diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 29425d6ba..c8972d1cb 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,13 +1,4 @@
-Changes since 1.4.2
+Changes since 1.4.3a
-1. The 'add' and 'delete' commands no longer leave behind a temporary
- directory in /tmp.
-
-2. Added support for 6to4 tunnels.
-
-3. Added $LOGMARKER for fireparse support
-
-4. Return more appropriate ICMP responses if the systems supports them.
-
-5. Silently drop UDP 135 in common.def.
+1. Implement REDIRECT-.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index b20fc8b84..80d17cbaf 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -2123,6 +2123,17 @@ process_rule() # $1 = target
 servers="$FW::$servers"
 fi
 ;;
+ REDIRECT-)
+ target=ACCEPT
+ logtarget=REDIRECT
+ dnat_only=Yes
+ address=${address:=all}
+ if [ "x-" = "x$servers" ]; then
+ servers=$FW
+ else
+ servers="$FW::$servers"
+ fi
+ ;;
 esac
 # Parse and validate source
@@ -2263,7 +2274,7 @@ process_rules() # $1 = name of rules file
 while read xtarget xclients xservers xprotocol xports xcports xaddress; do
 case "${xtarget%:*}" in
- ACCEPT|DROP|REJECT|DNAT|DNAT|DNAT-|REDIRECT|LOG|CONTINUE)
+ ACCEPT|DROP|REJECT|DNAT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE)
 expandv xclients xservers xprotocol xports xcports xaddress
 if [ "x$xclients" = xall ]; then
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 48c70abe5..3ea891ac3 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
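Review bot: The new `REDIRECT-` arm repeats the servers handling of the arm directly above it (whose tail `servers="$FW::$servers"` / `fi` / `;;` is this hunk's leading context), and `address=${address:=all}` assigns inside the expansion and then assigns again outside it, so the plain default form `address=${address:-all}` says what is meant. If the preceding arm is the `REDIRECT` case, as its tail suggests, the two could share one `REDIRECT|REDIRECT-)` arm that sets `dnat_only=Yes` only for `REDIRECT-`, mirroring however `DNAT`/`DNAT-` are handled elsewhere in process_rule. Whether `dnat_only=Yes` actually suppresses the filter-table ACCEPT rule is decided further down, outside this hunk; a comment at the point it is set, such as `# only the nat-table REDIRECT rule is generated; the rules-file author must add any filter ACCEPT`, would make that intent visible where a reader first meets it. process_rule starts before and continues after the hunk.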
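Review bot: The pattern list on the changed line still names `DNAT` twice (`DNAT|DNAT|DNAT-`); since the line is being edited to add `REDIRECT-` anyway, the duplicate could be dropped at the same time: `ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE)`. The selector `"${xtarget%:*}"` strips any trailing `:suffix` before matching, so `REDIRECT-` entries carrying such a suffix reach this arm like the other targets do, which looks intended. The enclosing `while read` loop and process_rules continue past the hunk.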
@@ -2,36 +2,10 @@ This is a minor release of Shorewall.
 Problems Corrected:
-1) There were several cases where Shorewall would fail to remove a
- temporary directory from /tmp. These cases have been corrected.
-
-2) The rules for allowing all traffic via the loopback interface have
- been moved to before the rule that drops status=INVALID
- packets. This insures that all loopback traffic is allowed even if
- Netfilter connection tracking is confused.
-
 New Features:
-1) IPV6-IPV4 (6to4) tunnels are now supported in the
- /etc/shorewall/tunnels file.
+1) A REDIRECT- rule target has been added. This target behaves for
+ REDIRECT in the same was as DNAT- does for DNAT in that the
+ Netfilter nat table REDIRECT rule is added but not the companion
+ filter table ACCEPT rule.
-2) Shorewall can now be easily integrated with fireparse
- (http://www.fireparse.com) by setting LOGMARKER="fp=" in
- /etc/shorewall/shorewall.conf. Note: You may not use ULOG
- with fireparse unless you modify fireparse.
-
-3) If you are running iptables 1.2.7a and kernel 2.4.20, then
- Shorewall will return reject replies as follows:
-
- a) tcp - RST
- b) udp - ICMP port unreachable
- c) icmp - ICMP host unreachable
- d) Otherwise - ICMP host prohibited
-
- If you are running earlier software, Shorewall will follow it's
- traditional convention:
-
- a) tcp - RST
- b) Otherwise - ICMP port unreachable
-
-4) UDP Port 135 is now silently dropped in the common.def chain.
diff --git a/Shorewall/rules b/Shorewall/rules
index e658a9e9f..2ff32024f 100755
--- a/Shorewall/rules
+++ b/Shorewall/rules
@@ -31,6 +31,11 @@
 # the companion ACCEPT rule.
 # REDIRECT -- Redirect the request to a local
 # port on the firewall.
+# REDIRECT-
+# -- Advanced users only.
+# Like REDIRET but only generates the
+# REDIRECT iptables rule and not
+# the companion ACCEPT rule.
 # CONTINUE -- (For experts only). Do not process
 # any of the following rules for this
 # (source zone,destination zone). If
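Review bot: The new comment block misspells the target it describes — `# Like REDIRET but only generates the` should read `# Like REDIRECT but only generates the`. As this is the only in-file documentation of `REDIRECT-`, it would also help to state the consequence the release notes spell out, for example appending `# a filter ACCEPT rule must be added separately.` after `# the companion ACCEPT rule.`, so a reader knows that the redirected traffic is not accepted by this rule alone.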