfc1918' filtering in - the filter table (rfc1918 chain).
    • -
    • Recall that Shorewall DNAT rules generate two netfilter rules; one - in the nat table and one in the filter table. If the Connection - Tracking Match Extension is available, the rule in the filter table - is extended to check that the original destination address was the - same as specified (or defaulted to) in the DNAT rule.
      -
      -
    • -
    -
  13. -
  14. The shell used to interpret the firewall script - (/usr/share/shorewall/firewall) may now be specified using the - SHOREWALL_SHELL parameter in shorewall.conf.
    -
    -
  15. -
  16. An 'ipcalc' command has been added to /sbin/shorewall.
    -
    -       ipcalc [ <address> <netmask> | - <address>/<vlsm> ]
    -
    - Examples:
    -
    -       [root@wookie root]# shorewall ipcalc - 192.168.1.0/24
    -          CIDR=192.168.1.0/24
    -          NETMASK=255.255.255.0
    -          NETWORK=192.168.1.0
    -          - BROADCAST=192.168.1.255
    -       [root@wookie root]#
    -
    -       [root@wookie root]# shorewall ipcalc - 192.168.1.0 255.255.255.0
    -          CIDR=192.168.1.0/24
    -          NETMASK=255.255.255.0
    -          NETWORK=192.168.1.0
    -          - BROADCAST=192.168.1.255
    -       [root@wookie root]#
    -
    - Warning:
    -
    - If your shell only supports 32-bit signed arithmatic (ash or dash), then - the ipcalc command produces incorrect information for IP addresses - 128.0.0.0-1 and for /1 networks. Bash should produce correct information - for all valid IP addresses.
    -
    -
  17. -
  18. An 'iprange' command has been added to /sbin/shorewall.
    -
    -       iprange <address>-<address>
    -
    - This command decomposes a range of IP addressses into a list of network - and host addresses. The command can be useful if you need to construct an - efficient set of rules that accept connections from a range of network - addresses.
    -
    - Note: If your shell only supports 32-bit signed arithmetic (ash or dash) - then the range may not span 128.0.0.0.
    -
    - Example:
    -
    -       [root@gateway root]# shorewall iprange - 192.168.1.4-192.168.12.9
    -       192.168.1.4/30
    -       192.168.1.8/29
    -       192.168.1.16/28
    -       192.168.1.32/27
    -       192.168.1.64/26
    -       192.168.1.128/25
    -       192.168.2.0/23
    -       192.168.4.0/22
    -       192.168.8.0/22
    -       192.168.12.0/29
    -       192.168.12.8/31
    -       [root@gateway root]#
    -
    -
  19. -
  20. A list of host/net addresses is now allowed in an entry in - /etc/shorewall/hosts.
    -
    - Example:
    -
    -     foo    - eth1:192.168.1.0/24,192.168.2.0/24
    -
    -
  21. -
- -

7/4/2003 - Shorewall-1.4.6 Beta 1

- -

Problems Corrected:
-

-
    -
  1. A problem seen on RH7.3 systems where Shorewall encountered start - errors when started using the "service" mechanism has been worked - around.
    -
    -
  2. -
  3. Where a list of IP addresses appears in the DEST column of a DNAT[-] - rule, Shorewall incorrectly created multiple DNAT rules in the nat table - (one for each element in the list). Shorewall now correctly creates a - single DNAT rule with multiple "--to-destination" clauses.
    -
  4. -
- -

New Features:
-

-
    -
  1. A 'newnotsyn' interface option has been added. This option may be - specified in /etc/shorewall/interfaces and overrides the setting - NEWNOTSYN=No for packets arriving on the associated interface.
    -
    -
  2. -
  3. The means for specifying a range of IP addresses in /etc/shorewall/masq - to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for - address ranges.
    -
    -
  4. -
  5. Shorewall can now add IP addresses to subnets other than the first one - on an interface.
    -
    -
  6. -
  7. DNAT[-] rules may now be used to load balance (round-robin) over a set - of servers. Up to 256 servers may be specified in a range of addresses - given as <first address>-<last address>.
    -
    - Example:
    -
    -     DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
    -
    - Note that this capability has previously been available using a - combination of a DNAT- rule and one or more ACCEPT rules. That technique - is still preferable for load-balancing over a large number of servers - (> 16) since specifying a range in the DNAT rule causes one filter - table ACCEPT rule to be generated for each IP address in the range.
    -
    -
  8. -
  9. The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options - have been removed and have been replaced by code that detects whether - these capabilities are present in the current kernel. The output of the - start, restart and check commands have been enhanced to report the - outcome:
    -
    - Shorewall has detected the following iptables/netfilter capabilities:
    -    NAT: Available
    -    Packet Mangling: Available
    -    Multi-port Match: Available
    - Verifying Configuration...
    -
    -
  10. -
  11. Support for the Connection Tracking Match Extension has been added. - This extension is available in recent kernel/iptables releases and allows - for rules which match against elements in netfilter's connection tracking - table. Shorewall automatically detects the availability of this extension - and reports its availability in the output of the start, restart and - check commands.
    -
    - Shorewall has detected the following iptables/netfilter capabilities:
    -    NAT: Available
    -    Packet Mangling: Available
    -    Multi-port Match: Available
    -    Connection Tracking Match: Available
    - Verifying Configuration...
    -
    - If this extension is available, the ruleset generated by Shorewall is - changed in the following ways:
  12. -
    • -
    • To handle 'norfc1918' filtering, Shorewall will not create chains - in the mangle table but will rather do all 'norfc1918' filtering in - the filter table (rfc1918 chain).
    • -
    • Recall that Shorewall DNAT rules generate two netfilter rules; one - in the nat table and one in the filter table. If the Connection - Tracking Match Extension is available, the rule in the filter table - is extended to check that the original destination address was the - same as specified (or defaulted to) in the DNAT rule.
      -
      -
    • -
    -
  13. -
  14. The shell used to interpret the firewall script - (/usr/share/shorewall/firewall) may now be specified using the - SHOREWALL_SHELL parameter in shorewall.conf.
    -
  15. -
- -

6/17/2003 - Shorewall-1.4.5

- -

Problems Corrected:
-

-
    -
  1. The command "shorewall debug try <directory>" now correctly - traces the attempt.
  2. -
  3. The INCLUDE directive now works properly in the zones file; previously, - INCLUDE in that file was ignored.
  4. -
  5. /etc/shorewall/routestopped records with an empty second column are no - longer ignored.
    -
  6. -
- -

New Features:
-

-
    -
  1. The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may now - contain a list of addresses. If the list begins with "!' then the rule - will take effect only if the original destination address in the - connection request does not match any of the addresses listed.
  2. -
- -

6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8

- -

The firewall at shorewall.net has been upgraded to the 2.4.21 kernel and -iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems -have been encountered with this set of software. The Shorewall version is -1.4.4b plus the accumulated changes for 1.4.5.
-

- -

6/8/2003 - Updated Samples

- -

Thanks to Francesca Smith, the samples have been updated to Shorewall -version 1.4.4.

- -

5/29/2003 - Shorewall-1.4.4b

- -

Groan -- This version corrects a problem whereby the --log-level was not -being set when logging via syslog. The most commonly reported symptom was -that Shorewall messages were being written to the console even though console -logging was correctly configured per FAQ 16.
-

- -

5/27/2003 - Shorewall-1.4.4a

-The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed out that -the code in 1.4.4 restricts the length of short zone names to 4 characters. -I've produced version 1.4.4a that restores the previous 5-character limit by -conditionally omitting the log rule number when the LOGFORMAT doesn't contain -'%d'.
- - -

5/23/2003 - Shorewall-1.4.4

-I apologize for the rapid-fire releases but since there is a potential -configuration change required to go from 1.4.3a to 1.4.4, I decided to make -it a full release rather than just a bug-fix release.
-
-    Problems corrected:
- - -
- None.
-
-    New Features:
-
-
    -
  1. A REDIRECT- rule target has been added. This target behaves for - REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter nat - table REDIRECT rule is added but not the companion filter table ACCEPT - rule.
    -
    -
  2. -
  3. The LOGMARKER variable has been renamed LOGFORMAT and has been changed - to a 'printf' formatting template which accepts three arguments (the - chain name, logging rule number and the disposition). To use LOGFORMAT - with fireparse (http://www.fireparse.com), set it - as:
    -  
    -        LOGFORMAT="fp=%s:%d a=%s "
    -  
    - CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT - string (up to but not including the first '%') to find log messages in - the 'show log', 'status' and 'hits' commands. This part should not be - omitted (the LOGFORMAT should not begin with "%") and the leading part - should be sufficiently unique for /sbin/shorewall to identify Shorewall - messages.
    -
    -
  4. -
  5. When logging is specified on a DNAT[-] or REDIRECT[-] rule, the logging - now takes place in the nat table rather than in the filter table. This - way, only those connections that actually undergo DNAT or redirection - will be logged.
    -
  6. -
- -

5/20/2003 - Shorewall-1.4.3a
-

-This version primarily corrects the documentation included in the .tgz and in -the .rpm. In addition:
- -
    -
  1. (This change is in 1.4.3 but is not documented) If you are running - iptables 1.2.7a and kernel 2.4.20, then Shorewall will return reject - replies as follows:
    -    a) tcp - RST
    -    b) udp - ICMP port unreachable
    -    c) icmp - ICMP host unreachable
    -    d) Otherwise - ICMP host prohibited
    - If you are running earlier software, Shorewall will follow it's - traditional convention:
    -    a) tcp - RST
    -    b) Otherwise - ICMP port unreachable
  2. -
  3. UDP port 135 is now silently dropped in the common.def chain. Remember - that this chain is traversed just before a DROP or REJECT policy is - enforced.
    -
  4. -
- -

5/18/2003 - Shorewall 1.4.3
-

-    Problems Corrected:
-
-
    -
  1. There were several cases where Shorewall would fail to remove a - temporary directory from /tmp. These cases have been corrected.
  2. -
  3. The rules for allowing all traffic via the loopback interface have been - moved to before the rule that drops status=INVALID packets. This insures - that all loopback traffic is allowed even if Netfilter connection - tracking is confused.
  4. -
-    New Features:
-
-
    -
  1.  IPV6-IPV4 (6to4) tunnels are now supported in the - /etc/shorewall/tunnels file.
  2. -
  3. You may now change the leading portion of the --log-prefix - used by Shorewall using the LOGMARKER variable in shorewall.conf. By - default, "Shorewall:" is used.
    -
  4. -
- -

5/10/2003 - Shorewall Mirror in Asia
-

- -

Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
-

- -

5/8/2003 - Shorewall Mirror in Chile

-Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile. - -

4/21/2003 - Samples updated for Shorewall version 1.4.2

- -

Thanks to Francesca Smith, the sample configurations are now upgraded to -Shorewall version 1.4.2.

- -

4/9/2003 - Shorewall 1.4.2
-

- -

    Problems Corrected:

- -
-
    -
  1. TCP connection requests rejected out of the common chain are - now properly rejected with TCP RST; previously, some of these requests - were rejected with an ICMP port-unreachable response.
  2. -
  3. 'traceroute -I' from behind the firewall previously timed out on the - first hop (e.g., to the firewall). This has been worked around.
  4. -
-
- -

    New Features:

-
    -
  1. Where an entry in the/etc/shorewall/hosts file specifies a particular - host or network, Shorewall now creates an intermediate chain for handling - input from the related zone. This can substantially reduce the number of - rules traversed by connections requests from such zones.
    -
    -
  2. -
  3. Any file may include an INCLUDE directive. An INCLUDE directive - consists of the word INCLUDE followed by a file name and causes the - contents of the named file to be logically included into the file - containing the INCLUDE. File names given in an INCLUDE directive are - assumed to reside in /etc/shorewall or in an alternate configuration - directory if one has been specified for the command.
    -  
    -    Examples:
    -    shorewall/params.mgmt:
    -    MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
    -    TIME_SERVERS=4.4.4.4
    -    BACKUP_SERVERS=5.5.5.5
    -    ----- end params.mgmt -----
    -  
    -  
    -    shorewall/params:
    -    # Shorewall 1.3 /etc/shorewall/params
    -    [..]
    -    #######################################
    -  
    -    INCLUDE params.mgmt   
    -  
    -    # params unique to this host here
    -    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT - REMOVE
    -    ----- end params -----
    -  
    -  
    -    shorewall/rules.mgmt:
    -    ACCEPT - net:$MGMT_SERVERS          - $FW    tcp    22
    -    ACCEPT - $FW          - net:$TIME_SERVERS    udp    123
    -    ACCEPT - $FW          - net:$BACKUP_SERVERS  tcp    22
    -    ----- end rules.mgmt -----
    -  
    -    shorewall/rules:
    -    # Shorewall version 1.3 - Rules File
    -    [..]
    -    #######################################
    -  
    -    INCLUDE rules.mgmt    
    -  
    -    # rules unique to this host here
    -    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT - REMOVE
    -    ----- end rules -----
    -  
    - INCLUDE's may be nested to a level of 3 -- further nested INCLUDE - directives are ignored with a warning message.
    -
    -
  4. -
  5. Routing traffic from an interface back out that interface continues to - be a problem. While I firmly believe that this should never happen, - people continue to want to do it. To limit the damage that such nonsense - produces, I have added a new 'routeback' option in - /etc/shorewall/interfaces and /etc/shorewall/hosts. When used in - /etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in - other words, 'routeback' can't be used as an option for a multi-zone - interface. The 'routeback' option CAN be specified however on individual - group entries in /etc/shorewall/hosts.
    -  
    - The 'routeback' option is similar to the old 'multi' option with two - exceptions:
    -  
    -    a) The option pertains to a particular - zone,interface,address tuple.
    -  
    -    b) The option only created infrastructure to pass traffic - from (zone,interface,address) tuples back to themselves (the 'multi' - option affected all (zone,interface,address) tuples associated with the - given 'interface').
    -  
    - See the 'Upgrade Issues' for information - about how this new option may affect your configuration.
    -
  6. -
- -

3/24/2003 - Shorewall 1.4.1

- -

This release follows up on 1.4.0. It corrects a problem introduced in -1.4.0 and removes additional warts.
-
-Problems Corrected:
-

-
    -
  1. When Shorewall 1.4.0 is run under the ash shell (such as on - Bering/LEAF), it can attempt to add ECN disabling rules even if the - /etc/shorewall/ecn file is empty. That problem has been corrected so that - ECN disabling rules are only added if there are entries in - /etc/shorewall/ecn.
  2. -
-New Features:
- - -
- Note: In the list that follows, the term group refers to a - particular network or subnetwork (which may be 0.0.0.0/0 or it may be a - host address) accessed through a particular interface. Examples:
- - -
- eth0:0.0.0.0/0
- eth2:192.168.1.0/24
- eth3:192.0.2.123
-
- You can use the "shorewall check" command to see the groups associated with - each of your zones.
-
-
    -
  1. Beginning with Shorewall 1.4.1, if a zone Z comprises more than one - group then if there is no explicit Z to Z policy and there are no rules - governing traffic from Z to Z then Shorewall will permit all traffic - between the groups in the zone.
  2. -
  3. Beginning with Shorewall 1.4.1, Shorewall will never create rules to - handle traffic from a group to itself.
  4. -
  5. A NONE policy is introduced in 1.4.1. When a policy of NONE is - specified from Z1 to Z2:
  6. -
-
    -
  • There may be no rules created that govern connections from Z1 to - Z2.
  • -
  • Shorewall will not create any infrastructure to handle traffic from Z1 - to Z2.
  • -
-See the upgrade issues for a discussion of -how these changes may affect your configuration. - -

3/17/2003 - Shorewall 1.4.0

-Shorewall 1.4 represents the next step in the evolution of Shorewall. The -main thrust of the initial release is simply to remove the cruft that has -accumulated in Shorewall over time.
-
-IMPORTANT: Shorewall 1.4.0 requires the iproute package ('ip' -utility).
-
-Function from 1.3 that has been omitted from this version include:
- -
    -
  1. The MERGE_HOSTS variable in shorewall.conf is no longer supported. - Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.
    -
    -
  2. -
  3. Interface names of the form <device>:<integer> in - /etc/shorewall/interfaces now generate an error.
    -
    -
  4. -
  5. Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. - OLD_PING_HANDLING=Yes will generate an error at startup as will - specification of the 'noping' or 'filterping' interface options.
    -
    -
  6. -
  7. The 'routestopped' option in the /etc/shorewall/interfaces and - /etc/shorewall/hosts files is no longer supported and will generate an - error at startup if specified.
    -
    -
  8. -
  9. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer - accepted.
    -
    -
  10. -
  11. The ALLOWRELATED variable in shorewall.conf is no longer supported. - Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
    -
    -
  12. -
  13. The icmp.def file has been removed.
    -
  14. -
-Changes for 1.4 include:
- -
    -
  1. The /etc/shorewall/shorewall.conf file has been completely reorganized - into logical sections.
    -
    -
  2. -
  3. LOG is now a valid action for a rule (/etc/shorewall/rules).
    -
    -
  4. -
  5. The firewall script and version file are now installed in - /usr/share/shorewall.
    -
    -
  6. -
  7. Late arriving DNS replies are now silently dropped in the common chain - by default.
    -
    -
  8. -
  9. In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no - longer unconditionally accepts outbound ICMP packets. So if you want to - 'ping' from the firewall, you will need the appropriate rule or - policy.
    -
    -
  10. -
  11. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
    -
    -
  12. -
  13. 802.11b devices with names of the form wlan<n> now support the - 'maclist' option.
    -
    -
  14. -
  15. Explicit Congestion Notification (ECN - RFC 3168) may now be turned off - on a host or network basis using the new /etc/shorewall/ecn file. To use - this facility:
    -
    -    a) You must be running kernel 2.4.20
    -    b) You must have applied the patch in
    -    http://www.shorewall/net/pub/shorewall/ecn/patch.
    -    c) You must have iptables 1.2.7a installed.
    -
    -
  16. -
  17. The /etc/shorewall/params file is now processed first so that variables - may be used in the /etc/shorewall/shorewall.conf file.
    -
    -
  18. -
  19. Shorewall now gives a more helpful diagnostic when the - 'ipchains' compatibility kernel module is loaded and a 'shorewall start' - command is issued.
    -
    -
  20. -
  21. The SHARED_DIR variable has been removed from shorewall.conf. This - variable was for use by package maintainers and was not documented for - general use.
    -
    -
  22. -
  23. Shorewall now ignores 'default' routes when detecting masq'd - networks.
  24. -
- -

3/10/2003 - Shoreall 1.3.14a

- -

A roleup of the following bug fixes and other updates:

-
    -
  • There is an updated rfc1918 file that reflects the resent allocation of - 222.0.0.0/8 and 223.0.0.0/8.
  • -
-
    -
  • The documentation for the routestopped file claimed that a - comma-separated list could appear in the second column while the code - only supported a single host or network address.
  • -
  • Log messages produced by 'logunclean' and 'dropunclean' were not - rate-limited.
  • -
  • 802.11b devices with names of the form wlan<n> don't - support the 'maclist' interface option.
  • -
  • Log messages generated by RFC 1918 filtering are not rate limited.
  • -
  • The firewall fails to start in the case where you have "eth0 eth1" in - /etc/shorewall/masq and the default route is through eth1
  • -
- -

2/8/2003 - Shoreawall 1.3.14

- -

New features include

-
    -
  1. An OLD_PING_HANDLING option has been added to shorewall.conf. When set - to Yes, Shorewall ping handling is as it has always been (see - http://www.shorewall.net/ping.html).
    -
    - When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and - policies just like any other connection request. The FORWARDPING=Yes - option in shorewall.conf and the 'noping' and 'filterping' options in - /etc/shorewall/interfaces will all generate an error.
    -
    -
  2. -
  3. It is now possible to direct Shorewall to create a "label" such - as  "eth0:0" for IP addresses that it creates under - ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying - the label instead of just the interface name:
    -  
    -    a) In the INTERFACE column of /etc/shorewall/masq
    -    b) In the INTERFACE column of /etc/shorewall/nat
    -  
  4. -
  5. Support for OpenVPN Tunnels.
    -
    -
  6. -
  7. Support for VLAN devices with names of the form $DEV.$VID (e.g., - eth0.0)
    -
    -
  8. -
  9. In /etc/shorewall/tcrules, the MARK value may be optionally followed by - ":" and either 'F' or 'P' to designate that the marking will occur in the - FORWARD or PREROUTING chains respectively. If this additional - specification is omitted, the chain used to mark packets will be - determined by the setting of the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
    -
    -
  10. -
  11. When an interface name is entered in the SUBNET column of the - /etc/shorewall/masq file, Shorewall previously masqueraded traffic from - only the first subnet defined on that interface. It did not masquerade - traffic from:
    -  
    -    a) The subnets associated with other addresses on the - interface.
    -    b) Subnets accessed through local routers.
    -  
    - Beginning with Shorewall 1.3.14, if you enter an interface name in the - SUBNET column, shorewall will use the firewall's routing table to - construct the masquerading/SNAT rules.
    -  
    - Example 1 -- This is how it works in 1.3.14.
    -   
    - -
       [root@gateway test]# cat /etc/shorewall/masq
    - #INTERFACE SUBNET ADDRESS
    - eth0 eth2 206.124.146.176
    - #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    -
       [root@gateway test]# ip route show dev eth2
    - 192.168.1.0/24 scope link
    - 192.168.10.0/24 proto kernel scope link src 192.168.10.254
    -
    -
       [root@gateway test]# shorewall start
    - ...
    - Masqueraded Subnets and Hosts:
    - To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
    - To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
    - Processing /etc/shorewall/tos...
    -  
    - When upgrading to Shorewall 1.3.14, if you have multiple local subnets - connected to an interface that is specified in the SUBNET column of an - /etc/shorewall/masq entry, your /etc/shorewall/masq file will need - changing. In most cases, you will simply be able to remove redundant - entries. In some cases though, you might want to change from using the - interface name to listing specific subnetworks if the change described - above will cause masquerading to occur on subnetworks that you don't wish - to masquerade.
    -  
    - Example 2 -- Suppose that your current config is as follows:
    -   
    - -
       [root@gateway test]# cat /etc/shorewall/masq
    - #INTERFACE SUBNET ADDRESS
    - eth0 eth2 206.124.146.176
    - eth0 192.168.10.0/24 206.124.146.176
    - #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    -
       [root@gateway test]# ip route show dev eth2
    - 192.168.1.0/24 scope link
    - 192.168.10.0/24 proto kernel scope link src 192.168.10.254
    - [root@gateway test]#
    -  
    -    In this case, the second entry in /etc/shorewall/masq is no - longer required.
    -  
    - Example 3 -- What if your current configuration is like this?
    -  
    - -
       [root@gateway test]# cat /etc/shorewall/masq
    - #INTERFACE SUBNET ADDRESS
    - eth0 eth2 206.124.146.176
    - #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    -
       [root@gateway test]# ip route show dev eth2
    - 192.168.1.0/24 scope link
    - 192.168.10.0/24 proto kernel scope link src 192.168.10.254
    - [root@gateway test]#
    -  
    -    In this case, you would want to change the entry in  - /etc/shorewall/masq to:
    - -
       #INTERFACE              SUBNET                  ADDRESS
    - eth0 192.168.1.0/24 206.124.146.176
    - #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    -
  12. -
- -


-2/5/2003 - Shorewall Support included in Webmin 1.060

- -

Webmin version 1.060 now has Shorewall support included as standard. See -http://www.webmin.com.
-
-2/4/2003 - Shorewall 1.3.14-RC1

- -

Includes the Beta 2 content plus support for OpenVPN tunnels.

- -

1/28/2003 - Shorewall 1.3.14-Beta2

- -

Includes the Beta 1 content plus restores VLAN device names of the form -$dev.$vid (e.g., eth0.1)

- -

1/25/2003 - Shorewall 1.3.14-Beta1
-

- -

The Beta includes the following changes:
-

-
    -
  1. An OLD_PING_HANDLING option has been added to shorewall.conf. When set - to Yes, Shorewall ping handling is as it has always been (see - http://www.shorewall.net/ping.html).
    -
    - When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and - policies just like any other connection request. The FORWARDPING=Yes - option in shorewall.conf and the 'noping' and 'filterping' options in - /etc/shorewall/interfaces will all generate an error.
    -
    -
  2. -
  3. It is now possible to direct Shorewall to create a "label" such - as  "eth0:0" for IP addresses that it creates under - ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying - the label instead of just the interface name:
    -  
    -    a) In the INTERFACE column of /etc/shorewall/masq
    -    b) In the INTERFACE column of /etc/shorewall/nat
    -  
  4. -
  5. When an interface name is entered in the SUBNET column of the - /etc/shorewall/masq file, Shorewall previously masqueraded traffic from - only the first subnet defined on that interface. It did not masquerade - traffic from:
    -  
    -    a) The subnets associated with other addresses on the - interface.
    -    b) Subnets accessed through local routers.
    -  
    - Beginning with Shorewall 1.3.14, if you enter an interface name in the - SUBNET column, shorewall will use the firewall's routing table to - construct the masquerading/SNAT rules.
    -  
    - Example 1 -- This is how it works in 1.3.14.
    -   
    - -
       [root@gateway test]# cat /etc/shorewall/masq
    - #INTERFACE SUBNET ADDRESS
    - eth0 eth2 206.124.146.176
    - #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    -
       [root@gateway test]# ip route show dev eth2
    - 192.168.1.0/24 scope link
    - 192.168.10.0/24 proto kernel scope link src 192.168.10.254
    -
    -
       [root@gateway test]# shorewall start
    - ...
    - Masqueraded Subnets and Hosts:
    - To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
    - To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
    - Processing /etc/shorewall/tos...
    -  
    - When upgrading to Shorewall 1.3.14, if you have multiple local subnets - connected to an interface that is specified in the SUBNET column of an - /etc/shorewall/masq entry, your /etc/shorewall/masq file will need - changing. In most cases, you will simply be able to remove redundant - entries. In some cases though, you might want to change from using the - interface name to listing specific subnetworks if the change described - above will cause masquerading to occur on subnetworks that you don't wish - to masquerade.
    -  
    - Example 2 -- Suppose that your current config is as follows:
    -   
    - -
       [root@gateway test]# cat /etc/shorewall/masq
    - #INTERFACE SUBNET ADDRESS
    - eth0 eth2 206.124.146.176
    - eth0 192.168.10.0/24 206.124.146.176
    - #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    -
       [root@gateway test]# ip route show dev eth2
    - 192.168.1.0/24 scope link
    - 192.168.10.0/24 proto kernel scope link src 192.168.10.254
    - [root@gateway test]#
    -  
    -    In this case, the second entry in /etc/shorewall/masq is no - longer required.
    -  
    - Example 3 -- What if your current configuration is like this?
    -  
    - -
       [root@gateway test]# cat /etc/shorewall/masq
    - #INTERFACE SUBNET ADDRESS
    - eth0 eth2 206.124.146.176
    - #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    -
       [root@gateway test]# ip route show dev eth2
    - 192.168.1.0/24 scope link
    - 192.168.10.0/24 proto kernel scope link src 192.168.10.254
    - [root@gateway test]#
    -  
    -    In this case, you would want to change the entry in  - /etc/shorewall/masq to:
    - -
       #INTERFACE              SUBNET                  ADDRESS
    - eth0 192.168.1.0/24 206.124.146.176
    - #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    -
  6. -
- -

1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format

- -

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 -documenation. the PDF may be downloaded from

-    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
-    http://slovakia.shorewall.net/pub/shorewall/pdf/ - -

1/17/2003 - shorewall.net has MOVED 

- -

Thanks to the generosity of Alex Martin and Rett Consulting, www.shorewall.net and -ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A big -thanks to Alex for making this happen.
-

- -

1/13/2003 - Shorewall 1.3.13
-

- -

Just includes a few things that I had on the burner:
-

-
    -
  1. A new 'DNAT-' action has been added for entries in the - /etc/shorewall/rules file. DNAT- is intended for advanced users who wish - to minimize the number of rules that connection requests must - traverse.
    -
    - A Shorewall DNAT rule actually generates two iptables rules: a header - rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' - table. A DNAT- rule only generates the first of these rules. This is - handy when you have several DNAT rules that would generate the same - ACCEPT rule.
    -
    -    Here are three rules from my previous rules file:
    -
    -         DNAT   net  - dmz:206.124.146.177 tcp smtp - 206.124.146.178
    -         DNAT   net  - dmz:206.124.146.177 tcp smtp - 206.124.146.179
    -         ACCEPT net  - dmz:206.124.146.177 tcp www,smtp,ftp,...
    -
    -    These three rules ended up generating _three_ copies of
    -
    -          ACCEPT net  - dmz:206.124.146.177 tcp smtp
    -
    -    By writing the rules this way, I end up with only one copy - of the ACCEPT rule.
    -
    -         DNAT-  net  - dmz:206.124.146.177 tcp smtp -  206.124.146.178
    -         DNAT-  net  - dmz:206.124.146.177 tcp smtp -  206.124.146.179
    -         ACCEPT net  - dmz:206.124.146.177 tcp www,smtp,ftp,....
    -
    -
  2. -
  3. The 'shorewall check' command now prints out the applicable policy - between each pair of zones.
    -
    -
  4. -
  5. A new CLEAR_TC option has been added to shorewall.conf. If this option - is set to 'No' then Shorewall won't clear the current traffic control - rules during [re]start. This setting is intended for use by people that - prefer to configure traffic shaping when the network interfaces come up - rather than when the firewall is started. If that is what you want to do, - set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an - /etc/shorewall/tcstart file. That way, your traffic shaping rules can - still use the 'fwmark' classifier based on packet marking defined in - /etc/shorewall/tcrules.
    -
    -
  6. -
  7. A new SHARED_DIR variable has been added that allows distribution - packagers to easily move the shared directory (default - /usr/lib/shorewall). Users should never have a need to change the value - of this shorewall.conf setting.
    -
  8. -
- -

1/6/2003 - BURNOUT

- -

Until further notice, I will not be involved in either Shorewall -Development or Shorewall Support

- -

-Tom Eastep
-

- -

12/30/2002 - Shorewall Documentation in PDF Format

- -

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 -documenation. the PDF may be downloaded from

- -

    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
-    http://slovakia.shorewall.net/pub/shorewall/pdf/
-

- -

12/27/2002 - Shorewall 1.3.12 Released

- -

Features include:
-

-
    -
  1. "shorewall refresh" now reloads the traffic shaping rules (tcrules and - tcstart).
  2. -
  3. "shorewall debug [re]start" now turns off debugging after an error - occurs. This places the point of the failure near the end of the trace - rather than up in the middle of it.
  4. -
  5. "shorewall [re]start" has been speeded up by more than 40% with my - configuration. Your milage may vary.
  6. -
  7. A "shorewall show classifiers" command has been added which shows the - current packet classification filters. The output from this command is - also added as a separate page in "shorewall monitor"
  8. -
  9. ULOG (must be all caps) is now accepted as a valid syslog level and - causes the subject packets to be logged using the ULOG target rather than - the LOG target. This allows you to run ulogd (available from http://www.netfilter.org/projects/ulogd/index.html) - and log all Shorewall messages to a - separate log file.
  10. -
  11. If you are running a kernel that has a FORWARD chain in the mangle - table ("shorewall show mangle" will show you the chains in the mangle - table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows for marking - input packets based on their destination even when you are using - Masquerading or SNAT.
  12. -
  13. I have cluttered up the /etc/shorewall directory with empty 'init', - 'start', 'stop' and 'stopped' files. If you already have a file with one - of these names, don't worry -- the upgrade process won't overwrite your - file.
  14. -
  15. I have added a new RFC1918_LOG_LEVEL variable to shorewall.conf. This variable specifies - the syslog level at which packets are logged as a result of entries in - the /etc/shorewall/rfc1918 file. Previously, these packets were always - logged at the 'info' level.
    -
  16. -
- -

