From f208ccce0097d0f241523c90810b6445b6dc7810 Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 10 Feb 2006 16:13:47 +0000 Subject: [PATCH] Update Web site for 3.0.5 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3465 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-Website/News.htm | 103 +++++++++++++++++++- Shorewall-Website/Shorewall_index_frame.htm | 20 ++-- Shorewall-Website/shorewall_index.htm | 10 +- 3 files changed, 117 insertions(+), 16 deletions(-) diff --git a/Shorewall-Website/News.htm b/Shorewall-Website/News.htm index eaac5506b..e4d6cacd0 100644 --- a/Shorewall-Website/News.htm +++ b/Shorewall-Website/News.htm @@ -25,9 +25,110 @@ Documentation License”.

+2006-02-10 Shorewall 3.0.5
+
+ + +
Problems corrected in Shorewall 3.0.5
+
+1)  Previously, if /etc/shorewall/ipsets existed, it was run when Shorewall starts
+    but not when Shorewall was restored.
+
+2)  When using the NETKEY IPSEC implementation in kernel 2.6 but without the
+    policy match patch and the Netfilter/IPSEC patches, previously an
+    entry in /etc/shorewall/tunnels was not sufficient in cases where:
+
+    a) gw<->gw traffic was encrypted
+    b) The gw<->gw policy through the tunnel was not ACCEPT
+
+    Thanks to Tuomo Soini, this has been corrected. By simply including the
+    remote VPN zone in the GATEWAY ZONE column for the tunnel's entry, no
+    additional rules are required.
+
+3)  Extra blank output lines are no longer produced by install.sh (patch
+    courtesy of Tuomo Soini).
+
+4)  TCP packets sent to QUEUE by rules in the ESTABLISHED section of the
+    rules file previously didn't work (they had the "--syn" parameter
+    added to them which resulted in a rule that no traffic would match).
+
+    WARNING: If you use the QUEUE target from an action, Shorewall will
+    still insert --syn if the protocol is tcp. So you don't want to
+    invoke such an action from the ESTABLISHED section of the rules
+    file.
+
+5)  The description of the SOURCE column in /etc/shorewall/rules has been
+    improved (patch courtesy of Ed Suominen).
+
+6)  The 'allow', 'drop' and 'reject' commands no longer produce iptables
+    errors when executed while Shorewall is not started.
+
+7)  The spelling of "maximize-throughput" has been corrected in the code
+    that implements tcclasses parsing. Patch courtesy of Paul Traina.
+
+8)  Shorewall now generates the correct match for devices in
+    /etc/shorewall/tcdevices that are actually bridge ports.
+
+New Features in Shorewall 3.0.5
+
+1)  The facilities available for dealing with the TOS field in
+    /etc/shorewall/tcclasses has been expended. The OPTIONS field is now may
+    contain a comma-separates list of the following:
+
+	tos=0x<value>[/0x<mask>]	(mask defaults to 0xff)
+					- this lets you define a classifier
+					for the given <value>/<mask> combination
+					of the IP packet's TOS/Precedence/DiffSrv
+					octet (aka the TOS byte).  Please note,
+					classifiers override all mark settings,
+					so if you define a classifer for a class,
+					all traffic having that mark will go in it
+					regardless of any mark set on the packet
+					by a firewall/mangle filter.
+
+					NOTE: multiple tos= statements may be
+					applied per class and per interface, but
+					a given value/mask pair is valid for only
+					ONE class per interface.
+
+	tos-<tosname>			- aliases for the following TOS octet
+					value and mask encodings.  TOS encodings
+					of the "TOS byte" have been deprecated in
+					favor of diffserve classes, but programs
+					like ssh, rlogin, and ftp still use them.
+
+   					tos-minimize-delay 	 0x10/0x10
+					tos-maximize-throughput	 0x08/0x08
+					tos-maximize-reliability 0x04/0x04
+					tos-minimize-cost	 0x02/0x02
+					tos-normal-service	 0x00/0x1e
+
+	tcp-ack                 	-    defined causes an tc filter to
+					be created that puts all tcp ack
+					packets on that interface that have
+					an size of <=64 Bytes to go in this
+					class. This is useful for speeding up
+					downloads. Please note that the size
+					of the ack packets is limited to 64
+					bytes as some applications (p2p for
+					example) use to make every packet an
+					ack packet which would cause them
+					all into here. We want only packets
+					WITHOUT payload to match, so the size
+					limit.
+
+					NOTE: This option is only valid for
+					ONE class per interface.
+
+    Note that the semantics of 'tos-<tosname>' have changed slightly. Previously,
+    these were tested using a mask of 0xff (example: tos-minimize-delay was
+    equivalent to 0x10/0xff). Now each bit is tested individually.
+
+    This enhancement is courtesy of Paul Traina.
+
2006-01-05 Shorewall 3.0.4
-
Problems Corrected in 3.0.4

1)  The shorewall.conf file is once again "console friendly". Patch is
    courtesy of Tuomo Soini.

2)  A potential security hole has been closed. Previously, Shorewall ACCEPTed
    all traffic from a bridge port that was sent back out on the same port. If
    the port was described in /etc/shorewall/hosts using the wildcard "+" (eg,
    xenbr0:vif+), this could lead to traffic being passed in variance with the
    supplied policies and rules.

3)  Previously, an intra-zone policy of NONE would cause a startup error. That
    problem has been corrected.

4)  When RETAIN_ALIASES=Yes, the script produced by "shorewall save" did not
    add the retained aliases. This means that the following sequence of
    events resulted in missing aliases:

            shorewall start
            shorewall restart
            shorewall save
            reboot
            shorewall -f start (which is the default during boot up)

5)  When a 2.x standard action is invoked with a log level (example
    "AllowPing:info"), logging does not occur.

New Features in 3.0.4

1)  By popular demand, the 'Limit' action described at
    http://www1.shorewall.net/PortKnocking.html#Limit has been made a standard
    action. Limit requires 'recent match' support in your kernel and iptables.

2)  DISABLE_IPV6 no longer disabled local (loopback) IPV6 traffic. This
    change is reported to improve Java startup time on some distributions.

3)  Shorewall now contains support for wildcard ports. In
    /etc/shorewall/hosts, you may specify the port name with trailing "+" then
    use specific port names in rules.

    Example:

    /etc/shorewall/hosts

        vpn      br0:tap+

    /etc/shorewall/hosts

        DROP      vpn:tap0              vpn:tap1          udp    9999

4)  For the benefit of those who run Shorewall on distributions that don't
    autoload kernel modules, /etc/shorewall/modules now contains load commands
    for a wide range of Netfilter modules.
+
Problems Corrected in 3.0.4

1)  The shorewall.conf file is once again "console friendly". Patch is
    courtesy of Tuomo Soini.

2)  A potential security hole has been closed. Previously, Shorewall ACCEPTed
    all traffic from a bridge port that was sent back out on the same port. If
    the port was described in /etc/shorewall/hosts using the wildcard "+" (eg,
    xenbr0:vif+), this could lead to traffic being passed in variance with the
    supplied policies and rules.

3)  Previously, an intra-zone policy of NONE would cause a startup error. That
    problem has been corrected.

4)  When RETAIN_ALIASES=Yes, the script produced by "shorewall save" did not
    add the retained aliases. This means that the following sequence of
    events resulted in missing aliases:

            shorewall start
            shorewall restart
            shorewall save
            reboot
            shorewall -f start (which is the default during boot up)

5)  When a 2.x standard action is invoked with a log level (example
    "AllowPing:info"), logging does not occur.

New Features in 3.0.4

1)  By popular demand, the 'Limit' action described at
    http://www1.shorewall.net/PortKnocking.html#Limit has been made a standard
    action. Limit requires 'recent match' support in your kernel and iptables.

2)  DISABLE_IPV6 no longer disabled local (loopback) IPV6 traffic. This
    change is reported to improve Java startup time on some distributions.

3)  Shorewall now contains support for wildcard ports. In
    /etc/shorewall/hosts, you may specify the port name with trailing "+" then
    use specific port names in rules.

    Example:

    /etc/shorewall/hosts

        vpn      br0:tap+

    /etc/shorewall/rules

        DROP      vpn:tap0              vpn:tap1          udp    9999

4)  For the benefit of those who run Shorewall on distributions that don't
    autoload kernel modules, /etc/shorewall/modules now contains load commands
    for a wide range of Netfilter modules.
2005-12-13 Shorewall 3.0.3
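Review bot: The closing note on the changed 'tos-<tosname>' semantics does not say what happens to a packet with more than one TOS bit set. With the per-bit masks in the table (0x10/0x10, 0x08/0x08, and so on), a TOS byte of 0x18 satisfies both tos-minimize-delay and tos-maximize-throughput, and the "ONE class per interface" rule only covers identical value/mask pairs. The text should state which class wins and present this as an upgrade-relevant behaviour change, because existing tcclasses entries will now match more traffic than they did under the old 0xff mask. The same block has typos to fix before publishing: "expended", "is now may contain a comma-separates list", "classifer", "diffserve", "an tc filter". Separately, the 3.0.4 section is removed and re-added in full, which buries the one visible correction (the second "/etc/shorewall/hosts" heading in the wildcard example becomes "/etc/shorewall/rules"); that fix deserves a line in the commit message.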
diff --git a/Shorewall-Website/Shorewall_index_frame.htm b/Shorewall-Website/Shorewall_index_frame.htm index 18d6830f2..4e0f87062 100644 --- a/Shorewall-Website/Shorewall_index_frame.htm +++ b/Shorewall-Website/Shorewall_index_frame.htm @@ -11,17 +11,17 @@ +Home
+News
+Download
+Installation/Upgrade
+Documentation
+Support
+Mirrors
+
Other +Links
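Review bot: The commit subject "Update Web site for 3.0.5" does not account for the rewrite of the navigation entries (Home through Other Links) in Shorewall_index_frame.htm. If this is only a markup or whitespace cleanup, say so in the message or split it into its own commit so the release update stays easy to audit.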
diff --git a/Shorewall-Website/shorewall_index.htm b/Shorewall-Website/shorewall_index.htm index 1f8f8332b..637725c18 100644 --- a/Shorewall-Website/shorewall_index.htm +++ b/Shorewall-Website/shorewall_index.htm @@ -13,13 +13,13 @@

Shoreline Firewall (Shorewall)

-

The current Stable Version is  3.0.4 -- Get it from the The current Stable Version is  3.0.5 -- Get it from the download sites. Here are the + href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/releasenotes.txt"> release notes and here are the + href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/known_problems.txt"> known problems and + href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/errata/"> updates.

The current Development Version is 3.1.5 -- Get it from the download sites. Here are the GNU Free Documentation License”.

-

2005-02-03

+

2005-02-10


Table of Contents

Introduction
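Review bot: The date line in the last hunk changes "2005-02-03" to "2005-02-10", but the commit is dated 10 Feb 2006 and the News.htm entry added in this same patch reads "2006-02-10", so the year looks like a carried-over typo and should be 2006. In the stable-version paragraph, the release number appears in the sentence text and again in each of the three shorewall-3.0.5 hrefs (releasenotes.txt, known_problems.txt, errata/); check that none was left at 3.0.4, since a stale link would send readers to the previous release's known problems and errata.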