extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-19 11:11:22 +01:00
Code Issues Packages Projects Releases Wiki Activity
3d9d913b4b
shorewall_code/Shorewall/releasenotes.txt
teastep 4c08cc4780 ADMINISABSENTMINDED Option 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@681 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-07-29 23:04:04 +00:00

80 lines
2.8 KiB
Plaintext
Executable File
Raw Blame History

This is a minor release of Shorewall.
Problems Corrected since version 1.4.6:
1) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was
being tested before it was set.
2) Corrected handling of MAC addresses in the SOURCE column of the
tcrules file. Previously, these addresses resulted in an invalid
iptables command.
Migration Issues:
1) Once you have installed this version of Shorewall, you must
restart Shorewall before you may use the 'drop', 'reject', 'allow'
or 'save' commands.
2) To maintain strict compatibility with previous versions, current
uses of "shorewall drop" and "shorewall reject" should be replaced
with "shorewall dropall" and "shorewall rejectall".
New Features:
1) Shorewall now creates a dynamic blacklisting chain for each interface
defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
commands use the routing table to determine which of these chains is
to be used for blacklisting the specified IP address(es).
Two new commands ('dropall' and 'rejectall') have been introduced
that do what 'drop' and 'reject' used to do; namely, when an address
is blacklisted using these new commands, it will be blacklisted on
all of your firewall's interfaces.
2) Thanks to Steve Herber, the help command can now give
command-specific help.
3) The "shorewall stop" command is now disabled when
/etc/shorewall/startup_disabled exists. This prevents people from
shooting themselves in the foot prior to having configured
Shorewall.
4) A new option "ADMINISABSENTMINDED" has been added to
/etc/shorewall/shorewall.conf. This option has a default value of
"No" in which case Shorewall's 'stopped' state continues as it has
been; namely, in the stopped state only traffic to/from hosts listed
in /etc/shorewall/routestopped is accepted.
With ADMINISABSENTMINDED=Yes, in addition to traffic to/from the
hosts listed in /etc/shorewall/routestopped, Shorewall will allow:
a) All traffic originating from the firewall itself; and
b) All traffic that is part of or related to an already-existing
connection.
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
entered through an ssh session will not kill the session.
Note though that it is still possible for people to shoot themselves
in the foot.
Example:
/etc/shorewall/nat:
206.124.146.178 eth0:0 192.168.1.5
/etc/shorewall/rules:
ACCEPT net loc:192.168.1.5 tcp 22
ACCEPT loc fw tcp 22
I ssh into 206.124.146.178 which establishes an SSH connection with
192.168.1.5. I then create a second SSH connection from that
computer to the firewall and confidently type "shorewall
stop". As part of stopping, Shorewall removes eth0:0 which kills my
SSH connection to 192.168.1.5!!!
Reference in New Issue View Git Blame Copy Permalink