mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-15 12:14:32 +01:00
1d3197e31a
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1854 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
660 lines
27 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8">
<title>Shoreline Firewall (Shorewall) 2.0</title>
<base target="_self">
<meta name="GENERATOR" content="OpenOffice.org 1.1.1 (Linux)">
<meta name="CREATED" content="20040920;15031500">
<meta name="CHANGED" content="20040920;15183300">
</head>
<body dir="ltr" lang="en-US">
<h1>Shorewall 2.x</h1>
<p><b>Tom Eastep</b><br>
<br>
The information on this site applies only to 2.x releases of Shorewall. For older versions:</p>
<ul>
<li>
<p style="margin-bottom: 0in;">The 1.4 site is <a href="http://www.shorewall.net/1.4" target="_top">here.</a></p>
</li>
<li>
<p style="margin-bottom: 0in;">The 1.3 site is <a href="http://www.shorewall.net/1.3" target="_top">here.</a> </p>
</li>
<li>
<p>The 1.2 site is <a href="http://shorewall.net/1.2/" target="_top">here</a>. </p>
</li>
</ul>
<p>The current 2.0 Stable Release is 2.0.13 -- Here are the <a href="http://shorewall.net/pub/shorewall/2.0/shorewall-2.0.13/releasenotes.txt">release notes</a>.<br>
The current Development Release is 2.2.0 RC2 -- Here are the <a href="http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-RC2/releasenotes.txt">release notes</a>.<br>
<br>
Copyright © 2001-2004 Thomas M. Eastep</p>
<p>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “<a href="GnuCopyright.htm" target="_self">GNU Free Documentation License</a>”.</p>
<p>2004-12-24</p>
<hr>
<h3>Table of Contents</h3>
<p style="margin-left: 0.42in; margin-bottom: 0in;"><a href="#Intro">Introduction to Shorewall</a></p>
<p style="margin-left: 0.83in; margin-bottom: 0in;"><a href="#Glossary">Glossary</a><br>
<a href="#WhatIs">What is Shorewall?</a><br>
<a href="#GettingStarted">Getting Started with Shorewall</a><br>
<a href="#Info">Looking for Information?</a><br>
<a href="#Mandrake">Running Shorewall on Mandrake® with a two-interface setup?</a><br>
<a href="#License">License</a></p>
<p style="margin-bottom: 0in; margin-left: 40px;"><a href="#News">News</a></p>
<p style="margin-left: 0.83in; margin-bottom: 0in;"><a href="#2_2_0_RC2">Shorewall 2.2.0 RC2</a><br>
<a href="#2_2_0_RC1">Shorewall 2.2.0 RC1</a><br>
<a href="#2_2_0_Beta8">Shorewall 2.2.0 Beta 8</a><br>
<a href="#2_2_0_Beta7">Shorewall 2.2.0 Beta 7</a><br>
<a href="#2_0_13">Shorewall 2.0.13</a><br>
<a href="#2_0_12">Shorewall 2.0.12</a><br>
<a href="#2_2_0_Beta6">Shorewall 2.2.0 Beta 6</a><br>
<a href="#2_2_0_Beta5">Shorewall 2.2.0 Beta 5</a><br>
<a href="#2_0_11">Shorewall 2.0.11</a><br>
<a href="#2_2_0_Beta4">Shorewall 2.2.0 Beta 4</a><br>
<a href="#2_2_0_Beta3">Shorewall 2.2.0 Beta 3</a><br>
<a href="#2_2_0_Beta2">Shorewall 2.2.0 Beta 2</a><br>
<a href="#2_0_10">Shorewall 2.0.10</a><br>
<a href="#2_2_0_Beta1">Shorewall 2.2.0 Beta 1</a><br>
<br>
</p>
<div style="margin-left: 40px;"><a href="#Leaf">Leaf</a><br>
</div>
<p style="margin-left: 40px;"><a href="#Donations">Donations</a></p>
<h2><a name="Intro"></a>Introduction to Shorewall</h2>
<h3><a name="Glossary"></a>Glossary</h3>
<ul>
<li>
<p style="margin-bottom: 0in;"><a href="http://www.netfilter.org/" target="_top">Netfilter</a> - the packet filter facility built into the 2.4 and later Linux kernels. </p>
</li>
<li>
<p style="margin-bottom: 0in;">ipchains - the packet filter facility built into the 2.2 Linux kernels. Also the name of the utility program used to configure and control that facility. Netfilter can be used in ipchains compatibility mode. </p>
</li>
<li>
<p>iptables - the utility program used to configure and control Netfilter. The term 'iptables' is often used to refer to the combination of iptables+Netfilter (with Netfilter not in ipchains compatibility mode). </p>
</li>
</ul>
<h3><a name="WhatIs"></a>What is Shorewall?</h3>
<p style="margin-left: 0.42in;">The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and, with the help of the iptables utility, configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's <a href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html" target="_top">connection state tracking capabilities</a>.<br>
<br>
Shorewall is <u>not</u> a daemon. Once Shorewall has configured Netfilter, its job is complete. After that, there is no Shorewall code running, although the <a href="starting_and_stopping_shorewall.htm">/sbin/shorewall program can be used at any time to monitor the Netfilter firewall</a>.</p>
<h3><a name="GettingStarted"></a>Getting Started with Shorewall</h3>
<p style="margin-left: 0.42in;">New to Shorewall? Start by selecting the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely matches your environment and follow the step-by-step instructions.</p>
<h3><a name="Info"></a>Looking for Information?</h3>
<p style="margin-left: 0.42in;">The <a href="Documentation_Index.html">Documentation Index</a> is a good place to start, as is the Quick Search in the frame above. </p>
<h3><a name="Mandrake"></a>Running Shorewall on Mandrake® with a two-interface setup?</h3>
<p style="margin-left: 0.42in;">If so, the documentation on this site will not apply directly to your setup. If you want to use the documentation that you find here, you will want to consider uninstalling what you have and installing a setup that matches the documentation on this site. See the <a href="two-interface.htm">Two-interface QuickStart Guide</a> for details.<br>
<br>
<b>Update: </b>I've been informed by Mandrake Development that this problem has been corrected in Mandrake 10.0 Final (the problem still exists in the 10.0 Community release).</p>
<h3><a name="License"></a>License</h3>
<p style="margin-left: 0.42in;">This program is free software; you can redistribute it and/or modify it under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General Public License</a> as published by the Free Software Foundation.</p>
<p style="margin-left: 0.42in;">This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more detail.</p>
<p style="margin-left: 0.42in;">You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<p style="margin-left: 0.42in;">Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". </p>
<hr>
<h2><a name="News"></a>News</h2>
<span style="font-weight: bold;"><a name="2_2_0_RC2"></a>12/19/2004 - Shorewall 2.2.0 RC2<br>
<br>
</span>New Features:<br>
<ol>
<li>By popular demand, the default port for OpenVPN tunnels is now 1194 (the IANA-reserved port number for OpenVPN).</li>
</ol>
<span style="font-weight: bold;"><a name="2_2_0_RC1"></a>12/19/2004 - Shorewall 2.2.0 RC1<br>
<br>
</span>Problems Corrected:<br>
<ol>
<li>The syntax of the add and delete commands has been clarified in the help summary produced by /sbin/shorewall.</li>
</ol>
New Features:<br>
<ol>
<li>TCP OpenVPN tunnels are now supported using the 'openvpn' tunnel type. OpenVPN entries in /etc/shorewall/tunnels have this format:<br>
<br>
openvpn[:{tcp|udp}][:&lt;port&gt;] &lt;zone&gt; &lt;gateway&gt;<br>
<br>
Examples:<br>
<pre> openvpn:tcp          net    1.2.3.4   # TCP tunnel on port 5000
 openvpn:3344         net    1.2.3.4   # UDP on port 3344
 openvpn:tcp:4455     net    1.2.3.4   # TCP on port 4455</pre>
</li>
<li>A new 'ipsecvpn' script is included in the tarball and in the RPM. The RPM installs the file in the Documentation directory (/usr/share/doc/packages/shorewall-2.2.0-0RC1).<br>
<br>
This script is intended for use on Roadwarrior laptops for establishing an IPSEC SA to/from remote networks. The script has some limitations:<br>
<br>
- Only one instance of the script may be used at a time.<br>
- Only the first SPD accessed will be instantiated at the remote gateway. So while the script creates SPDs to/from the remote gateway and each network listed in the NETWORKS setting at the front of the script, only one of these may be used at a time.<br>
</li>
</ol>
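<p>The openvpn tunnel syntax above, parsed as an added example that is not Shorewall's own code: it applies the RC2 default port of 1194, assumes udp when no protocol is given (as the 'openvpn:3344' example implies), and takes a default_port parameter of its own so that the RC1 value of 5000 named in the example comments can be reproduced.</p>

```python
"""Parse 'openvpn' entries in /etc/shorewall/tunnels as documented in the 2.2.0 RC1
and RC2 notes:  openvpn[:{tcp|udp}][:<port>] <zone> <gateway>
Added example, not Shorewall's own code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

RC2_DEFAULT_PORT = 1194   # RC2: the IANA-reserved OpenVPN port is now the default
RC1_DEFAULT_PORT = 5000   # implied by the RC1 example comment "TCP tunnel on port 5000"
DEFAULT_PROTO = "udp"     # assumption: 'openvpn:3344' is documented as UDP, so udp when omitted


@dataclass(frozen=True)
class OpenVpnTunnel:
    proto: str
    port: int
    zone: str
    gateway: ipaddress.IPv4Network   # a single gateway address is stored as a /32


def parse_port(text: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"bad port {text!r}")
    return int(text)


def parse_tunnel_line(line: str, default_port: int = RC2_DEFAULT_PORT) -> Optional[OpenVpnTunnel]:
    """Return the tunnel for an openvpn entry; None for blank, comment or other tunnel types.
    Only the three-column TYPE ZONE GATEWAY form shown in the note is handled."""
    text = line.split("#", 1)[0].strip()          # drop trailing comments
    if not text:
        return None
    fields = text.split()
    if len(fields) != 3:
        raise ValueError(f"expected TYPE ZONE GATEWAY, got {line!r}")
    tunnel_type, zone, gateway = fields
    kind, *options = tunnel_type.split(":")
    if kind != "openvpn":
        return None                                # ipsec, gre, pptpserver, ... not handled here
    proto, port = DEFAULT_PROTO, default_port
    if options and options[0] in ("tcp", "udp"):   # the optional protocol comes first
        proto = options.pop(0)
    if options:                                    # then the optional port
        port = parse_port(options.pop(0))
    if options:                                    # e.g. 'openvpn:4455:tcp' breaks the documented order
        raise ValueError(f"malformed tunnel type {tunnel_type!r}")
    return OpenVpnTunnel(proto, port, zone, ipaddress.IPv4Network(gateway, strict=False))


def parse_tunnels(text: str, default_port: int = RC2_DEFAULT_PORT) -> List[OpenVpnTunnel]:
    """All openvpn tunnels in a tunnels file body, in file order."""
    tunnels = (parse_tunnel_line(line, default_port) for line in text.splitlines())
    return [t for t in tunnels if t is not None]


def is_valid_tunnel_line(line: str) -> bool:
    """True when the line parses (openvpn entry, comment, blank, or another tunnel type)."""
    try:
        parse_tunnel_line(line)
        return True
    except ValueError:
        return False


# Constructed sample: the three entries from the RC1 note; the header comment is ours.
SAMPLE_TUNNELS = """\
#TYPE                ZONE    GATEWAY
openvpn:tcp          net     1.2.3.4    # TCP tunnel on the default port
openvpn:3344         net     1.2.3.4    # UDP on port 3344
openvpn:tcp:4455     net     1.2.3.4    # TCP on port 4455
"""
```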
<span style="font-weight: bold;"><a name="2_2_0_Beta8"></a>12/11/2004 - Shorewall 2.2.0 Beta 8<br>
<br>
</span>Problems Corrected:<br>
<ol>
<li>A typo in the /etc/shorewall/interfaces file has been corrected.</li>
<li>Previously, the "add" and "delete" commands were generating incorrect policy matches when policy match support was available.</li>
</ol>
New Features:<br>
<ol>
<li>Recent 2.6 kernels include code that evaluates TCP packets based on TCP Window analysis. This can cause packets that were previously classified as NEW or ESTABLISHED to be classified as INVALID.<br>
<br>
The new kernel code can be disabled by including this command in your /etc/shorewall/init file:<br>
<br>
echo 1 &gt; /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal<br>
<br>
Additional kernel logging about INVALID TCP packets may be obtained by adding this command to /etc/shorewall/init:<br>
<br>
echo 1 &gt; /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid<br>
<br>
Traditionally, Shorewall has dropped INVALID TCP packets early. The new DROPINVALID option allows INVALID packets to be passed through the normal rules chains by setting DROPINVALID=No.<br>
<br>
If not specified or if specified as empty (e.g., DROPINVALID="") then DROPINVALID=Yes is assumed.<br>
<br>
</li>
<li>The "shorewall add" and "shorewall delete" commands now accept a list of hosts to add or delete.<br>
<br>
Examples:<br>
<br>
shorewall add eth1:1.2.3.4 eth1:2.3.4.5 z12<br>
shorewall delete eth1:1.2.3.4 eth1:2.3.4.5 z12<br>
<br>
The above commands may also be written:<br>
<br>
shorewall add eth1:1.2.3.4,2.3.4.5 z12<br>
shorewall delete eth1:1.2.3.4,2.3.4.5 z12<br>
<br>
</li>
</ol>
<span style="font-weight: bold;"><a name="2_2_0_Beta7"></a>12/04/2004 - Shorewall 2.2.0 Beta 7<br>
</span><br>
Problems Corrected:<br>
<ol>
<li>The "shorewall add" and "shorewall delete" commands now work in a bridged environment. The syntax is:<br>
<br>
shorewall add &lt;interface&gt;[:&lt;port&gt;]:&lt;address&gt; &lt;zone&gt;<br>
shorewall delete &lt;interface&gt;[:&lt;port&gt;]:&lt;address&gt; &lt;zone&gt;<br>
<br>
Examples:<br>
<br>
shorewall add br0:eth2:192.168.1.3 OK<br>
shorewall delete br0:eth2:192.168.1.3 OK<br>
<br>
</li>
<li>Previously, "shorewall save" created an out-of-sequence restore script. The commands saved in the user's /etc/shorewall/start script were executed prior to the Netfilter configuration being restored. This has been corrected so that "shorewall save" now places those commands at the end of the script.<br>
<br>
To accomplish this change, the "restore base" file (/var/lib/shorewall/restore-base) has been split into two files:<br>
<br>
/var/lib/shorewall/restore-base -- commands to be executed before the Netfilter configuration is restored.<br>
<br>
/var/lib/shorewall/restore-tail -- commands to be executed after the Netfilter configuration is restored.<br>
<br>
</li>
<li>Previously, traffic from the firewall to a dynamic zone member host did not need to match the interface specified when the host was added to the zone. For example, if eth0:1.2.3.4 was added to dynamic zone Z then traffic out of any firewall interface to 1.2.3.4 would obey the fw-&gt;Z policies and rules. This has been corrected.</li>
<li>Shorewall uses the temporary chain 'fooX1234' to probe iptables for determining which features are supported. Previously, if that chain happened to exist when Shorewall was run, capabilities were mis-detected.</li>
</ol>
New Features:<br>
<ol>
<li>You can now use the "shorewall show zones" command to display the current contents of the zones. This is particularly useful if you use dynamic zones (DYNAMIC_ZONES=Yes in shorewall.conf).<br>
<br>
Example:<br>
<pre>ursa:/etc/shorewall # shorewall show zones
Shorewall-2.2.0-Beta7 Zones at ursa - Sat Nov 27 11:18:25 PST 2004

loc
   eth0:192.168.1.0/24
   eth1:1.2.3.4
net
   eth0:0.0.0.0/0
WiFi
   eth1:0.0.0.0/0
sec
   eth1:0.0.0.0/0

ursa:/etc/shorewall #</pre>
</li>
<li>Variable expansion may now be used with the INCLUDE directive.<br>
<br>
Example:<br>
<br>
/etc/shorewall/params<br>
<pre>   FILE=/etc/foo/bar</pre>
Any other config file:<br>
<pre>   INCLUDE $FILE</pre>
</li>
<li>The output of "shorewall status" now includes the results of "ip -stat link ls". This helps diagnose performance problems caused by link errors.</li>
<li>Previously, when rate-limiting was specified in /etc/shorewall/policy (LIMIT:BURST column), any traffic which exceeded the specified rate was silently dropped. Now, if a log level is given in the entry (LEVEL column) then drops are logged at that level at a rate of 5/min with a burst of 5.<br>
</li>
</ol>
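<p>The add/delete host syntax (Beta 8 comma lists, Beta 7 bridged members) and the "shorewall show zones" output above, handled by an added example that is not Shorewall's own code: it expands comma lists, parses br0:eth2:address members, reads the show zones listing, and checks firewall-originated traffic against both interface and address as the Beta 7 correction requires. The function names and the simple interface-plus-address match are this example's own assumptions, not Shorewall's implementation.</p>

```python
"""Dynamic-zone host specifications: the <interface>[:<bridge port>]:<address> form
taken by 'shorewall add' / 'shorewall delete' (Beta 7 and Beta 8 notes) and the member
lines printed by 'shorewall show zones'. Added example, not Shorewall's own code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ZoneHost:
    """One member of a (dynamic) zone."""
    interface: str
    bridge_port: Optional[str]       # only in bridged setups, e.g. br0:eth2:192.168.1.3
    network: ipaddress.IPv4Network   # a single host address is stored as a /32


def parse_host_spec(spec: str) -> List[ZoneHost]:
    """Expand one spec such as 'eth1:1.2.3.4,2.3.4.5' or 'br0:eth2:192.168.1.3'.
    The comma list is the Beta 8 shorthand for several specs on one interface."""
    parts = spec.split(":")
    if len(parts) == 2:
        interface, bridge_port, addresses = parts[0], None, parts[1]
    elif len(parts) == 3:
        interface, bridge_port, addresses = parts
    else:
        raise ValueError(f"{spec!r}: expected <interface>[:<bridge port>]:<address>")
    if not interface or bridge_port == "":
        raise ValueError(f"{spec!r}: empty interface or bridge port name")
    # strict=False accepts host addresses as well as wide members such as 0.0.0.0/0;
    # an empty or malformed address raises ValueError.
    return [ZoneHost(interface, bridge_port, ipaddress.IPv4Network(addr, strict=False))
            for addr in addresses.split(",")]


def parse_add_delete(args: List[str]) -> Tuple[str, List[ZoneHost]]:
    """Arguments after 'shorewall add' or 'shorewall delete': host specs, then the zone."""
    if len(args) < 2:
        raise ValueError("need at least one host spec followed by a zone name")
    *specs, zone = args
    hosts: List[ZoneHost] = []
    for spec in specs:
        hosts.extend(parse_host_spec(spec))
    return zone, hosts


def parse_show_zones(output: str) -> Dict[str, List[ZoneHost]]:
    """Parse 'shorewall show zones' output: an unindented zone name, then indented
    member lines. Blank lines and the multi-word header line are skipped."""
    zones: Dict[str, List[ZoneHost]] = {}
    current: Optional[str] = None
    for raw in output.splitlines():
        tokens = raw.split()
        if len(tokens) != 1:
            continue
        if raw[0].isspace():          # indented: a member of the current zone
            if current is None:
                raise ValueError(f"member {tokens[0]!r} appears before any zone name")
            zones[current].extend(parse_host_spec(tokens[0]))
        else:                         # a new zone name
            current = tokens[0]
            zones[current] = []
    return zones


def zones_for_fw_traffic(zones: Dict[str, List[ZoneHost]],
                         out_interface: str, destination: str) -> List[str]:
    """Zones whose fw->zone policy can apply to traffic the firewall itself sends.
    Per the Beta 7 correction a member matches only when the outgoing interface
    matches as well as the address; precedence among matches is not modelled."""
    dst = ipaddress.IPv4Address(destination)
    return [zone for zone, members in zones.items()
            if any(m.interface == out_interface and dst in m.network for m in members)]


# Constructed sample: the 'shorewall show zones' output from the Beta 7 note,
# with the shell prompt lines left out.
SAMPLE_SHOW_ZONES = """\
Shorewall-2.2.0-Beta7 Zones at ursa - Sat Nov 27 11:18:25 PST 2004

loc
   eth0:192.168.1.0/24
   eth1:1.2.3.4
net
   eth0:0.0.0.0/0
WiFi
   eth1:0.0.0.0/0
sec
   eth1:0.0.0.0/0
"""
```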
<span style="font-weight: bold;"><a name="2_0_13"></a>12/02/2004 - Shorewall 2.0.13<br>
<br>
</span>Problems Corrected:<br>
<ol>
<li>A typo in /usr/share/shorewall/firewall caused the "shorewall add" command to issue an error message:<br>
<pre class="programlisting">/usr/share/shorewall/firewall: line 1: match_destination_hosts: command not found</pre>
</li>
</ol>
<span style="font-weight: bold;"><a name="2_0_12"></a>12/01/2004 - Shorewall 2.0.12<br>
</span><br>
Problems Corrected:<br>
<ol>
<li>A typo in shorewall.conf (NETNOTSYN) has been corrected.</li>
<li>The "shorewall add" and "shorewall delete" commands now work in a bridged environment. The syntax is:<br>
<br>
shorewall add &lt;interface&gt;[:&lt;bridge port&gt;][:&lt;address&gt;] &lt;zone&gt;<br>
shorewall delete &lt;interface&gt;[:&lt;bridge port&gt;][:&lt;address&gt;] &lt;zone&gt;<br>
<br>
Examples:<br>
<br>
shorewall add br0:eth2:192.168.1.3 OK<br>
shorewall delete br0:eth2:192.168.1.3 OK<br>
<br>
</li>
<li>Previously, "shorewall save" created an out-of-sequence restore script. The commands saved in the user's /etc/shorewall/start script were executed prior to the Netfilter configuration being restored. This has been corrected so that "shorewall save" now places those commands at the end of the script.<br>
<br>
To accomplish this change, the "restore base" file (/var/lib/shorewall/restore-base) has been split into two files:<br>
<br>
/var/lib/shorewall/restore-base -- commands to be executed before the Netfilter configuration is restored.<br>
<br>
/var/lib/shorewall/restore-tail -- commands to be executed after the Netfilter configuration is restored.<br>
<br>
</li>
<li>Previously, traffic from the firewall to a dynamic zone member host did not need to match the interface specified when the host was added to the zone. For example, if eth0:1.2.3.4 was added to dynamic zone Z then traffic out of any firewall interface to 1.2.3.4 would obey the fw-&gt;Z policies and rules. This has been corrected.</li>
</ol>
New Features:<br>
<ol>
<li>Variable expansion may now be used with the INCLUDE directive.<br>
<br>
Example:<br>
<br>
/etc/shorewall/params<br>
<pre>   FILE=/etc/foo/bar</pre>
Any other config file:<br>
<pre>   INCLUDE $FILE</pre>
</li>
</ol>
<span style="font-weight: bold;"><a name="2_2_0_Beta6"></a>11/26/2004 - Shorewall 2.2.0 Beta 6<br>
<br>
</span>Beta 5 was more or less DOA. Here's Beta 6.<br>
<br>
Problems Corrected:<br>
<ol>
<li>Fixed a number of problems associated with not having an IPTABLES value assigned in shorewall.conf.</li>
<li>Corrected a 'duplicate chain' error on "shorewall add" when the 'mss' option is present in /etc/shorewall/ipsec.<br>
</li>
</ol>
<span style="font-weight: bold;"><a name="2_2_0_Beta5"></a>11/26/2004 - Shorewall 2.2.0 Beta 5<br>
</span><br>
Problems corrected:<br>
<ol>
<li>A typo in shorewall.conf (NETNOTSYN) has been corrected.</li>
</ol>
New Features:<br>
<ol>
<li>For consistency, the CLIENT PORT(S) column in the tcrules file has been renamed SOURCE PORT(S).</li>
<li>The contents of /proc/sys/net/ipv4/icmp_echo_ignore_all is now shown in the output of "shorewall status".</li>
<li>A new IPTABLES option has been added to shorewall.conf. IPTABLES can be used to designate the iptables executable to be used by Shorewall. If not specified, the iptables executable determined by the PATH setting is used.<br>
</li>
</ol>
<span style="font-weight: bold;"><a name="2_0_11"></a>11/23/2004 - Shorewall 2.0.11<br>
</span><br>
Problems corrected:<br>
<ol>
<li>The INSTALL file now includes special instructions for Slackware users.</li>
<li>The bogons file has been updated.</li>
<li>Service names are replaced by port numbers in /etc/shorewall/tos.</li>
<li>A typo in the install.sh file that caused an error during a new install has been corrected.</li>
</ol>
New Features:<br>
<ol>
<li>The AllowNNTP action now allows NNTP over SSL/TLS (NNTPS).<br>
</li>
</ol>
<span style="font-weight: bold;"><a name="2_2_0_Beta4"></a>11/19/2004 - Shorewall 2.2.0 Beta 4<br>
</span><br>
Problems Corrected:<br>
<ol>
<li>A cut and paste error resulted in some nonsense in the description of the IPSEC column in /etc/shorewall/masq.</li>
<li>A typo in /etc/shorewall/rules has been corrected.</li>
<li>The bogons file has been updated.</li>
<li>The "shorewall add" command previously reported success but did nothing -- now it works.</li>
</ol>
New Features:<br>
<ol>
<li>The AllowNNTP action now allows NNTP over SSL/TLS (NNTPS).<br>
</li>
</ol>
<span style="font-weight: bold;"><a name="2_2_0_Beta3"></a>11/09/2004 - Shorewall 2.2.0 Beta 3<br>
</span><br>
Problems Corrected:<br>
<ol>
<li>Missing '#' in the rfc1918 file has been corrected.</li>
<li>The INSTALL file now includes special instructions for Slackware users.</li>
</ol>
New Features:<br>
<ol>
<li>In CLASSIFY rules (/etc/shorewall/tcrules), an interface name may now appear in the DEST column as in:<br>
<pre> #MARK/      SOURCE    DEST    PROTO    PORT(S)
 #CLASSIFY
 1:30        -         eth0    tcp      25</pre>
</li>
</ol>
<span style="font-weight: bold;"><a name="2_2_0_Beta2"></a>11/02/2004 - Shorewall 2.2.0 Beta 2<br>
<br>
</span>Problems Corrected:<br>
<ol>
<li>The "shorewall check" command results in the (harmless) error message:<br>
<pre>/usr/share/shorewall/firewall: line 2753: check_dupliate_zones: command not found</pre>
</li>
<li>The AllowNTP standard action now allows outgoing responses to broadcasts.</li>
<li>A clarification has been added to the hosts file's description of the 'ipsec' option pointing out that the option is redundant if the zone named in the ZONE column has been designated an IPSEC zone in the /etc/shorewall/ipsec file.</li>
</ol>
New Features:<br>
<ol>
<li>The SUBNET column in /etc/shorewall/rfc1918 has been renamed SUBNETS and it is now possible to specify a list of addresses in that column.<br>
</li>
</ol>
<span style="font-weight: bold;"><a name="2_0_10"></a>10/25/2004 - Shorewall 2.0.10<br>
</span><br>
Problems Corrected:<br>
<ol>
<li>The GATEWAY column was previously ignored in 'pptpserver' entries in /etc/shorewall/tunnels.</li>
<li>When log rule numbers are included in the LOGFORMAT, duplicate rule numbers could previously be generated.</li>
<li>The /etc/shorewall/tcrules file now includes a note to the effect that rule evaluation continues after a match.</li>
<li>The error message produced if Shorewall couldn't obtain the routes through an interface named in the SUBNET column of /etc/shorewall/masq was less than helpful since it didn't include the interface name.<br>
</li>
</ol>
New Features:<br>
<ol>
<li>The "shorewall status" command has been enhanced to include the values of key /proc settings:<br>
<br>
Example from a two-interface firewall:<br>
<pre>/proc

/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0</pre>
</li>
</ol>
<br>
<span style="font-weight: bold;"><a name="2_2_0_Beta1"></a>10/24/2004 - Shorewall 2.2.0 Beta 1<br>
<br>
</span>The first beta in the 2.2 series is now available. Download location is:<br>
<br>
<div style="margin-left: 40px;"><a href="http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1">http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1</a><br>
<a target="_top" href="ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1">ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1</a><br>
</div>
<p>The features available in this release and the migration considerations are covered in the <a href="http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1/releasenotes.txt">release notes</a>. Highlights include:<br>
</p>
<ol>
<li>The behavior produced by specifying a log level in an action invocation is now much more rational. Previously, all packets sent to the action were logged; now each rule within the invoked action behaves as if logging had been specified on it.</li>
<li>Support for the 2.6 Kernel's native IPSEC implementation is now available.</li>
<li>Support for ipp2p is included.</li>
<li>Support for the iptables CONNMARK facility is now included in Shorewall.</li>
<li>A new LOGALLNEW option facilitates problem analysis.</li>
<li>Users with a large static blacklist can now defer loading the blacklist until after the rest of the ruleset has been enabled. Doing so can substantially decrease the amount of time that connections are disabled during <span style="font-weight: bold;">shorewall [re]start</span>.</li>
<li>Support for the iptables 'iprange match' feature has been enabled. Users whose kernel and iptables contain this feature can use IP address ranges in most places in their Shorewall configuration where a CIDR network can be used.</li>
<li>Acceptance of source routing and martian logging may now be enabled/disabled on each interface.</li>
<li>Shorewall now supports the CLASSIFY iptables target.</li>
</ol>
<p><a href="News.htm">More News</a></p>
<hr>
<h2><a name="Leaf"></a>Leaf</h2>
<p><a href="http://leaf.sourceforge.net/" target="_top"><font color="#000000"><img src="images/leaflogo.gif" name="Graphic1" alt="(Leaf Logo)" align="bottom" border="1" height="39" width="52"></font></a> LEAF is an open source project which provides a Firewall/router on a floppy, CD or CF. Several LEAF distributions including Bering and Bering-uClibc use Shorewall as their Netfilter configuration tool.</p>
<hr>
<h2><a name="Donations"></a>Donations</h2>
<p align="left"><a href="http://www.alz.org/" target="_top"><font color="#000000"><img src="images/alz_logo2.gif" name="Graphic2" alt="(Alzheimer's Association Logo)" align="right" border="1" height="63" width="303"></font></a><a href="http://www.starlight.org/" target="_top"><font color="#000000"><img src="images/newlog.gif" name="Graphic3" alt="(Starlight Foundation Logo)" align="right" border="1" height="105" width="62"></font></a><font size="4">Shorewall is free but if you try it and find it useful, please consider making a donation to the <a href="http://www.alz.org/" target="_top">Alzheimer's Association</a> or to the <a href="http://www.starlight.org/" target="_top">Starlight Children's Foundation</a>.</font></p>
<p align="left"><font size="4">Thanks</font></p>
<p align="left"><br>
<br>
</p>
</body>
</html>