mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 06:38:53 +01:00
Shorewall 1.4.9
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1081 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
8b205571f0
commit
e30c2a7ec8
@ -9,7 +9,7 @@
|
||||
<h1 style="text-align: left;">Shorewall News Archive</h1>
|
||||
<span style="font-weight: bold;">Tom Eastep<br>
|
||||
<br>
|
||||
</span>Copyright © 2001-2003 Thomas M. Eastep<br>
|
||||
</span>Copyright © 2001-2004 Thomas M. Eastep<br>
|
||||
<p>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation;
|
||||
@ -18,9 +18,116 @@ Texts. A copy of the license is included in the section entitled “<span
|
||||
class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free
|
||||
Documentation License</a></span>”.<br>
|
||||
</p>
|
||||
<p>2003-12-31<br>
|
||||
<p>2004-01-13<br>
|
||||
</p>
|
||||
<hr style="width: 100%; height: 2px;">
|
||||
<p><b>1/13/2004 - Shorewall 1.4.9</b><b><br>
|
||||
</b></p>
|
||||
<p>Problems Corrected since version 1.4.8:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>There has been a low continuing level of confusion over the
|
||||
terms "Source NAT" (SNAT) and "Static NAT". To avoid future
|
||||
confusion, all instances of "Static NAT" have been replaced with
|
||||
"One-to-one NAT" in the documentation and configuration files.</li>
|
||||
<li>The description of NEWNOTSYN in shorewall.conf has been
|
||||
reworded for clarity.</li>
|
||||
<li>Wild-card rules (those involving "all" as SOURCE or DEST)
|
||||
will
|
||||
no longer produce an error if they attempt to add a rule that would
|
||||
override a NONE policy. The logic for expanding these wild-card
|
||||
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
|
||||
policy.</li>
|
||||
<li>DNAT rules that also specified SNAT now work reliably.
|
||||
Previously,
|
||||
there were cases where the SNAT specification was effectively ignored.</li>
|
||||
</ol>
|
||||
<p>Migration Issues:<br>
|
||||
<br>
|
||||
None.<br>
|
||||
<br>
|
||||
New Features:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>The documentation has been completely rebased to Docbook
|
||||
XML. The
|
||||
documentation is now released as separate HTML and XML packages.</li>
|
||||
<li>To cut down on the number of "Why are these ports closed
|
||||
rather
|
||||
than stealthed?" questions, the SMB-related rules in
|
||||
/etc/shorewall/common.def have been changed from 'reject' to
|
||||
'DROP'.</li>
|
||||
<li>For easier identification, packets logged under the
|
||||
'norfc1918'
|
||||
interface option are now logged out of chains named 'rfc1918'.
|
||||
Previously, such packets were logged under chains named
|
||||
'logdrop'.</li>
|
||||
<li>Distributors and developers seem to be regularly inventing
|
||||
new
|
||||
naming conventions for kernel modules. To avoid the need to change
|
||||
Shorewall code for each new convention, the MODULE_SUFFIX option
|
||||
has been added to shorewall.conf. MODULE_SUFFIX may be set to the
|
||||
suffix for module names in your particular distribution. If
|
||||
MODULE_SUFFIX is not set in shorewall.conf, Shorewall will use the
|
||||
list "o gz ko o.gz".<br>
|
||||
<br>
|
||||
To see what suffix is used by your distribution:<br>
|
||||
<br>
|
||||
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br>
|
||||
<br>
|
||||
All of the files listed should have the same suffix (extension).
|
||||
Set MODULE_SUFFIX to that suffix.<br>
|
||||
<br>
|
||||
Examples:<br>
|
||||
<br>
|
||||
If all files end in ".kzo" then set
|
||||
MODULE_SUFFIX="kzo"<br>
|
||||
If all files end in ".kz.o" then set
|
||||
MODULE_SUFFIX="kz.o"</li>
|
||||
<li>Support for user defined rule ACTIONS has been implemented
|
||||
through two new files:<br>
|
||||
<br>
|
||||
/etc/shorewall/actions - used to list the user-defined ACTIONS.<br>
|
||||
/etc/shorewall/action.template - For each user defined
|
||||
<action>, copy this file to
|
||||
/etc/shorewall/action.<action> and add the appropriate rules
|
||||
for that <action>. Once an <action> has been defined,
|
||||
it may be used like any of the builtin ACTIONS (ACCEPT, DROP, etc.)
|
||||
in /etc/shorewall/rules.<br>
|
||||
<br>
|
||||
Example: You want an action that logs a packet at the 'info' level
|
||||
and accepts the connection.<br>
|
||||
<br>
|
||||
In /etc/shorewall/actions, you would add:<br>
|
||||
<br>
|
||||
LogAndAccept<br>
|
||||
<br>
|
||||
You would then copy /etc/shorewall/action.template to
|
||||
/etc/shorewall/action.LogAndAccept and in that file, you would add the
|
||||
two
|
||||
rules:<br>
|
||||
LOG:info<br>
|
||||
ACCEPT</li>
|
||||
<li>The default value for NEWNOTSYN in shorewall.conf is now
|
||||
"Yes" (non-syn
|
||||
TCP packets that are not part of an existing connection are filtered
|
||||
according to the rules and policies rather than being dropped). I have
|
||||
made this change for two reasons:<br>
|
||||
<br>
|
||||
a) NEWNOTSYN=No tends to result in lots of "stuck" connections since
|
||||
any timeout during TCP session tear down results in the firewall
|
||||
dropping all of the retries.<br>
|
||||
<br>
|
||||
b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
|
||||
lots of confusing messages when a connection got "stuck". While I could
|
||||
have changed the default value of LOGNEWNOTSYN to suppress logging, I
|
||||
dislike defaults that silently throw away packets.</li>
|
||||
<li>The common.def file now contains an entry that silently drops
|
||||
ICMP
|
||||
packets with a null source address. Ad Koster reported a case where
|
||||
these were occuring frequently as a result of a broken system on his
|
||||
external network.</li>
|
||||
</ol>
|
||||
<p><b>12/29/2003 - Shorewall 1.4.9 Beta 2</b><b> </b></p>
|
||||
<div style="margin-left: 40px;"><a
|
||||
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
|
||||
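Review bot: the NEWNOTSYN item under New Features states the mechanism but not its security consequence, and the Migration Issues section above it still says "None." With the new default NEWNOTSYN=Yes, a non-SYN TCP segment that matches no existing connection is evaluated against the rules and policies, so every ACCEPT rule or ACCEPT policy now also admits such stray segments (ACK/RST probes included), where NEWNOTSYN=No dropped them unconditionally. Suggest adding a sentence telling users who relied on the old behaviour to set NEWNOTSYN=No explicitly in shorewall.conf, and listing this under Migration Issues. The common.def change for SMB ports from 'reject' to 'DROP' (second New Features item) is a behaviour change for the same reason: clients that used to get an immediate rejection will now wait for a timeout. Minor: "occuring" should read "occurring" in the ICMP null-source item.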
@ -98,7 +205,8 @@ In /etc/shorewall/actions, you would add:<br>
|
||||
LogAndAccept<br>
|
||||
<br>
|
||||
You would then copy /etc/shorewall/action.template to
|
||||
/etc/shorewall/LogAndAccept and in that file, you would add the two
|
||||
/etc/shorewall/action.LogAndAccept and in that file, you would add the
|
||||
two
|
||||
rules:<br>
|
||||
LOG:info<br>
|
||||
ACCEPT<br>
|
||||
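Review bot: the corrected filename /etc/shorewall/action.LogAndAccept now matches the convention given a few lines earlier in the same section (copy action.template to /etc/shorewall/action.&lt;action&gt;); the old text pointed at /etc/shorewall/LogAndAccept, which Shorewall would not have read as an action file. The accompanying rewrap that moves "two" onto its own line is a no-op for HTML rendering but makes the diff noisier than a one-word fix needs; consider keeping the original line wrapping.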
@ -194,7 +302,8 @@ In /etc/shorewall/actions, you would add:<br>
|
||||
LogAndAccept<br>
|
||||
<br>
|
||||
You would then copy /etc/shorewall/action.template to
|
||||
/etc/shorewall/LogAndAccept and in that file, you would add the two
|
||||
/etc/shorewall/action.LogAndAccept and in that file, you would add the
|
||||
two
|
||||
rules:<br>
|
||||
LOG:info<br>
|
||||
ACCEPT<br>
|
||||
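Review bot: this is the same filename correction as the previous hunk in this file, which means the identical example text is now present three times in the archive (the 1.4.9 release entry added above, Beta 2, and Beta 1). Any further change to the example has to be applied in all three places; a single entry saying "see the release notes above" for the beta entries would avoid that.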
|
@ -45,9 +45,6 @@ Repository</a></li>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p> <a href="http://validator.w3.org/check/referer"><img
|
||||
src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0!"
|
||||
height="31" width="88"></a> </p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright © 2001-2004 Thomas
|
||||
M. Eastep.</font></a><br>
|
||||
</p>
|
||||
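Review bot: removing the "Valid XHTML 1.0!" badge is not mentioned in the commit message ("Shorewall 1.4.9"), so state whether validity is still expected. As a side effect the page no longer loads an image from www.w3.org or links to http://validator.w3.org/check/referer, so viewing it no longer sends the page URL to a third party as the referer; if validation is still wanted, run the validator out of band rather than restoring the badge.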
|
@ -11,7 +11,7 @@
|
||||
<h1 style="text-align: left;">Shorewall Download</h1>
|
||||
<span style="font-weight: bold;">Tom Eastep<br>
|
||||
<br>
|
||||
</span>Copyright © 2001-2003 Thomas M. Eastep<span
|
||||
</span>Copyright © 2001-2004 Thomas M. Eastep<span
|
||||
style="font-weight: bold;"><br>
|
||||
</span>
|
||||
<p>Permission is granted to copy, distribute and/or modify this
|
||||
@ -22,7 +22,7 @@ Texts. A copy of the license is included in the section entitled “<span
|
||||
class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free
|
||||
Documentation License</a></span>”.<br>
|
||||
</p>
|
||||
<p>2003-12-30<br>
|
||||
<p>2004-01-13<br>
|
||||
</p>
|
||||
<hr style="width: 100%; height: 2px;">
|
||||
<p><b>I strongly urge you to read and print a copy of the <a
|
||||
@ -38,9 +38,9 @@ at:</p>
|
||||
<a
|
||||
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
|
||||
</p>
|
||||
<p>The documentation in HTML format is included in the .rpm and in the
|
||||
.tgz
|
||||
packages below.</p>
|
||||
<p>The documentation in both XML and HTML formats is also available for
|
||||
download from the Download Sites listed in the table below.<br>
|
||||
</p>
|
||||
<p> Once you've printed the appropriate QuickStart Guide, download <u>
|
||||
one</u> of the modules:</p>
|
||||
<ul>
|
||||
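Review bot: the replacement paragraph says the XML and HTML documentation is available from the Download Sites but does not say which files to fetch; the release note elsewhere in this commit only says "separate HTML and XML packages". Since this paragraph sits next to the download table, naming the documentation package files here would save readers a round trip.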
@ -53,8 +53,8 @@ chkconfig or insserv). If you find that it works in other cases, let <a
|
||||
href="mailto:teastep@shorewall.net"> me</a> know so that I can mention
|
||||
them here. See the <a href="Install.htm">Installation Instructions</a>
|
||||
if you have problems installing the RPM.</li>
|
||||
<li>If you are running LRP, download the .lrp file (you might also
|
||||
want to download the .tgz so you will have a copy of the documentation).</li>
|
||||
<li>If you are running LRP, download the .lrp file.<br>
|
||||
</li>
|
||||
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
|
||||
would like a .deb package, Shorewall is included in both the <a
|
||||
href="http://packages.debian.org/testing/net/shorewall.html">Debian
|
||||
@ -63,15 +63,8 @@ Testing Branch</a> and the <a
|
||||
Unstable Branch</a>.</li>
|
||||
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
|
||||
</ul>
|
||||
<p>The documentation in HTML format is included in the .tgz and .rpm
|
||||
files and there is an documentation .deb that also contains the
|
||||
documentation. The .rpm will install the documentation in
|
||||
your default document directory which can be obtained using the
|
||||
following command:<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<p><font color="#009900"><b>rpm --eval '%{_defaultdocdir}'</b></font></p>
|
||||
</blockquote>
|
||||
<p>You will probably also want to download the HTML version of the
|
||||
documentation for easy reference.</p>
|
||||
<p>Please check the <font color="#ff0000"> <a href="errata.htm">
|
||||
errata</a></font> to see if there are updates that apply to the version
|
||||
that you have downloaded.</p>
|
||||
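Review bot: with the sentence about the .rpm installing the documentation (and the rpm --eval '%{_defaultdocdir}' hint) removed, the kept sentence "You will probably also want to download the HTML version of the documentation for easy reference" now understates things: downloading the separate documentation package is the only way to get the docs alongside the .rpm or .tgz. Suggest "You will also need to download..." with a pointer to the documentation packages.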
|
@ -78,7 +78,7 @@ any later version published by the Free Software Foundation; with no
|
||||
Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
|
||||
A copy of the license is included in the section entitled <a>"GNU Free
|
||||
Documentation License"</a>.
|
||||
<p>Copyright © 2001-2003 Thomas M. Eastep </p>
|
||||
<p>Copyright © 2001-2004 Thomas M. Eastep </p>
|
||||
<h3>Running Shorewall on Mandrake with a two-interface setup?</h3>
|
||||
If so, the documentation <b></b>on this site will not apply directly
|
||||
to your setup. If you want to use the documentation that you find here,
|
||||
@ -87,14 +87,10 @@ setup that matches the documentation on this site. See the <a
|
||||
href="two-interface.htm">Two-interface QuickStart Guide</a> for
|
||||
details.<br>
|
||||
<h2>News</h2>
|
||||
<p><b>12/29/2003 - Shorewall 1.4.9 Beta 2 </b><b><img alt="(New)"
|
||||
<p><b>1/13/2004 - Shorewall 1.4.9 </b><b><img alt="(New)"
|
||||
src="images/new10.gif"
|
||||
style="border: 0px solid ; width: 28px; height: 12px;" title=""></b><b>
|
||||
</b></p>
|
||||
<div style="margin-left: 40px;"><a
|
||||
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a>
|
||||
</div>
|
||||
<p>Problems Corrected since version 1.4.8:</p>
|
||||
<ol>
|
||||
<li>There has been a low continuing level of confusion over the
|
||||
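Review bot: the headline is changed to "1/13/2004 - Shorewall 1.4.9", but the two download links in the unchanged context below it still point at http://shorewall.net/pub/shorewall/Beta and ftp://shorewall.net/pub/shorewall/Beta. The final release announcement should link to the release directory; as it stands, readers following the front page will either download beta artifacts or land in an emptied directory.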
@ -167,7 +163,8 @@ In /etc/shorewall/actions, you would add:<br>
|
||||
LogAndAccept<br>
|
||||
<br>
|
||||
You would then copy /etc/shorewall/action.template to
|
||||
/etc/shorewall/LogAndAccept and in that file, you would add the two
|
||||
/etc/shorewall/action.LogAndAccept and in that file, you would add the
|
||||
two
|
||||
rules:<br>
|
||||
LOG:info<br>
|
||||
ACCEPT<br>
|
||||
@ -184,7 +181,11 @@ dropping all of the retries.<br>
|
||||
b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
|
||||
lots of confusing messages when a connection got "stuck". While I could
|
||||
have changed the default value of LOGNEWNOTSYN to suppress logging, I
|
||||
dislike defaults that silently throw away packets.<br>
|
||||
dislike defaults that silently throw away packets.</li>
|
||||
<li>The common.def file now contains an entry that silently
|
||||
drops ICMP packets with a null source address. Ad Koster reported a
|
||||
case where these were occuring frequently as a result of a broken
|
||||
system on his external network.<br>
|
||||
<br>
|
||||
</li>
|
||||
</ol>
|
||||
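Review bot: the new ICMP null-source list item ends with two stray &lt;br&gt; tags before &lt;/li&gt;, which leaves blank space under the last item of the list; the same item added to the news archive in this commit has no trailing breaks, so drop them here for consistency. Also "occuring" should read "occurring".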
@ -233,7 +234,7 @@ Children's Foundation</a>. Thanks!</big><br>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<p><font size="2">Updated 12/29/2003 - <a href="support.htm">Tom Eastep</a></font><br>
|
||||
<p><font size="2">Updated 01/13/2004 - <a href="support.htm">Tom Eastep</a></font><br>
|
||||
</p>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -9,7 +9,7 @@
|
||||
</head>
|
||||
|
||||
<frameset rows="90,*">
|
||||
<frame name="banner" scrolling="no" noresize target="contents" src="Shorewall_Banner.htm">
|
||||
<frame name="banner" scrolling="no" noresize target="contents" src="Banner.html">
|
||||
<frameset cols="262,*">
|
||||
<frame name="contents" target="main" src="Shorewall_index_frame.htm">
|
||||
<frame name="main" src="seattlefirewall_index.htm" target="_self">
|
||||
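Review bot: the banner frame source changes from Shorewall_Banner.htm to Banner.html, but nothing else in this commit adds or renames a Banner.html. Confirm the file exists in the tree with exactly that name and case (if the web server is case-sensitive), otherwise the top frame of the site will fail to load.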
|
@ -64,7 +64,7 @@ document under the terms of the GNU Free Documentation License, Version
|
||||
with no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled <a>"GNU
|
||||
Free Documentation License"</a>.</p>
|
||||
<p>Copyright © 2001-2003 Thomas M. Eastep </p>
|
||||
<p>Copyright © 2001-2004 Thomas M. Eastep </p>
|
||||
<h2>This is the Shorewall 1.4 Web Site</h2>
|
||||
The information on this site applies only to 1.4.x releases of
|
||||
Shorewall. For older versions:<br>
|
||||
@ -92,14 +92,10 @@ and installing a setup that matches the documentation on this site.
|
||||
See the <a href="two-interface.htm">Two-interface QuickStart
|
||||
Guide</a> for details.
|
||||
<h2><b>News</b></h2>
|
||||
<p><b>12/29/2003 - Shorewall 1.4.9 Beta 2</b> <b><img
|
||||
<p><b>1/13/2004 - Shorewall 1.4.9</b> <b><img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="images/new10.gif" alt="(New)" title=""><br>
|
||||
</b></p>
|
||||
<div style="margin-left: 40px;"><a
|
||||
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</div>
|
||||
<p>Problems Corrected since version 1.4.8:<br>
|
||||
</p>
|
||||
<ol>
|
||||
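Review bot: same problem as the other index page in this commit: the headline now announces the 1.4.9 final release while both links in the unchanged context below still point at the .../pub/shorewall/Beta directory. Update both pages together.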
@ -180,7 +176,8 @@ In /etc/shorewall/actions, you would add:<br>
|
||||
LogAndAccept<br>
|
||||
<br>
|
||||
You would then copy /etc/shorewall/action.template to
|
||||
/etc/shorewall/LogAndAccept and in that file, you would add the two
|
||||
/etc/shorewall/action.LogAndAccept and in that file, you would add the
|
||||
two
|
||||
rules:<br>
|
||||
LOG:info<br>
|
||||
ACCEPT</li>
|
||||
@ -198,6 +195,11 @@ b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
|
||||
lots of confusing messages when a connection got "stuck". While I could
|
||||
have changed the default value of LOGNEWNOTSYN to suppress logging, I
|
||||
dislike defaults that silently throw away packets.</li>
|
||||
<li>The common.def file now contains an entry that silently
|
||||
drops ICMP
|
||||
packets with a null source address. Ad Koster reported a case where
|
||||
these were occuring frequently as a result of a broken system on his
|
||||
external network.</li>
|
||||
</ol>
|
||||
<p><b>12/28/2003 - www.shorewall.net/ftp.shorewall.net Back
|
||||
On-line</b> <b><img alt="(New)" src="images/new10.gif"
|
||||
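Review bot: "occuring" should read "occurring" in the new ICMP null-source item; the same typo is present in each copy of this text added by the commit. The item here correctly closes with &lt;/li&gt; without stray &lt;br&gt; tags, unlike the copy in the other index page.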
@ -266,7 +268,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p><font size="2">Updated 12/29/2003 - <a href="support.htm">Tom
|
||||
<p><font size="2">Updated 01/13/2004 - <a href="support.htm">Tom
|
||||
Eastep</a></font><br>
|
||||
</p>
|
||||
</body>
|
||||
|