Shorewall 1.4.9

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1081 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-01-13 22:33:26 +00:00
parent 8b205571f0
commit e30c2a7ec8
6 changed files with 143 additions and 41 deletions

View File

@ -9,7 +9,7 @@
<h1 style="text-align: left;">Shorewall News Archive</h1>
<span style="font-weight: bold;">Tom Eastep<br>
<br>
</span>Copyright © 2001-2003 Thomas M. Eastep<br>
</span>Copyright © 2001-2004 Thomas M. Eastep<br>
<p>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation;
@ -18,9 +18,116 @@ Texts. A copy of the license is included in the section entitled “<span
class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free
Documentation License</a></span>”.<br>
</p>
<p>2003-12-31<br>
<p>2004-01-13<br>
</p>
<hr style="width: 100%; height: 2px;">
<p><b>1/13/2004 - Shorewall 1.4.9</b><b><br>
</b></p>
<p>Problems Corrected since version 1.4.8:<br>
</p>
<ol>
<li>There has been a low continuing level of confusion over the
terms "Source NAT" (SNAT) and "Static NAT". To avoid future
confusion, all instances of "Static NAT" have been replaced with
"One-to-one NAT" in the documentation and configuration files.</li>
<li>The description of NEWNOTSYN in shorewall.conf has been
reworded for clarity.</li>
<li>Wild-card rules (those involving "all" as SOURCE or DEST)
will
no longer produce an error if they attempt to add a rule that would
override a NONE policy. The logic for expanding these wild-card
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
policy.</li>
<li>DNAT rules that also specified SNAT now work reliably.
Previously,
there were cases where the SNAT specification was effectively ignored.</li>
</ol>
<p>Migration Issues:<br>
<br>
&nbsp;&nbsp;&nbsp; None.<br>
<br>
New Features:<br>
</p>
<ol>
<li>The documentation has been completely rebased to Docbook
XML. The
documentation is now released as separate HTML and XML packages.</li>
<li>To cut down on the number of "Why are these ports closed
rather
than stealthed?" questions, the SMB-related rules in
/etc/shorewall/common.def have been changed from 'reject' to
'DROP'.</li>
<li>For easier identification, packets logged under the
'norfc1918'
interface option are now logged out of chains named 'rfc1918'.
Previously, such packets were logged under chains named
'logdrop'.</li>
<li>Distributors and developers seem to be regularly inventing
new
naming conventions for kernel modules. To avoid the need to change
Shorewall code for each new convention, the MODULE_SUFFIX option
has been added to shorewall.conf. MODULE_SUFFIX may be set to the
suffix for module names in your particular distribution. If
MODULE_SUFFIX is not set in shorewall.conf, Shorewall will use the
list "o gz ko o.gz".<br>
<br>
To see what suffix is used by your distribution:<br>
<br>
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br>
<br>
All of the files listed should have the same suffix (extension).
Set MODULE_SUFFIX to that suffix.<br>
<br>
Examples:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kzo" then set
MODULE_SUFFIX="kzo"<br>
&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kz.o" then set
MODULE_SUFFIX="kz.o"</li>
<li>Support for user defined rule ACTIONS has been implemented
through two new files:<br>
<br>
/etc/shorewall/actions - used to list the user-defined ACTIONS.<br>
/etc/shorewall/action.template - For each user defined
&lt;action&gt;, copy this file to
/etc/shorewall/action.&lt;action&gt; and add the appropriate rules
for that &lt;action&gt;. Once an &lt;action&gt; has been defined,
it may be used like any of the builtin ACTIONS (ACCEPT, DROP, etc.)
in /etc/shorewall/rules.<br>
<br>
Example: You want an action that logs a packet at the 'info' level
and accepts the connection.<br>
<br>
In /etc/shorewall/actions, you would add:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
<br>
You would then copy /etc/shorewall/action.template to
/etc/shorewall/action.LogAndAccept and in that file, you would add the
two
rules:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT</li>
<li>The default value for NEWNOTSYN in shorewall.conf is now
"Yes" (non-syn
TCP packets that are not part of an existing connection are filtered
according to the rules and policies rather than being dropped). I have
made this change for two reasons:<br>
<br>
a) NEWNOTSYN=No tends to result in lots of "stuck" connections since
any timeout during TCP session tear down results in the firewall
dropping all of the retries.<br>
<br>
b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
lots of confusing messages when a connection got "stuck". While I could
have changed the default value of LOGNEWNOTSYN to suppress logging, I
dislike defaults that silently throw away packets.</li>
<li>The common.def file now contains an entry that silently drops
ICMP
packets with a null source address. Ad Koster reported a case where
these were occuring frequently as a result of a broken system on his
external network.</li>
</ol>
<p><b>12/29/2003 - Shorewall 1.4.9 Beta 2</b><b> </b></p>
<div style="margin-left: 40px;"><a
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
@ -98,7 +205,8 @@ In /etc/shorewall/actions, you would add:<br>
&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
<br>
You would then copy /etc/shorewall/action.template to
/etc/shorewall/LogAndAccept and in that file, you would add the two
/etc/shorewall/action.LogAndAccept and in that file, you would add the
two
rules:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT<br>
@ -194,7 +302,8 @@ In /etc/shorewall/actions, you would add:<br>
&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
<br>
You would then copy /etc/shorewall/action.template to
/etc/shorewall/LogAndAccept and in that file, you would add the two
/etc/shorewall/action.LogAndAccept and in that file, you would add the
two
rules:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT<br>