12/20/2002 - Shorewall 1.3.12 Beta 3
-

-This version corrects a problem with Blacklist logging. In Beta 2, if -BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would fail to -start and "shorewall refresh" would also fail.
- - -

12/20/2002 - Shorewall 1.3.12 Beta 2

- -

The first public Beta version of Shorewall 1.3.12 is now available (Beta 1 -was made available only to a limited audience).
-

-Features include:
- -
    -
  1. "shorewall refresh" now reloads the traffic shaping rules (tcrules and - tcstart).
  2. -
  3. "shorewall debug [re]start" now turns off debugging after an error - occurs. This places the point of the failure near the end of the trace - rather than up in the middle of it.
  4. -
  5. "shorewall [re]start" has been speeded up by more than 40% with my - configuration. Your milage may vary.
  6. -
  7. A "shorewall show classifiers" command has been added which shows the - current packet classification filters. The output from this command is - also added as a separate page in "shorewall monitor"
  8. -
  9. ULOG (must be all caps) is now accepted as a valid syslog level and - causes the subject packets to be logged using the ULOG target rather than - the LOG target. This allows you to run ulogd (available from http://www.netfilter.org/projects/ulogd/index.html) - and log all Shorewall messages to a - separate log file.
  10. -
  11. If you are running a kernel that has a FORWARD chain in the mangle - table ("shorewall show mangle" will show you the chains in the mangle - table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This - allows for marking input packets based on their destination even when you - are using Masquerading or SNAT.
  12. -
  13. I have cluttered up the /etc/shorewall directory with empty 'init', - 'start', 'stop' and 'stopped' files. If you already have a file with one - of these names, don't worry -- the upgrade process won't overwrite your - file.
  14. -
-You may download the Beta from:
- - -
- http://www.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
- -

12/12/2002 - Mandrake Multi Network Firewall -

-Shorewall is at the center of MandrakeSoft's recently-announced Multi -Network Firewall (MNF) product. Here is the press -release.
- - -

12/7/2002 - Shorewall Support for Mandrake 9.0

- -

Two months and 3 days after I ordered Mandrake 9.0, it was finally -delivered. I have installed 9.0 on one of my systems and I am now in a -position to support Shorewall users who run Mandrake 9.0.

- -

12/6/2002 - Debian 1.3.11a Packages Available
-

- -

Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

- -

12/3/2002 - Shorewall 1.3.11a

- -

This is a bug-fix roll up which includes Roger Aich's fix for DNAT with -excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users who don't -need rules of this type need not upgrade to 1.3.11.

- -

11/24/2002 - Shorewall 1.3.11

- -

In this version:

-
    -
  • A 'tcpflags' option has been added to entries in /etc/shorewall/interfaces. This - option causes Shorewall to make a set of sanity check on TCP packet - header flags.
  • -
  • It is now allowed to use 'all' in the SOURCE or DEST column in a rule. When used, 'all' must appear by - itself (in may not be qualified) and it does not enable intra-zone - traffic. For example, the rule
    -
    -     ACCEPT loc all tcp 80
    -
    - does not enable http traffic from 'loc' to 'loc'.
  • -
  • Shorewall's use of the 'echo' command is now compatible with bash - clones such as ash and dash.
  • -
  • fw->fw policies now generate a startup error. fw->fw rules - generate a warning and are ignored
  • -
- -

11/14/2002 - Shorewall Documentation in PDF Format

- -

Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 -documenation. the PDF may be downloaded from

- -

    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
-    http://slovakia.shorewall.net/pub/shorewall/pdf/
-

- -

11/09/2002 - Shorewall is Back at SourceForge

- -

The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.
-

- -

11/09/2002 - Shorewall 1.3.10

- -

In this version:

- - -

10/24/2002 - Shorewall is now in Gentoo Linux
-

-Alexandru Hartmann reports that his Shorewall package is now a part of the Gentoo Linux distribution. Thanks -Alex!
- - -

10/23/2002 - Shorewall 1.3.10 Beta 1

-In this version:
- - -You may download the Beta from:
- - - -

10/10/2002 -  Debian 1.3.9b Packages Available
-

- -

Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

- -

10/9/2002 - Shorewall 1.3.9b

-This release rolls up fixes to the installer and to the firewall script.
- - -

10/6/2002 - Shorewall.net now running on RH8.0
-

-The firewall and server here at shorewall.net are now running RedHat release -8.0.
-
-9/30/2002 - Shorewall 1.3.9a

-Roles up the fix for broken tunnels.
- - -

9/30/2002 - TUNNELS Broken in 1.3.9!!!

-There is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall --- copy that file to /usr/lib/shorewall/firewall.
- - -

9/28/2002 - Shorewall 1.3.9

- -

In this version:
-

-
    -
  • DNS Names are now - allowed in Shorewall config files (although I recommend against using - them).
  • -
  • The connection SOURCE may now be qualified by both interface and IP - address in a Shorewall rule.
  • -
  • Shorewall startup is now disabled after initial installation until the - file /etc/shorewall/startup_disabled is removed. This avoids nasty - surprises during reboot for users who install Shorewall but don't - configure it.
  • -
  • The 'functions' and 'version' files and the 'firewall' symbolic link - have been moved from /var/lib/shorewall to /usr/lib/shorewall to appease - the LFS police at Debian.
    -
  • -
- -

9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability -Restored
-

-Brown Paper Bag A couple of recent configuration changes at www.shorewall.net -broke the Search facility:
- - -
-
    -
  1. Mailing List Archive Search was not available.
  2. -
  3. The Site Search index was incomplete
  4. -
  5. Only one page of matches was presented.
  6. -
-
-Hopefully these problems are now corrected. - -

9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability -Restored
-

-A couple of recent configuration changes at www.shorewall.net had the -negative effect of breaking the Search facility:
- -
    -
  1. Mailing List Archive Search was not available.
  2. -
  3. The Site Search index was incomplete
  4. -
  5. Only one page of matches was presented.
  6. -
-Hopefully these problems are now corrected.
- - -

9/18/2002 -  Debian 1.3.8 Packages Available
-

- -

Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

- -

9/16/2002 - Shorewall 1.3.8

- -

In this version:
-

-
    -
  • A NEWNOTSYN option has been added - to shorewall.conf. This option determines whether Shorewall accepts TCP - packets which are not part of an established connection and that are not - 'SYN' packets (SYN flag on and ACK flag off).
  • -
  • The need for the 'multi' option to communicate between zones za and zb - on the same interface is removed in the case where the chain 'za2zb' - and/or 'zb2za' exists. 'za2zb' will exist if:
  • -
    • -
    • There is a policy for za to zb; or
    • -
    • There is at least one rule for za to zb.
    • -
    -
  • -
-
    -
  • The /etc/shorewall/blacklist file now contains three columns. In - addition to the SUBNET/ADDRESS column, there are optional PROTOCOL and - PORT columns to block only certain applications from the blacklisted - addresses.
    -
  • -
- -

9/11/2002 - Debian 1.3.7c Packages Available

- -

Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

- -

9/2/2002 - Shorewall 1.3.7c

- -

This is a role up of a fix for "DNAT" rules where the source zone is $FW -(fw).

- -

8/31/2002 - I'm not available

- -

I'm currently on vacation  -- please respect my need for a couple of -weeks free of Shorewall problem reports.

- -

-Tom

- -

8/26/2002 - Shorewall 1.3.7b

- -

This is a role up of the "shorewall refresh" bug fix and the change which -reverses the order of "dhcp" and "norfc1918" checking.

- -

8/26/2002 - French FTP Mirror is Operational

- -

ftp://france.shorewall.net/pub/mirrors/shorewall -is now available.

- -

8/25/2002 - Shorewall Mirror in France

- -

Thanks to a Shorewall user in Paris, the Shorewall web site is now -mirrored at http://france.shorewall.net.

- -

8/25/2002 - Shorewall 1.3.7a Debian Packages Available

- -

Lorenzo Martignoni reports that the packages for version 1.3.7a are -available at http://security.dsi.unimi.it/~lorenzo/debian.html.

- -

8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author --- Shorewall 1.3.7a released

- -

1.3.7a corrects problems occurring in rules file processing when starting -Shorewall 1.3.7.

- -

8/22/2002 - Shorewall 1.3.7 Released 8/13/2002

- -

Features in this release include:

-
    -
  • The 'icmp.def' file is now empty! The rules in that file were required - in ipchains firewalls but are not required in Shorewall. Users who have - ALLOWRELATED=No in shorewall.conf - should see the Upgrade Issues.
  • -
  • A 'FORWARDPING' option has been added to shorewall.conf. The effect of setting - this variable to Yes is the same as the effect of adding an ACCEPT rule - for ICMP echo-request in /etc/shorewall/icmpdef. Users - who have such a rule in icmpdef are encouraged to switch to - FORWARDPING=Yes.
  • -
  • The loopback CLASS A Network (127.0.0.0/8) has been added to the - rfc1918 file.
  • -
  • Shorewall now works with iptables 1.2.7
  • -
  • The documentation and web site no longer uses FrontPage themes.
  • -
- -

I would like to thank John Distler for his valuable input regarding TCP -SYN and ICMP treatment in Shorewall. That input has led to marked improvement -in Shorewall in the last two releases.

- -

8/13/2002 - Documentation in the CVS -Repository

- -

The Shorewall-docs project now contains just the HTML and image files - -the Frontpage files have been removed.

- -

8/7/2002 - STABLE branch added to CVS -Repository

- -

This branch will only be updated after I release a new version of -Shorewall so you can always update from this branch to get the latest stable -tree.

- -

8/7/2002 - Upgrade Issues section -added to the Errata Page

- -

Now there is one place to go to look for issues involved with upgrading to -recent versions of Shorewall.

- -

8/7/2002 - Shorewall 1.3.6

- -

This is primarily a bug-fix rollup with a couple of new features:

- - -

7/30/2002 - Shorewall 1.3.5b Released

- -

This interim release:

-
    -
  • Causes the firewall script to remove the lock file if it is killed.
  • -
  • Once again allows lists in the second column of the /etc/shorewall/hosts file.
  • -
  • Includes the latest QuickStart - Guides.
  • -
- -

7/29/2002 - New Shorewall Setup Guide Available

- -

The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm. -The guide is intended for use by people who are setting up Shorewall to -manage multiple public IP addresses and by people who want to learn more -about Shorewall than is described in the single-address guides. Feedback on -the new guide is welcome.

- -

7/28/2002 - Shorewall 1.3.5 Debian Package Available

- -

Lorenzo Martignoni reports that the packages are version 1.3.5a and are -available at http://security.dsi.unimi.it/~lorenzo/debian.html.

- -

7/27/2002 - Shorewall 1.3.5a Released

- -

This interim release restores correct handling of REDIRECT rules.

- -

7/26/2002 - Shorewall 1.3.5 Released

- -

This will be the last Shorewall release for a while. I'm going to be -focusing on rewriting a lot of the documentation.

- -

  In this version:

-
    -
  • Empty and invalid source and destination qualifiers are now detected in - the rules file. It is a good idea to use the 'shorewall check' command - before you issue a 'shorewall restart' command be be sure that you don't - have any configuration problems that will prevent a successful - restart.
  • -
  • Added MERGE_HOSTS variable in shorewall.conf to provide saner - behavior of the /etc/shorewall/hosts file.
  • -
  • The time that the counters were last reset is now displayed in the - heading of the 'status' and 'show' commands.
  • -
  • A proxyarp option has been added for entries in /etc/shorewall/interfaces. This - option facilitates Proxy ARP sub-netting as described in the Proxy ARP - subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). - Specifying the proxyarp option for an interface causes Shorewall to set - /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
  • -
  • The Samples have been updated to reflect the new capabilities in this - release.
  • -
- -

7/16/2002 - New Mirror in Argentina

- -

Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in -Argentina. Thanks Buanzo!!!

- -

7/16/2002 - Shorewall 1.3.4 Released

- -

In this version:

-
    -
  • A new /etc/shorewall/routestopped - file has been added. This file is intended to eventually replace the - routestopped option in the /etc/shorewall/interface and - /etc/shorewall/hosts files. This new file makes remote firewall - administration easier by allowing any IP or subnet to be enabled while - Shorewall is stopped.
  • -
  • An /etc/shorewall/stopped extension - script has been added. This script is invoked after Shorewall has - stopped.
  • -
  • A DETECT_DNAT_ADDRS option has been added to /etc/shoreall/shorewall.conf. When this - option is selected, DNAT rules only apply when the destination address is - the external interface's primary IP address.
  • -
  • The QuickStart Guide has - been broken into three guides and has been almost entirely rewritten.
  • -
  • The Samples have been updated to reflect the new capabilities in this - release.
  • -
- -

7/8/2002 - Shorewall 1.3.3 Debian Package Available

- -

Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

- -

7/6/2002 - Shorewall 1.3.3 Released

- -

In this version:

-
    -
  • Entries in /etc/shorewall/interface that use the wildcard character - ("+") now have the "multi" option assumed.
  • -
  • The 'rfc1918' chain in the mangle table has been renamed 'man1918' to - make log messages generated from that chain distinguishable from those - generated by the 'rfc1918' chain in the filter table.
  • -
  • Interface names appearing in the hosts file are now validated against - the interfaces file.
  • -
  • The TARGET column in the rfc1918 file is now checked for - correctness.
  • -
  • The chain structure in the nat table has been changed to reduce the - number of rules that a packet must traverse and to correct problems with - NAT_BEFORE_RULES=No
  • -
  • The "hits" command has been enhanced.
  • -
- -

6/25/2002 - Samples Updated for 1.3.2

- -

The comments in the sample configuration files have been updated to -reflect new features introduced in Shorewall 1.3.2.

- -

6/25/2002 - Shorewall 1.3.1 Debian Package Available

- -

Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

- -

6/19/2002 - Documentation Available in PDF Format

- -

Thanks to Mike Martinez, the Shorewall Documentation is now available for -download in Adobe PDF format.

- -

6/16/2002 - Shorewall 1.3.2 Released

- -

In this version:

- - -

6/6/2002 - Why CVS Web access is Password Protected

- -

Last weekend, I installed the CVS Web package to provide brower-based -access to the Shorewall CVS repository. Since then, I have had several -instances where my server was almost unusable due to the high load generated -by website copying tools like HTTrack and WebStripper. These mindless -tools:

-
    -
  • Ignore robot.txt files.
  • -
  • Recursively copy everything that they find.
  • -
  • Should be classified as weapons rather than tools.
  • -
- -

These tools/weapons are particularly damaging when combined with CVS Web -because they doggedly follow every link in the cgi-generated HTML resulting -in 1000s of executions of the cvsweb.cgi script. Yesterday, I spend several -hours implementing measures to block these tools but unfortunately, these -measures resulted in my server OOM-ing under even moderate load.

- -

Until I have the time to understand the cause of the OOM (or until I buy -more RAM if that is what is required), CVS Web access will remain Password -Protected.

- -

6/5/2002 - Shorewall 1.3.1 Debian Package Available

- -

Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

- -

6/2/2002 - Samples Corrected

- -

The 1.3.0 samples configurations had several serious problems that -prevented DNS and SSH from working properly. These problems have been -corrected in the 1.3.1 samples.

- -

6/1/2002 - Shorewall 1.3.1 Released

- -

Hot on the heels of 1.3.0, this release:

-
    -
  • Corrects a serious problem with "all <zone> CONTINUE" - policies. This problem is present in all versions of Shorewall that - support the CONTINUE policy. These previous versions optimized away the - "all2<zone>" chain and replaced it with the "all2all" chain - with the usual result that a policy of REJECT was enforced rather than - the intended CONTINUE policy.
  • -
  • Adds an /etc/shorewall/rfc1918 - file for defining the exact behavior of the 'norfc1918' interface option.
  • -
- -

5/29/2002 - Shorewall 1.3.0 Released

- -

In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 -includes:

-
    -
  • A 'filterping' interface option that allows ICMP echo-request (ping) - requests addressed to the firewall to be handled by entries in - /etc/shorewall/rules and /etc/shorewall/policy.
  • -
- -

5/23/2002 - Shorewall 1.3 RC1 Available

- -

In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) -incorporates the following:

-
    -
  • Support for the /etc/shorewall/whitelist file has been withdrawn. If - you need whitelisting, see these instructions.
  • -
- -

5/19/2002 - Shorewall 1.3 Beta 2 Available

- -

In addition to the changes in Beta 1, this release which carries the -designation 1.2.91 adds:

-
    -
  • The structure of the firewall is changed markedly. There is now an - INPUT and a FORWARD chain for each interface; this reduces the number of - rules that a packet must traverse, especially in complicated setups.
  • -
  • Sub-zones may now be excluded from - DNAT and REDIRECT rules.
  • -
  • The names of the columns in a number of the configuration files have - been changed to be more consistent and self-explanatory and the - documentation has been updated accordingly.
  • -
  • The sample configurations have been updated for 1.3.
  • -
- -

5/17/2002 - Shorewall 1.3 Beta 1 Available

- -

Beta 1 carries the version designation 1.2.90 and implements the following -features:

-
    -
  • Simplified rule syntax which makes the intent of each rule clearer and - hopefully makes Shorewall easier to learn.
  • -
  • Upward compatibility with 1.2 configuration files has been maintained - so that current users can migrate to the new syntax at their - convenience.
  • -
  • WARNING:  Compatibility with the old - parameterized sample configurations has NOT been maintained. Users still - running those configurations should migrate to the new sample - configurations before upgrading to 1.3 Beta 1.
  • -
- -

5/4/2002 - Shorewall 1.2.13 is Available

- -

In this version:

- - -

4/30/2002 - Shorewall Debian News

- -

Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the Debian Testing -Branch and the Debian Unstable -Branch.

- -

4/20/2002 - Shorewall 1.2.12 is Available

-
    -
  • The 'try' command works again
  • -
  • There is now a single RPM that also works with SUSE.
  • -
- -

4/17/2002 - Shorewall Debian News

- -

Lorenzo Marignoni reports that:

- - -

Thanks, Lorenzo!

- -

4/16/2002 - Shorewall 1.2.11 RPM Available for SUSE

- -

Thanks to Stefan Mohr, there -is now a Shorewall 1.2.11 SUSE -RPM available.

- -

4/13/2002 - Shorewall 1.2.11 Available

- -

In this version:

-
    -
  • The 'try' command now accepts an optional timeout. If the timeout is - given in the command, the standard configuration will automatically be - restarted after the new configuration has been running for that length of - time. This prevents a remote admin from being locked out of the firewall - in the case where the new configuration starts but prevents access.
  • -
  • Kernel route filtering may now be enabled globally using the new - ROUTE_FILTER parameter in /etc/shorewall/shorewall.conf.
  • -
  • Individual IP source addresses and/or subnets may now be excluded from - masquerading/SNAT.
  • -
  • Simple "Yes/No" and "On/Off" values are now case-insensitive in - /etc/shorewall/shorewall.conf.
  • -
- -

4/13/2002 - Hamburg Mirror now has FTP

- -

Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall.  -Thanks Stefan!

- -

4/12/2002 - New Mirror in Hamburg

- -

Thanks to Stefan Mohr, there -is now a mirror of the Shorewall website at http://germany.shorewall.net.

- -

4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available

- -

Version 1.1 of the QuickStart -Guide is now available. Thanks to those who have read version 1.0 and -offered their suggestions. Corrections have also been made to the sample -scripts.

- -

4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available

- -

Version 1.0 of the QuickStart -Guide is now available. This Guide and its accompanying sample -configurations are expected to provide a replacement for the recently -withdrawn parameterized samples.

- -

4/8/2002 - Parameterized Samples Withdrawn

- -

Although the parameterized -samples have allowed people to get a firewall up and running quickly, -they have unfortunately set the wrong level of expectation among those who -have used them. I am therefore withdrawing support for the samples and I am -recommending that they not be used in new Shorewall installations.

- -

4/2/2002 - Updated Log Parser

- -

John Lodge has provided an -updated version of his CGI-based log -parser with corrected date handling.

