Shorewall 1.4.9

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1081 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-01-13 22:33:26 +00:00
parent 8b205571f0
commit e30c2a7ec8
6 changed files with 143 additions and 41 deletions

View File

@ -9,7 +9,7 @@
<h1 style="text-align: left;">Shorewall News Archive</h1> <h1 style="text-align: left;">Shorewall News Archive</h1>
<span style="font-weight: bold;">Tom Eastep<br> <span style="font-weight: bold;">Tom Eastep<br>
<br> <br>
</span>Copyright © 2001-2003 Thomas M. Eastep<br> </span>Copyright © 2001-2004 Thomas M. Eastep<br>
<p>Permission is granted to copy, distribute and/or modify this <p>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; 1.2 or any later version published by the Free Software Foundation;
@ -18,9 +18,116 @@ Texts. A copy of the license is included in the section entitled “<span
class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free
Documentation License</a></span>”.<br> Documentation License</a></span>”.<br>
</p> </p>
<p>2003-12-31<br> <p>2004-01-13<br>
</p> </p>
<hr style="width: 100%; height: 2px;"> <hr style="width: 100%; height: 2px;">
<p><b>1/13/2004 - Shorewall 1.4.9</b><b><br>
</b></p>
<p>Problems Corrected since version 1.4.8:<br>
</p>
<ol>
<li>There has been a low continuing level of confusion over the
terms "Source NAT" (SNAT) and "Static NAT". To avoid future
confusion, all instances of "Static NAT" have been replaced with
"One-to-one NAT" in the documentation and configuration files.</li>
<li>The description of NEWNOTSYN in shorewall.conf has been
reworded for clarity.</li>
<li>Wild-card rules (those involving "all" as SOURCE or DEST)
will
no longer produce an error if they attempt to add a rule that would
override a NONE policy. The logic for expanding these wild-card
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
policy.</li>
<li>DNAT rules that also specified SNAT now work reliably.
Previously,
there were cases where the SNAT specification was effectively ignored.</li>
</ol>
<p>Migration Issues:<br>
<br>
&nbsp;&nbsp;&nbsp; None.<br>
<br>
New Features:<br>
</p>
<ol>
<li>The documentation has been completely rebased to Docbook
XML. The
documentation is now released as separate HTML and XML packages.</li>
<li>To cut down on the number of "Why are these ports closed
rather
than stealthed?" questions, the SMB-related rules in
/etc/shorewall/common.def have been changed from 'reject' to
'DROP'.</li>
<li>For easier identification, packets logged under the
'norfc1918'
interface option are now logged out of chains named 'rfc1918'.
Previously, such packets were logged under chains named
'logdrop'.</li>
<li>Distributors and developers seem to be regularly inventing
new
naming conventions for kernel modules. To avoid the need to change
Shorewall code for each new convention, the MODULE_SUFFIX option
has been added to shorewall.conf. MODULE_SUFFIX may be set to the
suffix for module names in your particular distribution. If
MODULE_SUFFIX is not set in shorewall.conf, Shorewall will use the
list "o gz ko o.gz".<br>
<br>
To see what suffix is used by your distribution:<br>
<br>
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br>
<br>
All of the files listed should have the same suffix (extension).
Set MODULE_SUFFIX to that suffix.<br>
<br>
Examples:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kzo" then set
MODULE_SUFFIX="kzo"<br>
&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kz.o" then set
MODULE_SUFFIX="kz.o"</li>
<li>Support for user defined rule ACTIONS has been implemented
through two new files:<br>
<br>
/etc/shorewall/actions - used to list the user-defined ACTIONS.<br>
/etc/shorewall/action.template - For each user defined
&lt;action&gt;, copy this file to
/etc/shorewall/action.&lt;action&gt; and add the appropriate rules
for that &lt;action&gt;. Once an &lt;action&gt; has been defined,
it may be used like any of the builtin ACTIONS (ACCEPT, DROP, etc.)
in /etc/shorewall/rules.<br>
<br>
Example: You want an action that logs a packet at the 'info' level
and accepts the connection.<br>
<br>
In /etc/shorewall/actions, you would add:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
<br>
You would then copy /etc/shorewall/action.template to
/etc/shorewall/action.LogAndAccept and in that file, you would add the
two
rules:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT</li>
<li>The default value for NEWNOTSYN in shorewall.conf is now
"Yes" (non-syn
TCP packets that are not part of an existing connection are filtered
according to the rules and policies rather than being dropped). I have
made this change for two reasons:<br>
<br>
a) NEWNOTSYN=No tends to result in lots of "stuck" connections since
any timeout during TCP session tear down results in the firewall
dropping all of the retries.<br>
<br>
b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
lots of confusing messages when a connection got "stuck". While I could
have changed the default value of LOGNEWNOTSYN to suppress logging, I
dislike defaults that silently throw away packets.</li>
<li>The common.def file now contains an entry that silently drops
ICMP
packets with a null source address. Ad Koster reported a case where
these were occuring frequently as a result of a broken system on his
external network.</li>
</ol>
<p><b>12/29/2003 - Shorewall 1.4.9 Beta 2</b><b> </b></p> <p><b>12/29/2003 - Shorewall 1.4.9 Beta 2</b><b> </b></p>
<div style="margin-left: 40px;"><a <div style="margin-left: 40px;"><a
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br> href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
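Review bot: "Migration Issues: None" is contradicted by three items further down in this same hunk that change behaviour for any existing install that does not set the option explicitly: the NEWNOTSYN default flips to "Yes" (so a lone non-SYN TCP packet that matches an ACCEPT rule is now passed to the host instead of being dropped, and sites that relied on the old behaviour to stay silent to such probes must now set NEWNOTSYN=No themselves), the SMB entries in common.def go from 'reject' to 'DROP' (trusted-zone Windows clients will see timeouts where they previously got an immediate reject), and common.def gains an unconditional drop of ICMP with a null source address. List those three under Migration Issues, or at least state there that a shorewall.conf without a NEWNOTSYN line now gets the new default. Minor: "occuring" in the ICMP item should be "occurring".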
@ -98,7 +205,8 @@ In /etc/shorewall/actions, you would add:<br>
&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br> &nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
<br> <br>
You would then copy /etc/shorewall/action.template to You would then copy /etc/shorewall/action.template to
/etc/shorewall/LogAndAccept and in that file, you would add the two /etc/shorewall/action.LogAndAccept and in that file, you would add the
two
rules:<br> rules:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT<br>
@ -194,7 +302,8 @@ In /etc/shorewall/actions, you would add:<br>
&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br> &nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
<br> <br>
You would then copy /etc/shorewall/action.template to You would then copy /etc/shorewall/action.template to
/etc/shorewall/LogAndAccept and in that file, you would add the two /etc/shorewall/action.LogAndAccept and in that file, you would add the
two
rules:<br> rules:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT<br>

View File

@ -45,9 +45,6 @@ Repository</a></li>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p> <a href="http://validator.w3.org/check/referer"><img
src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0!"
height="31" width="88"></a> </p>
<p><a href="copyright.htm"><font size="2">Copyright © 2001-2004 Thomas <p><a href="copyright.htm"><font size="2">Copyright © 2001-2004 Thomas
M. Eastep.</font></a><br> M. Eastep.</font></a><br>
</p> </p>

View File

@ -11,7 +11,7 @@
<h1 style="text-align: left;">Shorewall Download</h1> <h1 style="text-align: left;">Shorewall Download</h1>
<span style="font-weight: bold;">Tom Eastep<br> <span style="font-weight: bold;">Tom Eastep<br>
<br> <br>
</span>Copyright ©&nbsp; 2001-2003 Thomas M. Eastep<span </span>Copyright ©&nbsp; 2001-2004 Thomas M. Eastep<span
style="font-weight: bold;"><br> style="font-weight: bold;"><br>
</span> </span>
<p>Permission is granted to copy, distribute and/or modify this <p>Permission is granted to copy, distribute and/or modify this
@ -22,7 +22,7 @@ Texts. A copy of the license is included in the section entitled “<span
class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free
Documentation License</a></span>”.<br> Documentation License</a></span>”.<br>
</p> </p>
<p>2003-12-30<br> <p>2004-01-13<br>
</p> </p>
<hr style="width: 100%; height: 2px;"> <hr style="width: 100%; height: 2px;">
<p><b>I strongly urge you to read and print a copy of the <a <p><b>I strongly urge you to read and print a copy of the <a
@ -38,9 +38,9 @@ at:</p>
&nbsp;&nbsp;&nbsp; <a &nbsp;&nbsp;&nbsp; <a
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a> href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p> </p>
<p>The documentation in HTML format is included in the .rpm and in the <p>The documentation in both XML and HTML formats is also available for
.tgz download from the Download Sites listed in the table below.<br>
packages below.</p> </p>
<p> Once you've printed the appropriate QuickStart Guide, download <u> <p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p> one</u> of the modules:</p>
<ul> <ul>
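Review bot: the new sentence sends readers to the Download Sites table for the XML and HTML documentation, and the surrounding text lists rsync and other mirrors, but nothing on the page says how to check that what was fetched is what was released. If the release tarballs and .rpm files are signed, say so here and link the key; if not, publishing checksums next to the packages and telling readers to compare them would be the minimum for a firewall package that people install as root.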
@ -53,8 +53,8 @@ chkconfig or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that I can mention href="mailto:teastep@shorewall.net"> me</a> know so that I can mention
them here. See the <a href="Install.htm">Installation Instructions</a> them here. See the <a href="Install.htm">Installation Instructions</a>
if you have problems installing the RPM.</li> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also <li>If you are running LRP, download the .lrp file.<br>
want to download the .tgz so you will have a copy of the documentation).</li> </li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and <li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
would like a .deb package, Shorewall is included in both the <a would like a .deb package, Shorewall is included in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian href="http://packages.debian.org/testing/net/shorewall.html">Debian
@ -63,15 +63,8 @@ Testing Branch</a> and the <a
Unstable Branch</a>.</li> Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li> <li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
</ul> </ul>
<p>The documentation in HTML format is included in the .tgz and .rpm <p>You will probably also want to download the HTML version of the
files and there is an documentation .deb that also contains the documentation for easy reference.</p>
documentation.&nbsp;&nbsp;The .rpm will install the documentation in
your default document directory which can be obtained using the
following command:<br>
</p>
<blockquote>
<p><font color="#009900"><b>rpm --eval '%{_defaultdocdir}'</b></font></p>
</blockquote>
<p>Please check the <font color="#ff0000"> <a href="errata.htm"> <p>Please check the <font color="#ff0000"> <a href="errata.htm">
errata</a></font> to see if there are updates that apply to the version errata</a></font> to see if there are updates that apply to the version
that you have downloaded.</p> that you have downloaded.</p>
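Review bot: the replacement paragraph "You will probably also want to download the HTML version of the documentation for easy reference" gives no location, while the paragraph above the module list already says the HTML and XML documentation is on the Download Sites table; either link the two or keep only one. Dropping the `rpm --eval '%{_defaultdocdir}'` hint also removes the only statement of where the .rpm used to install the documentation, so if the .rpm no longer ships it (as item 1 of the release notes implies) say that explicitly rather than leaving it implied.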

View File

@ -78,7 +78,7 @@ any later version published by the Free Software Foundation; with no
Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
A copy of the license is included in the section entitled <a>"GNU Free A copy of the license is included in the section entitled <a>"GNU Free
Documentation License"</a>. Documentation License"</a>.
<p>Copyright © 2001-2003 Thomas M. Eastep </p> <p>Copyright © 2001-2004 Thomas M. Eastep </p>
<h3>Running Shorewall on Mandrake with a two-interface setup?</h3> <h3>Running Shorewall on Mandrake with a two-interface setup?</h3>
If so, the documentation <b></b>on this site will not apply directly If so, the documentation <b></b>on this site will not apply directly
to your setup. If you want to use the documentation that you find here, to your setup. If you want to use the documentation that you find here,
@ -87,14 +87,10 @@ setup that matches the documentation on this site. See the <a
href="two-interface.htm">Two-interface QuickStart Guide</a> for href="two-interface.htm">Two-interface QuickStart Guide</a> for
details.<br> details.<br>
<h2>News</h2> <h2>News</h2>
<p><b>12/29/2003 - Shorewall 1.4.9 Beta 2 </b><b><img alt="(New)" <p><b>1/13/2004 - Shorewall 1.4.9 </b><b><img alt="(New)"
src="images/new10.gif" src="images/new10.gif"
style="border: 0px solid ; width: 28px; height: 12px;" title=""></b><b> style="border: 0px solid ; width: 28px; height: 12px;" title=""></b><b>
</b></p> </b></p>
<div style="margin-left: 40px;"><a
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a>
</div>
<p>Problems Corrected since version 1.4.8:</p> <p>Problems Corrected since version 1.4.8:</p>
<ol> <ol>
<li>There has been a low continuing level of confusion over the <li>There has been a low continuing level of confusion over the
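Review bot: removing the Beta directory links leaves the "1/13/2004 - Shorewall 1.4.9" announcement on both index pages with no link to the release at all; add a pointer to the Download page in its place so the news item tells readers where the 1.4.9 packages are.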
@ -167,7 +163,8 @@ In /etc/shorewall/actions, you would add:<br>
&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br> &nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
<br> <br>
You would then copy /etc/shorewall/action.template to You would then copy /etc/shorewall/action.template to
/etc/shorewall/LogAndAccept and in that file, you would add the two /etc/shorewall/action.LogAndAccept and in that file, you would add the
two
rules:<br> rules:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT<br>
@ -184,7 +181,11 @@ dropping all of the retries.<br>
b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
lots of confusing messages when a connection got "stuck". While I could lots of confusing messages when a connection got "stuck". While I could
have changed the default value of LOGNEWNOTSYN to suppress logging, I have changed the default value of LOGNEWNOTSYN to suppress logging, I
dislike defaults that silently throw away packets.<br> dislike defaults that silently throw away packets.</li>
<li>The common.def file now contains an entry that silently
drops ICMP packets with a null source address. Ad Koster reported a
case where these were occuring frequently as a result of a broken
system on his external network.<br>
<br> <br>
</li> </li>
</ol> </ol>
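Review bot: the new ICMP list item ends with a stray `<br>` followed by another `<br>` before `</li>`; those were the trailing breaks of the previous item and should be dropped here, as the copy of the same item in the other index page in this commit already does. Same "occuring" typo as in the News Archive copy.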
@ -233,7 +234,7 @@ Children's Foundation</a>. Thanks!</big><br>
</tbody> </tbody>
</table> </table>
</div> </div>
<p><font size="2">Updated 12/29/2003 - <a href="support.htm">Tom Eastep</a></font><br> <p><font size="2">Updated 01/13/2004 - <a href="support.htm">Tom Eastep</a></font><br>
</p> </p>
</body> </body>
</html> </html>

View File

@ -9,7 +9,7 @@
</head> </head>
<frameset rows="90,*"> <frameset rows="90,*">
<frame name="banner" scrolling="no" noresize target="contents" src="Shorewall_Banner.htm"> <frame name="banner" scrolling="no" noresize target="contents" src="Banner.html">
<frameset cols="262,*"> <frameset cols="262,*">
<frame name="contents" target="main" src="Shorewall_index_frame.htm"> <frame name="contents" target="main" src="Shorewall_index_frame.htm">
<frame name="main" src="seattlefirewall_index.htm" target="_self"> <frame name="main" src="seattlefirewall_index.htm" target="_self">
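Review bot: the banner frame now points at "Banner.html", but none of the six file views in this commit adds a Banner.html or renames Shorewall_Banner.htm, so unless that file is already in the tree the top frame will fail to load; confirm the file exists (note the .html versus .htm extension, which differs from every other page referenced in this frameset) or keep the old src until it is committed.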

View File

@ -64,7 +64,7 @@ document under the terms of the GNU Free Documentation License, Version
with no Invariant Sections, with no Front-Cover, and with no Back-Cover with no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled <a>"GNU Texts. A copy of the license is included in the section entitled <a>"GNU
Free Documentation License"</a>.</p> Free Documentation License"</a>.</p>
<p>Copyright © 2001-2003 Thomas M. Eastep </p> <p>Copyright © 2001-2004 Thomas M. Eastep </p>
<h2>This is the Shorewall 1.4 Web Site</h2> <h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of The information on this site applies only to 1.4.x releases of
Shorewall. For older versions:<br> Shorewall. For older versions:<br>
@ -92,14 +92,10 @@ and installing a setup that matches the documentation on this site.
See the <a href="two-interface.htm">Two-interface QuickStart See the <a href="two-interface.htm">Two-interface QuickStart
Guide</a> for details. Guide</a> for details.
<h2><b>News</b></h2> <h2><b>News</b></h2>
<p><b>12/29/2003 - Shorewall 1.4.9 Beta 2</b> <b><img <p><b>1/13/2004 - Shorewall 1.4.9</b> <b><img
style="border: 0px solid ; width: 28px; height: 12px;" style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""><br> src="images/new10.gif" alt="(New)" title=""><br>
</b></p> </b></p>
<div style="margin-left: 40px;"><a
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
</div>
<p>Problems Corrected since version 1.4.8:<br> <p>Problems Corrected since version 1.4.8:<br>
</p> </p>
<ol> <ol>
@ -180,7 +176,8 @@ In /etc/shorewall/actions, you would add:<br>
&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br> &nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
<br> <br>
You would then copy /etc/shorewall/action.template to You would then copy /etc/shorewall/action.template to
/etc/shorewall/LogAndAccept and in that file, you would add the two /etc/shorewall/action.LogAndAccept and in that file, you would add the
two
rules:<br> rules:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT</li> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT</li>
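Review bot: this is the third file in the commit carrying the same correction of the action file path from /etc/shorewall/LogAndAccept to /etc/shorewall/action.LogAndAccept, because the full release-note text is duplicated across the News Archive and both index pages. Since item 1 of these notes says the documentation has been rebased to Docbook XML, generating the news entries from one source would have caught this in one place and keeps the three copies from drifting again.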
@ -198,6 +195,11 @@ b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
lots of confusing messages when a connection got "stuck". While I could lots of confusing messages when a connection got "stuck". While I could
have changed the default value of LOGNEWNOTSYN to suppress logging, I have changed the default value of LOGNEWNOTSYN to suppress logging, I
dislike defaults that silently throw away packets.</li> dislike defaults that silently throw away packets.</li>
<li>The common.def file now contains an entry that silently
drops ICMP
packets with a null source address. Ad Koster reported a case where
these were occuring frequently as a result of a broken system on his
external network.</li>
</ol> </ol>
<p><b>12/28/2003 - www.shorewall.net/ftp.shorewall.net Back <p><b>12/28/2003 - www.shorewall.net/ftp.shorewall.net Back
On-line</b> <b><img alt="(New)" src="images/new10.gif" On-line</b> <b><img alt="(New)" src="images/new10.gif"
@ -266,7 +268,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 12/29/2003 - <a href="support.htm">Tom <p><font size="2">Updated 01/13/2004 - <a href="support.htm">Tom
Eastep</a></font><br> Eastep</a></font><br>
</p> </p>
</body> </body>