View File

@ -45,9 +45,6 @@ Repository</a></li>
</tr>
</tbody>
</table>
<p> <a href="http://validator.w3.org/check/referer"><img
src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0!"
height="31" width="88"></a> </p>
<p><a href="copyright.htm"><font size="2">Copyright © 2001-2004 Thomas
M. Eastep.</font></a><br>
</p>

View File

@ -11,7 +11,7 @@
<h1 style="text-align: left;">Shorewall Download</h1>
<span style="font-weight: bold;">Tom Eastep<br>
<br>
</span>Copyright ©&nbsp; 2001-2003 Thomas M. Eastep<span
</span>Copyright ©&nbsp; 2001-2004 Thomas M. Eastep<span
style="font-weight: bold;"><br>
</span>
<p>Permission is granted to copy, distribute and/or modify this
@ -22,7 +22,7 @@ Texts. A copy of the license is included in the section entitled “<span
class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free
Documentation License</a></span>”.<br>
</p>
<p>2003-12-30<br>
<p>2004-01-13<br>
</p>
<hr style="width: 100%; height: 2px;">
<p><b>I strongly urge you to read and print a copy of the <a
@ -38,9 +38,9 @@ at:</p>
&nbsp;&nbsp;&nbsp; <a
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the
.tgz
packages below.</p>
<p>The documentation in both XML and HTML formats is also available for
download from the Download Sites listed in the table below.<br>
</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p>
<ul>
@ -53,8 +53,8 @@ chkconfig or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that I can mention
them here. See the <a href="Install.htm">Installation Instructions</a>
if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also
want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you are running LRP, download the .lrp file.<br>
</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
would like a .deb package, Shorewall is included in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
@ -63,15 +63,8 @@ Testing Branch</a> and the <a
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
</ul>
<p>The documentation in HTML format is included in the .tgz and .rpm
files and there is an documentation .deb that also contains the
documentation.&nbsp;&nbsp;The .rpm will install the documentation in
your default document directory which can be obtained using the
following command:<br>
</p>
<blockquote>
<p><font color="#009900"><b>rpm --eval '%{_defaultdocdir}'</b></font></p>
</blockquote>
<p>You will probably also want to download the HTML version of the
documentation for easy reference.</p>
<p>Please check the <font color="#ff0000"> <a href="errata.htm">
errata</a></font> to see if there are updates that apply to the version
that you have downloaded.</p>

View File

@ -78,7 +78,7 @@ any later version published by the Free Software Foundation; with no
Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
A copy of the license is included in the section entitled <a>"GNU Free
Documentation License"</a>.
<p>Copyright © 2001-2003 Thomas M. Eastep </p>
<p>Copyright © 2001-2004 Thomas M. Eastep </p>
<h3>Running Shorewall on Mandrake with a two-interface setup?</h3>
If so, the documentation <b></b>on this site will not apply directly
to your setup. If you want to use the documentation that you find here,
@ -87,14 +87,10 @@ setup that matches the documentation on this site. See the <a
href="two-interface.htm">Two-interface QuickStart Guide</a> for
details.<br>
<h2>News</h2>
<p><b>12/29/2003 - Shorewall 1.4.9 Beta 2 </b><b><img alt="(New)"
<p><b>1/13/2004 - Shorewall 1.4.9 </b><b><img alt="(New)"
src="images/new10.gif"
style="border: 0px solid ; width: 28px; height: 12px;" title=""></b><b>
</b></p>
<div style="margin-left: 40px;"><a
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a>
</div>
<p>Problems Corrected since version 1.4.8:</p>
<ol>
<li>There has been a low continuing level of confusion over the
@ -167,7 +163,8 @@ In /etc/shorewall/actions, you would add:<br>
&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
<br>
You would then copy /etc/shorewall/action.template to
/etc/shorewall/LogAndAccept and in that file, you would add the two
/etc/shorewall/action.LogAndAccept and in that file, you would add the
two
rules:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT<br>
@ -184,7 +181,11 @@ dropping all of the retries.<br>
b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
lots of confusing messages when a connection got "stuck". While I could
have changed the default value of LOGNEWNOTSYN to suppress logging, I
dislike defaults that silently throw away packets.<br>
dislike defaults that silently throw away packets.</li>
<li>The common.def file now contains an entry that silently
drops ICMP packets with a null source address. Ad Koster reported a
case where these were occuring frequently as a result of a broken
system on his external network.<br>
<br>
</li>
</ol>
@ -233,7 +234,7 @@ Children's Foundation</a>. Thanks!</big><br>
</tbody>
</table>
</div>
<p><font size="2">Updated 12/29/2003 - <a href="support.htm">Tom Eastep</a></font><br>
<p><font size="2">Updated 01/13/2004 - <a href="support.htm">Tom Eastep</a></font><br>
</p>
</body>
</html>

View File

@ -9,7 +9,7 @@
</head>
<frameset rows="90,*">
<frame name="banner" scrolling="no" noresize target="contents" src="Shorewall_Banner.htm">
<frame name="banner" scrolling="no" noresize target="contents" src="Banner.html">
<frameset cols="262,*">
<frame name="contents" target="main" src="Shorewall_index_frame.htm">
<frame name="main" src="seattlefirewall_index.htm" target="_self">

View File

@ -64,7 +64,7 @@ document under the terms of the GNU Free Documentation License, Version
with no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled <a>"GNU
Free Documentation License"</a>.</p>
<p>Copyright © 2001-2003 Thomas M. Eastep </p>
<p>Copyright © 2001-2004 Thomas M. Eastep </p>
<h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of
Shorewall. For older versions:<br>
@ -92,14 +92,10 @@ and installing a setup that matches the documentation on this site.
See the <a href="two-interface.htm">Two-interface QuickStart
Guide</a> for details.
<h2><b>News</b></h2>
<p><b>12/29/2003 - Shorewall 1.4.9 Beta 2</b> <b><img
<p><b>1/13/2004 - Shorewall 1.4.9</b> <b><img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""><br>
</b></p>
<div style="margin-left: 40px;"><a
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
</div>
<p>Problems Corrected since version 1.4.8:<br>
</p>
<ol>
@ -180,7 +176,8 @@ In /etc/shorewall/actions, you would add:<br>
&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
<br>
You would then copy /etc/shorewall/action.template to
/etc/shorewall/LogAndAccept and in that file, you would add the two
/etc/shorewall/action.LogAndAccept and in that file, you would add the
two
rules:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT</li>
@ -198,6 +195,11 @@ b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
lots of confusing messages when a connection got "stuck". While I could
have changed the default value of LOGNEWNOTSYN to suppress logging, I
dislike defaults that silently throw away packets.</li>
<li>The common.def file now contains an entry that silently
drops ICMP
packets with a null source address. Ad Koster reported a case where
these were occuring frequently as a result of a broken system on his
external network.</li>
</ol>
<p><b>12/28/2003 - www.shorewall.net/ftp.shorewall.net Back
On-line</b> <b><img alt="(New)" src="images/new10.gif"
@ -266,7 +268,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
</tr>
</tbody>
</table>
<p><font size="2">Updated 12/29/2003 - <a href="support.htm">Tom
<p><font size="2">Updated 01/13/2004 - <a href="support.htm">Tom
Eastep</a></font><br>
</p>
</body>