- -

3/30/2002 - Shorewall Website Search Improvements

- -

The quick search on the home page now excludes the mailing list archives. -The Extended Search allows excluding the -archives or restricting the search to just the archives. An archive search -form is also available on the mailing list information -page.

- -

3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)

- - -

3/25/2002 - Log Parser Available

- -

John Lodge has provided a CGI-based log parser for Shorewall. Thanks -John.

- -

3/20/2002 - Shorewall 1.2.10 Released

- -

In this version:

-
    -
  • A "shorewall try" command has been added (syntax: shorewall try - <configuration directory>). This command attempts "shorewall - -c <configuration directory> start" and if that results in - the firewall being stopped due to an error, a "shorewall start" command - is executed. The 'try' command allows you to create a new configuration and attempt to start - it; if there is an error that leaves your firewall in the stopped state, - it will automatically be restarted using the default configuration (in - /etc/shorewall).
  • -
  • A new variable ADD_SNAT_ALIASES has been added to /etc/shorewall/shorewall.conf. If this - variable is set to "Yes", Shorewall will automatically add IP addresses - listed in the third column of the /etc/shorewall/masq file.
  • -
  • Copyright notices have been added to the documenation.
  • -
- -

3/11/2002 - Shorewall 1.2.9 Released

- -

In this version:

- - -

3/1/2002 - 1.2.8 Debian Package is Available

- -

See http://security.dsi.unimi.it/~lorenzo/debian.html

- -

2/25/2002 - New Two-interface Sample

- -

I've enhanced the two interface sample to allow access from the firewall -to servers in the local zone - http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz

- -

2/23/2002 - Shorewall 1.2.8 Released

- -

Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects -problems associated with the lock file used to prevent multiple -state-changing operations from occuring simultaneously. My apologies for any -inconvenience my carelessness may have caused.

- -

2/22/2002 - Shorewall 1.2.7 Released

- -

In this version:

-
    -
  • UPnP probes (UDP destination port 1900) are now silently dropped in the - common chain
  • -
  • RFC 1918 checking in the mangle table has been streamlined to no longer - require packet marking. RFC 1918 checking in the filter table has been - changed to require half as many rules as previously.
  • -
  • A 'shorewall check' command has been added that does a cursory - validation of the zones, interfaces, hosts, rules and policy files.
  • -
- -

2/18/2002 - 1.2.6 Debian Package is Available

- -

See http://security.dsi.unimi.it/~lorenzo/debian.html

- -

2/8/2002 - Shorewall 1.2.6 Released

- -

In this version:

-
    -
  • $-variables may now be used anywhere in the configuration files except - /etc/shorewall/zones.
  • -
  • The interfaces and hosts files now have their contents validated before - any changes are made to the existing Netfilter configuration. The - appearance of a zone name that isn't defined in /etc/shorewall/zones - causes "shorewall start" and "shorewall restart" to abort without - changing the Shorewall state. Unknown options in either file cause a - warning to be issued.
  • -
  • A problem occurring when BLACKLIST_LOGLEVEL was not set has been - corrected.
  • -
- -

2/4/2002 - Shorewall 1.2.5 Debian Package Available

- -

see http://security.dsi.unimi.it/~lorenzo/debian.html

- -

2/1/2002 - Shorewall 1.2.5 Released

- -

Due to installation problems with Shorewall 1.2.4, I have released -Shorewall 1.2.5. Sorry for the rapid-fire development.

- -

In version 1.2.5:

-
    -
  • The installation problems have been corrected.
  • -
  • SNAT is now supported.
  • -
  • A "shorewall version" command has been added
  • -
  • The default value of the STATEDIR variable in - /etc/shorewall/shorewall.conf has been changed to /var/lib/shorewall in - order to conform to the GNU/Linux File Hierarchy Standard, Version - 2.2.
  • -
- -

1/28/2002 - Shorewall 1.2.4 Released

-
    -
  • The "fw" zone may now be given a - different name.
  • -
  • You may now place end-of-line comments (preceded by '#') in any of the - configuration files
  • -
  • There is now protection against against two state changing operations - occuring concurrently. This is implemented using the 'lockfile' utility - if it is available (lockfile is part of procmail); otherwise, a less - robust technique is used. The lockfile is created in the STATEDIR defined - in /etc/shorewall/shorewall.conf and has the name "lock".
  • -
  • "shorewall start" no longer fails if "detect" is specified in /etc/shorewall/interfaces for an - interface with subnet mask 255.255.255.255.
  • -
- -

1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html

- -

1/20/2002 - Corrected firewall script available 

- -

Corrects a problem with BLACKLIST_LOGLEVEL. See the -errata for details.

- -

1/19/2002 - Shorewall 1.2.3 Released

- -

This is a minor feature and bugfix release. The single new feature is:

-
    -
  • Support for TCP MSS Clamp to PMTU -- This support is usually required - when the internet connection is via PPPoE or PPTP and may be enabled - using the CLAMPMSS option in - /etc/shorewall/shorewall.conf.
  • -
- -

The following problems were corrected:

-
    -
  • The "shorewall status" command no longer hangs.
  • -
  • The "shorewall monitor" command now displays the icmpdef chain
  • -
  • The CLIENT PORT(S) column in tcrules is no longer ignored
  • -
- -

1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release

- -

Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF -distribution that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo -for details.

- -

1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2 -Shorewall Debian package is now available. There is a link to Lorenzo's site -from the Shorewall download page.

- -

1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version -restores the "shorewall status" command to health.

- -

1/8/2002 - Shorewall 1.2.2 Released

- -

In version 1.2.2

-
    -
  • Support for IP blacklisting has been added -
      -
    • You specify whether you want packets from blacklisted hosts dropped - or rejected using the BLACKLIST_DISPOSITION - setting in /etc/shorewall/shorewall.conf
    • -
    • You specify whether you want packets from blacklisted hosts logged - and at what syslog level using the BLACKLIST_LOGLEVEL setting in - /etc/shorewall/shorewall.conf
    • -
    • You list the IP addresses/subnets that you wish to blacklist in /etc/shorewall/blacklist
    • -
    • You specify the interfaces you want checked against the blacklist - using the new "blacklist" - option in /etc/shorewall/interfaces.
    • -
    • The black list is refreshed from /etc/shorewall/blacklist by the - "shorewall refresh" command.
    • -
    -
  • -
  • Use of TCP RST replies has been expanded  -
      -
    • TCP connection requests rejected because of a REJECT policy are now - replied with a TCP RST packet.
    • -
    • TCP connection requests rejected because of a protocol=all rule in - /etc/shorewall/rules are now replied with a TCP RST packet.
    • -
    -
  • -
  • A LOGFILE specification has - been added to /etc/shorewall/shorewall.conf. LOGFILE is used to tell the - /sbin/shorewall program where to look for Shorewall messages.
  • -
- -

1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates to -the previously-released samples. There are two new rules added:

-
    -
  • Unless you have explicitly enabled Auth connections (tcp port 113) to - your firewall, these connections will be REJECTED rather than DROPPED. - This speeds up connection establishment to some servers.
  • -
  • Orphan DNS replies are now silently dropped.
  • -
- -

See the README file for upgrade instructions.

- -

1/1/2002 - Shorewall Mailing List -Moving

- -

The Shorewall mailing list hosted at Sourceforge is moving to Shorewall.net. If -you are a current subscriber to the list at Sourceforge, please see these instructions. If -you would like to subscribe to the new list, visit http://www.shorewall.net/mailman/listinfo/shorewall-users.

- -

12/31/2001 - Shorewall 1.2.1 Released

- -

In version 1.2.1:

- - -

12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist -releasing 1.2 on 12/21/2001

- -

Version 1.2 contains the following new features:

- - -

For the next month or so, I will continue to provide corrections to -version 1.1.18 as necessary so that current version 1.1.x users will not be -forced into a quick upgrade to 1.2.0 just to have access to bug fixes.

- -

For those of you who have installed one of the Beta RPMS, you will need to -use the "--oldpackage" option when upgrading to 1.2.0:

- -
-

rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm

-
- -

12/19/2001 - Thanks to Steve -Cowles, there is now a Shorewall mirror in Texas. This web site is -mirrored at http://www.infohiiway.com/shorewall and the ftp site is at -ftp://ftp.infohiiway.com/pub/mirrors/shorewall. - 

- -

11/30/2001 - A new set of the parameterized Sample -Configurations has been released. In this version:

-
    -
  • Ping is now allowed between the zones.
  • -
  • In the three-interface configuration, it is now possible to configure - the internet services that are to be available to servers in the - DMZ. 
  • -
- -

11/20/2001 - The current version of Shorewall is 1.1.18. 

- -

In this version:

-
    -
  • The spelling of ADD_IP_ALIASES has been corrected in the shorewall.conf - file
  • -
  • The logic for deleting user-defined chains has been simplified so that - it avoids a bug in the LRP version of the 'cut' utility.
  • -
  • The /var/lib/lrpkg/shorwall.conf file has been corrected to properly - display the NAT entry in that file.
  • -
- -

11/19/2001 - Thanks to Juraj -Ontkanin, there is now a Shorewall mirror in the Slovak Republic. The -website is now mirrored at http://www.nrg.sk/mirror/shorewall and the FTP site is -mirrored at ftp://ftp.nrg.sk/mirror/shorewall.

- -

11/2/2001 - Announcing Shorewall Parameter-driven Sample -Configurations. There are three sample configurations:

-
    -
  • One Interface -- for a standalone system.
  • -
  • Two Interfaces -- A masquerading firewall.
  • -
  • Three Interfaces -- A masquerading firewall with DMZ.
  • -
- -

Samples may be downloaded from ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 -. See the README file for instructions.

- -

11/1/2001 - The current version of Shorewall is 1.1.17.  I -intend this to be the last of the 1.1 Shorewall releases.

