extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-02 02:49:54 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update release notes

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9557 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2009-02-27 16:52:31 +00:00
parent e6fa6a5153
commit d34d0a5dfa
1 changed files with 65 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
Shorewall/releasenotes.txt
View File

@ -4,7 +4,7 @@ Shorewall 4.3 is the development thread for Shorewall 4.4 which will be
released late in 2009. released late in 2009.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
R E L E A S E 4 . 4 H I G H L I G H T S R E L E A S E 4 . 3 H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Support for Shorewall-shell has been discontinued. Shorewall-perl 1) Support for Shorewall-shell has been discontinued. Shorewall-perl
@ -12,7 +12,14 @@ released late in 2009.
Shorewall package. Shorewall package.
2) The interfaces file OPTIONs have been extended to largely remove the 2) The interfaces file OPTIONs have been extended to largely remove the
need for the hosts file. need for the hosts file.
3) It is now possible to define PREROUTING and OUTPUT marking rules
that cause new connections to use the same provider as an existing
connection of the same kind.
4) Shorewall now supports NOTRACK rules (this feature will also be
released in Shorewall 4.2.7).
Problems corrected in 4.3.6 Problems corrected in 4.3.6
@ -47,12 +54,65 @@ None.
New Features in Shorewall 4.3.6 New Features in Shorewall 4.3.6
None. 1) To allow bypassing of connection tracking for certain traffic,
/etc/shorewall/notrack and /etc/shorewall6/notrack files have been
added.
New Features in Shorewall 4.4 Columns in the file are:
SOURCE - <zone>[:<interface>][:<address list>]
DEST - [<address list>]
PROTO - <protocol name or number>
DEST PORT(S) - <port number list>
SOURCE PORT(S) - <port number list>
USER/GROUP - [<user>][:<group>]
May only be specified if the SOURCE <zone> is $FW.
Traffic that matches all given criteria will not be subject to
connection tracking. For such traffic, your policies and/or rules
must deal with ALL of the packets involved, in both the original
and the opposite directions. All untracked traffic is passed
through the relevant rules in the NEW section of the rules
file. Untracked encapsulated tunnel traffic can be handled by
entries in /etc/shorewall/tunnels just like tracked traffic
is. Because every packet of an untracked connection must pass
through the NEW section rules, it is suggested that rules that deal
with untracked traffic should appear at the top of the file.
Example:
/etc/shorewall/tunnels:
#TYPE ZONE GATEWAY
6to4 net
/etc/shorewall/notrack
#SOURCE DEST PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP
net:!192.88.99.1 - 41
Given that 192.88.99.1 is an anycast address, many hosts can
respond to outward traffic to that address. The entry in
/etc/shorewall/tunnels allows protocol 41 net<->fw. The entry in
/etc/shorewall/notrack prevents the inbound traffic from creating
additional useless conntrack entries.
As part of this change, the 'show' command is enhanced to support a
'show raw' command that is an alias for 'show -t raw'. The raw
table is where NOTRACK rules are created. The dump command is also
enhanced to display the contents of the raw table.
New Features in Shorewall 4.3
1) The Shorewall packaging has been completely revamped in Shorewall 1) The Shorewall packaging has been completely revamped in Shorewall
4.4. 4.3.
The new packages are: The new packages are: