From f201d06f6ee1e3e88251b3fdb44ecc4484bf20ef Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 31 Jan 2004 03:35:08 +0000
Subject: [PATCH] Shorewall 1.4.10

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1101 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-Website/News.htm | 239 +++++++++++++++++-
 Shorewall-Website/Shorewall_index_frame.htm | 5 +-
 Shorewall-Website/Shorewall_sfindex_frame.htm | 4 +-
 Shorewall-Website/mailing_list.htm | 86 ++++---
 Shorewall-Website/seattlefirewall_index.htm | 100 ++++++--
 Shorewall-Website/sourceforge_index.htm | 100 ++++++--
 6 files changed, 449 insertions(+), 85 deletions(-)

diff --git a/Shorewall-Website/News.htm b/Shorewall-Website/News.htm index 74602efdd..b76ab6b2a 100644 --- a/Shorewall-Website/News.htm +++ b/Shorewall-Website/News.htm @@ -18,9 +18,246 @@ Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

-

2004-01-13
+

2004-01-30


+

1/30/2004 - Shorewall 1.4.10

+

Problems Corrected since version 1.4.9

+
    +
  1. The column descriptions in the action.template file did not +match the column headings. That has been corrected.
  2. +
  3. The presence of IPV6 addresses on devices generated error +messages during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes +are specified in /etc/shorewall/shorewall.conf. These messages have +been eliminated.
  4. +
  5. The CONTINUE action in /etc/shorewall/rules now +works +correctly. A couple of problems involving rate limiting have been +corrected. These bug fixes courtesy of Steven Jan Springl.
  6. +
  7. Shorewall now tried to avoid sending an ICMP response to +broadcasts and smurfs.
  8. +
  9. Specifying "-" or "all" in the PROTO column of an action no +longer causes a startup error.
  10. +
+Migragion Issues:
+
+    None.
+
+New Features:
+
    +
  1. The INTERFACE column in the /etc/shorewall/masq file may +now specify a destination list.
    +
    +Example:
    +
    +    #INTERFACE        +    SUBNET        ADDRESS
    +    eth0:192.0.2.3,192.0.2.16/28    eth1
    +
    +If the list begins with "!" then SNAT will occur only if the +destination IP address is NOT included in the list.
    +
    +
  2. +
  3. Output traffic control rules (those with the firewall as +the +source) may now be qualified by the effective userid and/or effective +group id of the program generating the output. This feature is courtesy +of  Frédéric LESPEZ.
    +
    +A new USER column has been added to /etc/shorewall/tcrules. It may +contain :
    +
    +      [<user name or number>]:[<group +name or number>]
    +
    +The colon is optionnal when specifying only a user.
    +
    +       Examples : john: / john / :users / +john:users
    +
    +
  4. +
  5. A "detectnets" interface option has been added for entries +in +/etc/shorewall/interfaces. This option automatically taylors the +definition of the zone named in the ZONE column to include just  +those +hosts that have routes through the interface named in the INTERFACE +column. The named interface must be UP when Shorewall is [re]started.
    +
    + WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE! +  
  6. +
+

1/27/2004 - Shorewall 1.4.10 RC3

+

http://shorewall.net/pub/shorewall/Beta
+ftp://shorewall.net/pub/shorewall/Beta
+

+

Problems Corrected since version 1.4.9

+
    +
  1. The column descriptions in the action.template file did not +match the column headings. That has been corrected.
  2. +
  3. The presence of IPV6 addresses on devices generated error +messages during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes +are specified in /etc/shorewall/shorewall.conf. These messages have +been eliminated.
  4. +
  5. The CONTINUE action in /etc/shorewall/rules now works +correctly. A couple of problems involving rate limiting have been +corrected. These bug fixes courtesy of Steven Jan Springl.
  6. +
  7. Shorewall now tried to avoid sending an ICMP response to +broadcasts and smurfs.
    +
  8. +
+Migragion Issues:
+
+    None.
+
+New Features:
+
    +
  1. The INTERFACE column in the /etc/shorewall/masq file may +now specify a destination list.
    +
    +Example:
    +
    +    #INTERFACE        +    SUBNET        ADDRESS
    +    eth0:192.0.2.3,192.0.2.16/28    eth1
    +
    +If the list begins with "!" then SNAT will occur only if the +destination IP address is NOT included in the list.
    +
    +
  2. +
  3. Output traffic control rules (those with the firewall as +the +source) may now be qualified by the effective userid and/or effective +group id of the program generating the output. This feature is courtesy +of  Frédéric LESPEZ.
    +
    +A new USER column has been added to /etc/shorewall/tcrules. It may +contain :
    +
    +      [<user name or number>]:[<group +name or number>]
    +
    +The colon is optionnal when specifying only a user.
    +
    +       Examples : john: / john / :users / +john:users
    +
    +
  4. +
  5. A "detectnets" interface option has been added for entries +in +/etc/shorewall/interfaces. This option automatically taylors the +definition of the zone named in the ZONE column to include just  +those +hosts that have routes through the interface named in the INTERFACE +column. The named interface must be UP when Shorewall is [re]started.
    +
    + WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE! +  
  6. +
+

1/24/2004 - Shorewall 1.4.10 RC2 

+

http://shorewall.net/pub/shorewall/Beta
+ftp://shorewall.net/pub/shorewall/Beta
+

+

Problems Corrected since version 1.4.9

+
    +
  1. The column descriptions in the action.template file did not +match the column headings. That has been corrected.
  2. +
  3. The presence of IPV6 addresses on devices generated error +messages during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes +are specified in /etc/shorewall/shorewall.conf. These messages have +been eliminated.
  4. +
+Migragion Issues:
+
+    None.
+
+New Features:
+
    +
  1. The INTERFACE column in the /etc/shorewall/masq file may +now specify a destination list.
    +
    +Example:
    +
    +    #INTERFACE        +    SUBNET        ADDRESS
    +    eth0:192.0.2.3,192.0.2.16/28    eth1
    +
    +If the list begins with "!" then SNAT will occur only if the +destination IP address is NOT included in the list.
    +
    +
  2. +
  3. Output traffic control rules (those with the firewall as +the source) may now be qualified by the effective userid and/or +effective group id of the program generating the output. This feature +is courtesy of  Frédéric LESPEZ.
    +
    +A new USER column has been added to /etc/shorewall/tcrules. It may +contain :
    +
    +      [<user name or number>]:[<group +name or number>]
    +
    +The colon is optionnal when specifying only a user.
    +
    +       Examples : john: / john / :users / +john:users
    +
    +
  4. +
  5. A "detectnets" interface option has been added for entries in +/etc/shorewall/interfaces. This option automatically taylors the +definition of the zone named in the ZONE column to include just  +those +hosts that have routes through the interface named in the INTERFACE +column. The named interface must be UP when Shorewall is [re]started.
    +
    + WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!
  6. +
+

1/22/2004 - Shorewall 1.4.10 RC1 

+

Problems Corrected since version 1.4.9

+
    +
  1. The column descriptions in the action.template file did not match +the column headings. That has been corrected.
  2. +
  3. The presence of IPV6 addresses on devices generated error +messages during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes +are specified in /etc/shorewall/shorewall.conf. These messages have +been eliminated.
  4. +
+Migragion Issues:
+
+    None.
+
+New Features:
+
    +
  1. The INTERFACE column in the /etc/shorewall/masq file may now +specify a destination list.
    +
    +Example:
    +
    +    #INTERFACE        +    SUBNET        ADDRESS
    +    eth0:192.0.2.3,192.0.2.16/28    eth1
    +
    +If the list begins with "!" then SNAT will occur only if the +destination IP address is NOT included in the list.
    +
    +
  2. +
  3. Output traffic control rules (those with the firewall as the +source) may now be qualified by the effective userid and/or effective +group id of the program generating the output. This feature is courtesy +of  Frédéric LESPEZ.
    +
    +A new USER column has been added to /etc/shorewall/tcrules. It may +contain :
    +
    +      [<user name or number>]:[<group +name or number>]
    +
    +The colon is optionnal when specifying only a user.
    +
    +       Examples : john: / john / :users / +john:users   
    +
  4. +

1/13/2004 - Shorewall 1.4.9

Problems Corrected since version 1.4.8:
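
Review bot: In the new 1.4.10 entry (and again in the RC3 and RC2 entries), the "detectnets" item ends with "WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!" but gives no reason, so a reader cannot tell what goes wrong or how to recognise the mistake afterwards; add one sentence saying what the zone definition becomes when the option is set on that interface. The USER column text says it applies to rules "with the firewall as the source" but leaves open what happens when a USER value is given on any other tcrules entry; state whether that is rejected at startup or ignored. The added text also carries typos that recur in the RC entries added in the same hunk: "Migragion Issues", "optionnal", "taylors", and "Shorewall now tried to avoid" where the present tense looks intended. Since the 1.4.10 entry repeats the RC3 lists and adds only the PROTO fix, the three RC entries could be reduced to a line each.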
diff --git a/Shorewall-Website/Shorewall_index_frame.htm b/Shorewall-Website/Shorewall_index_frame.htm index 8f7518a8f..99bd80c23 100644 --- a/Shorewall-Website/Shorewall_index_frame.htm +++ b/Shorewall-Website/Shorewall_index_frame.htm @@ -23,7 +23,10 @@

  • QuickStart Guides (HOWTOs)
  • Documentation
  • -
  • FAQs
  • +
  • FAQs  (Wiki)
    +
  • Useful Links
  • Things to try if it doesn't work
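
Review bot: The "FAQs" entry becomes "FAQs  (Wiki)" here followed by one more added line, so this file grows by three lines (-23,7 +23,10) while the same change in Shorewall_sfindex_frame.htm grows by two (-32,7 +32,9); keep the markup of the two frame files identical so later edits apply cleanly to both. The commit subject "Shorewall 1.4.10" does not mention the new Wiki link, so either note it in the message or split it into its own commit.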
  • diff --git a/Shorewall-Website/Shorewall_sfindex_frame.htm b/Shorewall-Website/Shorewall_sfindex_frame.htm index 9acf4080e..afeb12fa1 100644 --- a/Shorewall-Website/Shorewall_sfindex_frame.htm +++ b/Shorewall-Website/Shorewall_sfindex_frame.htm @@ -32,7 +32,9 @@ Guides (HOWTOs)
  • Documentation
  • -
  • FAQs
  • +
  • FAQs  (Wiki)
  • Useful Links
  • Things to try if it doesn't diff --git a/Shorewall-Website/mailing_list.htm b/Shorewall-Website/mailing_list.htm index 98f0fc52e..d886f2273 100755 --- a/Shorewall-Website/mailing_list.htm +++ b/Shorewall-Website/mailing_list.htm @@ -13,7 +13,7 @@

    Shorewall Mailing Lists

    Tom Eastep

    -Copyright 2001-2003 Thomas M. Eastep
    +Copyright 2001-2004 Thomas M. Eastep

    -

    2003-12-30
    +

    2004-01-28


    -

    Acknowlegments

    -The Shorewall Mailing Lists use the following software:
    - -

    Note
    -

    +

    Note

    If you are reporting a problem or asking a question, you are at the wrong place -- please see the Shorewall Support Guide.
    -
    -If you experience problems with any of these lists, -please let me -know -

    Not able to Post Mail to shorewall.net?

    -

    You can report such problems by sending mail to -tmeastep at -hotmail dot com.

    -

    A Word about the SPAM Filters at Shorewall.net 

    -

    Please note that the mail server at shorewall.net checks -incoming mail:
    -

    -
      -
    1. against Spamassassin -(including Vipul's Razor).
      -
    2. -
    3. to ensure that the sender address is -fully qualified.
    4. -
    5. to verify that the sender's domain has an A or MX record in DNS.
    6. -
    7. to ensure that the host name in the HELO/EHLO command is a valid -fully-qualified DNS name.
    8. -
    +

    Mailing Lists are Moderated for Non-Member Posts

    +Given the +recent problems associated with the MyDoom virus (and the more annoying +problem of clueless mail admins who configure their AV software to spam +innocent bystanders during a virus storm), the Shorewall lists are now +moderated for non-member posts. It is also a good idea to mention that +you are a non-member so that people will include you in the CC list +when replying.

    Please post in plain text

    A growing number of MTAs serving list subscribers are rejecting all HTML traffic. At least one MTA has gone so far as to blacklist @@ -125,7 +98,8 @@ Search:

    Please do not try to download the entire -Archive -- it is 164MB (and growing daily) and my slow DSL line simply +HTML Archive -- it is 212MB (and growing daily) and my slow DSL line +simply won't stand the traffic. If I catch you, you will be blacklisted.
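
Review bot: The archive size in this sentence is hard-coded and had to be bumped from 164MB to 212MB in this change, even though the same sentence says it is "growing daily"; drop the figure or word it as a lower bound so the page does not need editing at each release.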

    @@ -238,6 +212,40 @@ password, there is another button that will cause your password to be emailed to you.

  • +

    A Word about the SPAM Filters at Shorewall.net 

    +

    Please note that the mail server at shorewall.net checks +incoming mail:
    +

    +
      +
    1. against Spamassassin +(including Vipul's Razor).
      +
    2. +
    3. to ensure that the sender address is +fully qualified.
    4. +
    5. to verify that the sender's domain has an A or MX record in DNS.
    6. +
    7. to ensure that the host name in the HELO/EHLO command is a valid +fully-qualified DNS name.
    8. +
    +

    +If you experience problems with any of these lists, +please let me +know +

    +

    Not able to Post Mail to shorewall.net?

    +

    You can report such problems by sending mail to +tmeastep at +hotmail dot com.

    +

    Acknowlegments

    +The Shorewall Mailing Lists use the following software:
    +

    Frustrated by having to Rebuild Mailman to use it with Postfix?
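
Review bot: The relocated heading is re-added as "Acknowlegments", the same misspelling as in the removed copy; since the block is being moved anyway, correct it to "Acknowledgments" here. The move also places the spam-filter checks and "Not able to Post Mail to shorewall.net?" further down the page (new lines 212 onward), while the new "Mailing Lists are Moderated for Non-Member Posts" notice sits near the top; a non-member whose post does not appear now has two possible causes described far apart, so add a pointer from the moderation notice to the filter list and the contact address.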

    diff --git a/Shorewall-Website/seattlefirewall_index.htm b/Shorewall-Website/seattlefirewall_index.htm index 76235ffd8..e294bb2ac 100755 --- a/Shorewall-Website/seattlefirewall_index.htm +++ b/Shorewall-Website/seattlefirewall_index.htm @@ -87,10 +87,82 @@ setup that matches the documentation on this site. See the Two-interface QuickStart Guide for details.

    News

    -

    1/13/2004 - Shorewall 1.4.9 (New)1/30/2004 - Shorewall 1.4.10 (New) -

    + style="border: 0px solid ; width: 28px; height: 12px;" title="">

    +

    Problems Corrected since version 1.4.9

    +
      +
    1. The column descriptions in the action.template file did not +match the column headings. That has been corrected.
    2. +
    3. The presence of IPV6 addresses on devices generated error +messages during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes +are specified in /etc/shorewall/shorewall.conf. These messages have +been eliminated.
    4. +
    5. The CONTINUE action in /etc/shorewall/rules now works +correctly. A couple of problems involving rate limiting have been +corrected. These bug fixes courtesy of Steven Jan Springl.
    6. +
    7. Shorewall now tried to avoid sending an ICMP response to +broadcasts and smurfs.
    8. +
    9. Specifying "-" or "all" in the PROTO column of an action no +longer causes a startup error.
      +
      +
    10. +
    +Migragion Issues:
    +
    +    None.
    +
    +New Features:
    +
      +
    1. The INTERFACE column in the /etc/shorewall/masq file may +now specify a destination list.
      +
      +Example:
      +
      +    #INTERFACE        +    SUBNET        ADDRESS
      +    eth0:192.0.2.3,192.0.2.16/28    eth1
      +
      +If the list begins with "!" then SNAT will occur only if the +destination IP address is NOT included in the list.
      +
      +
    2. +
    3. Output traffic control rules (those with the firewall as +the source) may now be qualified by the effective userid and/or +effective group id of the program generating the output. This feature +is courtesy of  Frédéric LESPEZ.
      +
      +A new USER column has been added to /etc/shorewall/tcrules. It may +contain :
      +
      +      [<user name or number>]:[<group +name or number>]
      +
      +The colon is optionnal when specifying only a user.
      +
      +       Examples : john: / john / :users / +john:users
      +
      +
    4. +
    5. A "detectnets" interface option has been added for entries +in /etc/shorewall/interfaces. This option automatically taylors the +definition of the zone named in the ZONE column to include just  +those hosts that have routes through the interface named in the +INTERFACE column. The named interface must be UP when Shorewall is +[re]started.
      +
      + WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!
      +
    6. +
    +

    1/17/2004 - FAQ Wiki Available 

    +

    It has been asserted that the use of CVS for maintaining the +Shorewall documentation has been a barrier to community participation. +To test this theory, Alex Martin has +created a Wiki and with the help of Mike Noyes has populated the +Wiki with the Shorewall FAQ.
    +

    +

    1/13/2004 - Shorewall 1.4.9 

    Problems Corrected since version 1.4.8:
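
Review bot: The 1.4.10 notes added here are a second full copy of the text added to News.htm (sourceforge_index.htm gets a third), with the same typos ("Migragion Issues", "optionnal", "taylors", "now tried to avoid"), and this copy already differs by two extra added lines after the PROTO item; keep the full notes in News.htm and have the index pages carry the headline plus a link, or at least correct the wording once and copy it to all three files.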

    1. There has been a low continuing level of confusion over the @@ -189,22 +261,6 @@ system on his external network.

    -

    12/28/2003 - www.shorewall.net/ftp.shorewall.net Back -On-line (New)
    -

    -

    Our high-capacity server has been restored to service -- -please let us know if you -find any problems.

    -

    12/03/2003 - Support Torch Passed

    -Effective today, I am reducing my participation in the day-to-day -support of Shorewall. As part of this shift to community-based -Shorewall support a new Shorewall -Newbies mailing list has been established to field questions and -problems from new users. I will not monitor that list personally. I -will continue my active development of Shorewall and will be available -via the development list to handle development issues -- Tom.

    More News

    (Leaf Logo). Thanks!

    + +
    + + -

    Updated 01/13/2004 - Tom Eastep
    +

    Updated 01/30/2004 - Tom Eastep

    diff --git a/Shorewall-Website/sourceforge_index.htm b/Shorewall-Website/sourceforge_index.htm index 02b109a8a..a547b9988 100644 --- a/Shorewall-Website/sourceforge_index.htm +++ b/Shorewall-Website/sourceforge_index.htm @@ -92,9 +92,82 @@ and installing a setup that matches the documentation on this site. See the Two-interface QuickStart Guide for details.

    News

    -

    1/13/2004 - Shorewall 1.4.9 (New)
    +

    1/30/2004 - Shorewall 1.4.10 (New)

    +

    Problems Corrected since version 1.4.9

    +
      +
    1. The column descriptions in the action.template file did not +match the column headings. That has been corrected.
    2. +
    3. The presence of IPV6 addresses on devices generated error +messages during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes +are specified in /etc/shorewall/shorewall.conf. These messages have +been eliminated.
    4. +
    5. The CONTINUE action in /etc/shorewall/rules now +works +correctly. A couple of problems involving rate limiting have been +corrected. These bug fixes courtesy of Steven Jan Springl.
    6. +
    7. Shorewall now tried to avoid sending an ICMP response to +broadcasts and smurfs.
    8. +
    9. Specifying "-" or "all" in the PROTO column of an action no +longer causes a startup error.
    10. +
    +Migragion Issues:
    +
    +    None.
    +
    +New Features:
    +
      +
    1. The INTERFACE column in the /etc/shorewall/masq file may +now specify a destination list.
      +
      +Example:
      +
      +    #INTERFACE        +    SUBNET        ADDRESS
      +    eth0:192.0.2.3,192.0.2.16/28    eth1
      +
      +If the list begins with "!" then SNAT will occur only if the +destination IP address is NOT included in the list.
      +
      +
    2. +
    3. Output traffic control rules (those with the firewall as +the +source) may now be qualified by the effective userid and/or effective +group id of the program generating the output. This feature is courtesy +of  Frédéric LESPEZ.
      +
      +A new USER column has been added to /etc/shorewall/tcrules. It may +contain :
      +
      +      [<user name or number>]:[<group +name or number>]
      +
      +The colon is optionnal when specifying only a user.
      +
      +       Examples : john: / john / :users / +john:users
      +
      +
    4. +
    5. A "detectnets" interface option has been added for entries +in +/etc/shorewall/interfaces. This option automatically taylors the +definition of the zone named in the ZONE column to include just  +those +hosts that have routes through the interface named in the INTERFACE +column. The named interface must be UP when Shorewall is [re]started.
      +
      + WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE! +  
    6. +
    +

    1/17/2004 - FAQ Wiki Available 

    +It has been asserted that the use of CVS for maintaining the +Shorewall documentation has been a barrier to community participation. +To test this theory, Alex Martin has +created a Wiki and with the help of Mike Noyes has populated the +Wiki with the Shorewall FAQ. +

    1/13/2004 - Shorewall 1.4.9

    Problems Corrected since version 1.4.8:

    @@ -201,25 +274,6 @@ packets with a null source address. Ad Koster reported a case where these were occuring frequently as a result of a broken system on his external network. -

    12/28/2003 - www.shorewall.net/ftp.shorewall.net Back -On-line (New)
    -

    -

    Our high-capacity server has been restored to service -- -please let us know if you -find any problems.

    -

    12/03/2003 - Support Torch Passed (New)

    -Effective today, I am reducing my participation in the day-to-day -support of Shorewall. As part of this shift to community-based -Shorewall support a new Shorewall -Newbies mailing list has been established to field questions -and problems from new users. I will not monitor that list -personally. I will continue my active development of Shorewall and -will be available via the development list to handle development -issues -- Tom.

    More News
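
Review bot: This hunk drops the 12/03/2003 "Support Torch Passed" item from the front page (seattlefirewall_index.htm drops it too), and that item is where new users are told that questions go to the Shorewall Newbies list and that the author does not monitor it; the patch does not show whether News.htm still carries the item, so confirm it remains there or leave a one-line pointer to the support information on the index pages.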

    @@ -268,7 +322,7 @@ Children's Foundation. Thanks!

    -

    Updated 01/13/2004 - Tom +

    Updated 01/30/2004 - Tom Eastep