- -

In this version:

- - -

10/22/2001 - The current version of Shorewall is 1.1.16. In this -version:

-
    -
  • A new "shorewall show connections" command has been added.
  • -
  • In the "shorewall monitor" output, the currently tracked connections - are now shown on a separate page.
  • -
  • Prior to this release, Shorewall unconditionally added the external IP - adddress(es) specified in /etc/shorewall/nat. Beginning with version - 1.1.16, a new parameter (ADD_IP_ALIASES) may be set to "no" - (or "No") to inhibit this behavior. This allows IP aliases created using - your distribution's network configuration tools to be used in static - NAT. 
  • -
- -

10/15/2001 - The current version of Shorewall is 1.1.15. In this -version:

-
    -
  • Support for nested zones has been improved. See the documentation for details
  • -
  • Shorewall now correctly checks the alternate configuration directory - for the 'zones' file.
  • -
- -

10/4/2001 - The current version of Shorewall is 1.1.14. In this -version

-
    -
  • Shorewall now supports alternate configuration directories. When an - alternate directory is specified when starting or restarting Shorewall - (e.g., "shorewall -c /etc/testconf restart"), Shorewall will first look - for configuration files in the alternate directory then in - /etc/shorewall. To create an alternate configuration simply:
    - 1. Create a New Directory
    - 2. Copy to that directory any of your configuration files that you want - to change.
    - 3. Modify the copied files as needed.
    - 4. Restart Shorewall specifying the new directory.
  • -
  • The rules for allowing/disallowing icmp echo-requests (pings) are now - moved after rules created when processing the rules file. This allows you - to add rules that selectively allow/deny ping based on source or - destination address.
  • -
  • Rules that specify multiple client ip addresses or subnets no longer - cause startup failures.
  • -
  • Zone names in the policy file are now validated against the zones - file.
  • -
  • If you have packet - mangling support enabled, the "norfc1918" interface option now - logs and drops any incoming packets on the interface that have an RFC - 1918 destination address.
  • -
- -

9/12/2001 - The current version of Shorewall is 1.1.13. In this -version

-
    -
  • Shell variables can now be used to parameterize Shorewall rules.
  • -
  • The second column in the hosts file may now contain a comma-separated - list.
    -
    - Example:
    -     sea    - eth0:130.252.100.0/24,206.191.149.0/24
  • -
  • Handling of multi-zone interfaces has been improved. See the documentation for the - /etc/shorewall/interfaces file.
  • -
- -

8/28/2001 - The current version of Shorewall is 1.1.12. In this -version

-
    -
  • Several columns in the rules file may now contain comma-separated - lists.
  • -
  • Shorewall is now more rigorous in parsing the options in - /etc/shorewall/interfaces.
  • -
  • Complementation using "!" is now supported in rules.
  • -
- -

7/28/2001 - The current version of Shorewall is 1.1.11. In this -version

-
    -
  • A "shorewall refresh" command has been added to allow for refreshing - the rules associated with the broadcast address on a dynamic interface. - This command should be used in place of "shorewall restart" when the - internet interface's IP address changes.
  • -
  • The /etc/shorewall/start file (if any) is now processed after all - temporary rules have been deleted. This change prevents the accidental - removal of rules added during the processing of that file.
  • -
  • The "dhcp" interface option is now applicable to firewall interfaces - used by a DHCP server running on the firewall.
  • -
  • The RPM can now be built from the .tgz file using "rpm -tb" 
  • -
- -

7/6/2001 - The current version of Shorewall is 1.1.10. In this -version

-
    -
  • Shorewall now enables Ipv4 Packet Forwarding by default. Packet - forwarding may be disabled by specifying IP_FORWARD=Off in - /etc/shorewall/shorewall.conf. If you don't want Shorewall to enable or - disable packet forwarding, add IP_FORWARDING=Keep to your - /etc/shorewall/shorewall.conf file.
  • -
  • The "shorewall hits" command no longer lists extraneous service names - in its last report.
  • -
  • Erroneous instructions in the comments at the head of the firewall - script have been corrected.
  • -
- -

6/23/2001 - The current version of Shorewall is 1.1.9. In this -version

-
    -
  • The "tunnels" file really is in the RPM now.
  • -
  • SNAT can now be applied to port-forwarded connections.
  • -
  • A bug which would cause firewall start failures in some dhcp - configurations has been fixed.
  • -
  • The firewall script now issues a message if you have the name of an - interface in the second column in an entry in /etc/shorewall/masq and - that interface is not up.
  • -
  • You can now configure Shorewall so that it doesn't require the NAT and/or mangle - netfilter modules.
  • -
  • Thanks to Alex  Polishchuk, the "hits" command from seawall is now - in shorewall.
  • -
  • Support for IPIP tunnels has been added.
  • -
- -

6/18/2001 - The current version of Shorewall is 1.1.8. In this -version

- - -

6/2/2001 - The current version of Shorewall is 1.1.7. In this -version

-
    -
  • The TOS rules are now deleted when the firewall is stopped.
  • -
  • The .rpm will now install regardless of which version of iptables is - installed.
  • -
  • The .rpm will now install without iproute2 being installed.
  • -
  • The documentation has been cleaned up.
  • -
  • The sample configuration files included in Shorewall have been - formatted to 80 columns for ease of editing on a VGA console.
  • -
- -

5/25/2001 - The current version of Shorewall is 1.1.6. In this -version

-
    -
  • You may now rate-limit the packet - log.
  • -
  • Previous versions of Shorewall have an implementation of Static NAT - which violates the principle of least surprise.  NAT only occurs for - packets arriving at (DNAT) or send from (SNAT) the interface named in the - INTERFACE column of /etc/shorewall/nat. Beginning with version 1.1.6, NAT - effective regardless of which interface packets come from or are destined - to. To get compatibility with prior versions, I have added a new "ALL "ALL INTERFACES"  column to - /etc/shorewall/nat. By placing "no" or "No" in the new column, the - NAT behavior of prior versions may be retained. 
  • -
  • The treatment of IPSEC Tunnels where - the remote gateway is a standalone system has been improved. - Previously, it was necessary to include an additional rule allowing UDP - port 500 traffic to pass through the tunnel. Shorewall will now create - this rule automatically when you place the name of the remote peer's zone - in a new GATEWAY ZONE column in /etc/shorewall/tunnels. 
  • -
- -

5/20/2001 - The current version of Shorewall is 1.1.5. In this -version

- - -

5/10/2001 - The current version of Shorewall is 1.1.4. In this -version

-
    -
  • Accepting RELATED connections is now - optional.
  • -
  • Corrected problem where if "shorewall start" aborted early (due to - kernel configuration errors for example), superfluous 'sed' error - messages were reported.
  • -
  • Corrected rules generated for port redirection.
  • -
  • The order in which iptables kernel modules are loaded has been - corrected (Thanks to Mark Pavlidis). 
  • -
- -

4/28/2001 - The current version of Shorewall is 1.1.3. In this -version

-
    -
  • Correct message issued when Proxy ARP address added (Thanks to Jason - Kirtland).
  • -
  • /tmp/shorewallpolicy-$$ is now removed if there is an error while - starting the firewall.
  • -
  • /etc/shorewall/icmp.def and /etc/shorewall/common.def are now used to - define the icmpdef and common chains unless overridden by the presence of - /etc/shorewall/icmpdef or /etc/shorewall/common.
  • -
  • In the .lrp, the file /var/lib/lrpkg/shorwall.conf has been corrected. - An extra space after "/etc/shorwall/policy" has been removed and - "/etc/shorwall/rules" has been added.
  • -
  • When a sub-shell encounters a fatal error and has stopped the firewall, - it now kills the main shell so that the main shell will not continue.
  • -
  • A problem has been corrected where a sub-shell stopped the firewall and - main shell continued resulting in a perplexing error message referring to - "common.so" resulted.
  • -
  • Previously, placing "-" in the PORT(S) column in /etc/shorewall/rules - resulted in an error message during start. This has been corrected.
  • -
  • The first line of "install.sh" has been corrected -- I had - inadvertently deleted the initial "#".
  • -
- -

4/12/2001 - The current version of Shorewall is 1.1.2. In this -version

-
    -
  • Port redirection now works again.
  • -
  • The icmpdef and common chains may - now be user-defined.
  • -
  • The firewall no longer fails to start if "routefilter" is specified for - an interface that isn't started. A warning message is now issued in this - case.
  • -
  • The LRP Version is renamed "shorwall" for 8,3 MSDOS file system - compatibility.
  • -
  • A couple of LRP-specific problems were corrected.
  • -
- -

4/8/2001 - Shorewall is now affiliated with the Leaf Project

- -

4/5/2001 - The current version of Shorewall is 1.1.1. In this -version:

-
    -
  • The common chain is traversed from INPUT, OUTPUT and FORWARD before - logging occurs
  • -
  • The source has been cleaned up dramatically
  • -
  • DHCP DISCOVER packets with RFC1918 source addresses no longer generate - log messages. Linux DHCP clients generate such packets and it's annoying - to see them logged. 
  • -
- -

3/25/2001 - The current version of Shorewall is 1.1.0. In this -version:

-
    -
  • Log messages now indicate the packet disposition.
  • -
  • Error messages have been improved.
  • -
  • The ability to define zones consisting of an enumerated set of hosts - and/or subnetworks has been added.
  • -
  • The zone-to-zone chain matrix is now sparse so that only those chains - that contain meaningful rules are defined.
  • -
  • 240.0.0.0/4 and 169.254.0.0/16 have been added to the source - subnetworks whose packets are dropped under the norfc1918 - interface option.
  • -
  • Exits are now provided for executing an user-defined script when a - chain is defined, when the firewall is initialized, when the firewall is - started, when the firewall is stopped and when the firewall is - cleared.
  • -
  • The Linux kernel's route filtering facility can now be specified - selectively on network interfaces.
  • -
- -

3/19/2001 - The current version of Shorewall is 1.0.4. This -version:

-
    -
  • Allows user-defined zones. Shorewall now has only one pre-defined zone - (fw) with the remaining zones being defined in the new configuration file - /etc/shorewall/zones. The /etc/shorewall/zones file released in this - version provides behavior that is compatible with Shorewall - 1.0.3. 
  • -
  • Adds the ability to specify logging in entries in the - /etc/shorewall/rules file.
  • -
  • Correct handling of the icmp-def chain so that only ICMP packets are - sent through the chain.
  • -
  • Compresses the output of "shorewall monitor" if awk is installed. - Allows the command to work if awk isn't installed (although it's not - pretty).
  • -
- -

3/13/2001 - The current version of Shorewall is 1.0.3. This is a -bug-fix release with no new features.

-
    -
  • The PATH variable in the firewall script now includes /usr/local/bin - and /usr/local/sbin.
  • -
  • DMZ-related chains are now correctly deleted if the DMZ is deleted.
  • -
  • The interface OPTIONS for "gw" interfaces are no longer ignored.
  • -
- -

3/8/2001 - The current version of Shorewall is 1.0.2. It supports an -additional "gw" (gateway) zone for tunnels and it supports IPSEC tunnels with -end-points on the firewall. There is also a .lrp available now.

- - diff --git a/web/search.html b/web/search.html deleted file mode 100644 index ffefe00f7..000000000 --- a/web/search.html +++ /dev/null @@ -1,78 +0,0 @@ - - - - - - - ht://Dig WWW Search - - - - -

Shorewall Site Searches

-
- This search will allow you to search the contents of all the - publicly available WWW documents at shorewall.net. - Currently searches only the shorewall.net mirror in Washington - State, USA. - -
-
- - - - - - - - -
- -
-
-
-
-
- -

This search will allow you to search the contents of the - Mailing List Archives at shorewall.net. Currently - searches at the main shorewall.net site only.

- -
-
- - - - - - - - -
- -
-
-
-
- -


-

-
-
- - - diff --git a/web/shoreline.htm b/web/shoreline.htm deleted file mode 100644 index ba26cb2f1..000000000 --- a/web/shoreline.htm +++ /dev/null @@ -1,119 +0,0 @@ - - - - - About the Shorewall Author - - - - -

Tom Eastep

-
-Open Source Software is not free; it -comes -at a very high cost.
-
--
Wietse Venema
-
-
-The painful task of thinking belongs -to -me.
-
--
Baron George Brydges Rodney
-
-Perfection in design is achieved not -when -there is nothing left to add, but rather when there is nothing left to -take -away.
-
-
-
- - Antoine de Saint-Exupery
-
-
-
-
-
Nothing -is foolproof to a -sufficiently-talented fool
-
-
-
-
- Anonymous
-
-Still, it is an error to argue in -front of your data. You find yourself insensibly twisting them round to -fit your theories.
-
-
- Holmes to Watson, "The -Adventure of Wisteria Lodge", Arthur Conan Doyle
-
-Copyright © 2001-2008 Thomas M. Eastep
-
-
-
-
-
-
-

Permission is granted to copy, distribute and/or modify this -document -under the terms of the GNU Free Documentation License, Version 1.2 or -any -later version published by the Free Software Foundation; with no -Invariant -Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of -the -license is included in the section entitled “GNU Free Documentation -License”.
-

-

2008-12-21
-

-
-

Tom, his dog, and his new car - May 2006

-
-"Tom, his dog Tipper, and his new car" -- May 2006
-
-


-

- -

I am currently an architect in the Open System Services development -group -within the NonStop Enterprise Division of HP.
-

-

I became interested in Internet Security when I established a home -office -in 1999 and had DSL service installed in our home. I investigated -ipchains -and developed the scripts which are now collectively known as Seattle Firewall. Expanding -on what -I learned from Seattle Firewall, I then designed and wrote Shorewall.

-

I telework from our home -in Shoreline, -Washington -where I live with my wife Tarry. 

-

For information about our home network see my Shorewall Configuration files.

-
- - diff --git a/web/shorewall.css b/web/shorewall.css deleted file mode 100644 index 74249ca9f..000000000 --- a/web/shorewall.css +++ /dev/null @@ -1,47 +0,0 @@ -/* CSS stylesheet for the upcoming new shorewall website - -Author : Cristian Rodriguez webmaster@shorewall.net - -*/ - -HTML {background: rgb(51, 102, 255); } - -BODY { - -background: rgb(51, 102, 255); -margin: 0em; - -} - -.menu { - -font-family : Verdana, Eyechart, Geneva, Arial, Helvetica, sans-serif; -color : white; -font-weight: bold; -font-size: small; -padding: 4px; -} - -.submenu { - -font-family : Verdana, Eyechart, Geneva, Arial, Helvetica, sans-serif; -color : white; -font-size: small; -padding: 4px; - -} - -.copyright - -{ - -text-align: left; -color: white; -font-family: Verdana, Eyechart, Geneva, Arial, Helvetica, sans-serif; -font-size: xx-small; -} - -A:link {color: white; text-decoration: none } -A:active {color: white;text-decoration: none} -A:hover {color: white; text-decoration: underline; } -A:visited {color: #E9E9E9; text-decoration: none; } diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm deleted file mode 100644 index a8b23178b..000000000 --- a/web/shorewall_index.htm +++ /dev/null @@ -1,214 +0,0 @@ - - - - - Shoreline Firewall (Shorewall) - - - - - -
- - - - - - - - - - - - - -
Current Shorewall Releases
-
Getting Started with Shorewall
-
Looking for Information?
-
What is Shorewall?
-
License
-
Donations
-
Logo
-
Copyright
-
-
2009-08-17
-

No -Shorewall-shell in Shorewall 4.4 -- read the details
-

-

Current Shorewall Releases

- - - - - - - - - - - - - - - - - - - - - -
-
Current -Stable Release
-
-
4.4.0Release -notes Known -Problems
-
Previous -Stable Release
-
-
4.2.10
-
Release -Notes
-
Known -Problems
-
-
Development -Release
-
-
No -current development release
-

-

-
-

Read more about the Shorewall 4.x -releases here. Get them from the download -sites

-

Getting Started with Shorewall

-

New to Shorewall? Download the current -Stable -version (see above) then select the QuickStart Guide that most -closely -matches your environment and follow the step by step instructions.

-

Looking for Information?

-

The Documentation -Index is a good place to start as -is the Site Search in the frame above.

-

What is Shorewall?
-

-

For a high level description of -Shorewall, see the Introduction to -Shorewall. To review Shorewall functionality, see the Features Page.
-

-

License

-

This program is free software; you can -redistribute it and/or modify it under the terms of Version 2 of the GNU -General -Public License as published by the Free Software Foundation.

-

This program is distributed in the hope -that -it will be useful, but WITHOUT ANY WARRANTY; without even the implied -warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See -the GNU -General Public License for more detail.

-

You should have received a copy of the -GNU -General Public License along with this program; if not, write to the -Free -Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA -02110-1301 USA.

-

Permission is granted to copy, -distribute -and/or modify this document under the terms of the GNU Free -Documentation -License, Version 1.2 or any later version published by the Free -Software -Foundation; with no Invariant Sections, with no Front-Cover, and with -no -Back-Cover Texts. A copy of the license is included in the section -entitled -"GNU Free Documentation License"

-

Donations

-
(Alzheimer's Association Logo)(Starlight Foundation Logo)Shorewall -is free but if you try it and -find it useful, please consider making a donation to the Alzheimer's Association -or to -the Starlight -Children's -Foundation.
-
-


-

-
Thank You
-

Logo

-

The Shorewall -Logo is the work of Gareth Davies of Thusa and is licensed under the -Creative -Commons -Attribution-Share Alike 2.5 South Africa License. To view a copy of -this -licence, visit http://creativecommons.org/licenses/by-sa/2.5/za/ -or send a -letter to Creative Commons, 171 Second Street, Suite 300, San -Francisco, -California 94105, USA.
-

-

Copyright

-
Copyright © 2001-2009 Thomas M. -Eastep -
-
-
Permission is granted to copy, -distribute and/or modify -this -document -under the terms of the GNU Free Documentation License, Version 1.2 or -any -later version published by the Free Software Foundation; with no -Invariant -Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of -the -license is included in the section entitled "GNU Free Documentation License".
-


-

- - diff --git a/web/shorewall_index.html b/web/shorewall_index.html deleted file mode 100644 index fe20fa8de..000000000 --- a/web/shorewall_index.html +++ /dev/null @@ -1,34 +0,0 @@ - - - - - - - - Shoreline Firewall - - - - - - - - - - - - - - - <body> - <p>This page uses frames, but your browser doesn't support - them.</p> - </body> - - - - diff --git a/web/shorewall_mirrors.htm b/web/shorewall_mirrors.htm deleted file mode 100644 index f8e866831..000000000 --- a/web/shorewall_mirrors.htm +++ /dev/null @@ -1,147 +0,0 @@ - - - - - Shorewall Mirrors - - - - - - -

Shorewall Mirrors
-

-
-

2009-08-26

-

Remember that updates to the mirrors are often -delayed for -6-12 hours after an update to the primary site. The primary site has a -very low bandwidth so we -encourage -you to use a mirror site whenever possible.
-

-

The primary web site is http://www1.shorewall.net -(Shoreline, Washington, -USA).
-

-

It -is mirrored via rsync at:

- - - - - - - - - - - - - - - - - - - - - - - - - - - -
North -America
-
http://[www.]shorewall.net -(Seattle Washington, USA)
South -America
-
http://argentina.shorewall.net -(Argentina)
Europe
-
http://slovakia.shorewall.net -(Slovak Republic)

-
http://shorewall.ru -(Moscow, -Russia)
Asia
-
Volunteers, anyone?
-
Australia
-
http://www.shorewall.com.au -(Australia) Downloads Only
-
-The primary FTP site is ftp://ftp1.shorewall.net/pub/shorewall/  -(Shoreline, -Washington, USA). It is mirrored via rsync at:
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
North -America
-
ftp://[ftp.]shorewall.net -(Seattle, Washington, USA)
South -AmericaVolunteers, anyone?
-
Europe
-
ftp://slovakia.shorewall.net/mirror/shorewall -(Slovak Republic)

-
ftp://shorewall.ru -(Moscow, -Russia)

-
http://shorewall.de/pub/shorewall/ -(Frankfurt/Main, Germany)
AsiaVolunteers, anyone?
AustraliaVolunteers, anyone?
-
-
Copyright © 2001-2009 Thomas M . -Eastep -

Permission is granted to copy, distribute and/or modify this -document -under the terms of the GNU Free Documentation License, Version 1.2 or -any -later version published by the Free Software Foundation; with no -Invariant -Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of -the -license is included in the section entitled “GNU Free Documentation License”.

- - diff --git a/web/support.html b/web/support.html deleted file mode 100644 index dd44a51d4..000000000 --- a/web/support.html +++ /dev/null @@ -1,72 +0,0 @@ - - - - - - Shorewall Support - - -

Shorewall Support
-

-Tom Eastep
-
-
Copyright © 2005,2006,2007 Thomas M. Eastep
-

Permission is granted to copy, distribute and/or modify this -document under the terms of the GNU Free Documentation License, Version -1.2 or any later version published by the Free Software Foundation; -with no Invariant Sections, with no Front-Cover, and with no Back-Cover -Texts. A copy of the license is included in the section entitled “GNU Free -Documentation License”.
-

-

2007-02-09
-

-
-

Self-Help Resources

- -

Errata

-
    -
  • At each download site (with the exception of SourceForge), the -directory for each release contains the following:
  • -
      -
    • A known_problems.txt -file that details the problems found in that release
    • -
    • An errata directory -containing updated Shorewall components that correct problems described -in the known_problems.txt file.
    • -
    -
  • If you are not running the latest minor release, be sure to check -the releases newer than yours to see if your issue has been addressed -in a later version.
    -
  • -
-

Getting Help

- - -