mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-25 07:38:57 +01:00
8d5387466c
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1953 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
223 lines
5.0 KiB
Plaintext
223 lines
5.0 KiB
Plaintext
Changes in 2.2.1
|
|
|
|
1) Add examples to the zones and policy files.
|
|
|
|
2) Simon Matter's patch for umask.
|
|
|
|
Changes since 2.0.3
|
|
|
|
1) Fix security vulnerability involving temporary files/directories.
|
|
|
|
2) Hack security fix so that it works under Slackware.
|
|
|
|
3) Correct mktempfile() for case where mktemp isn't installed.
|
|
|
|
4) Implement 'dropInvalid' builtin action.
|
|
|
|
5) Fix logging nat rules.
|
|
|
|
6) Fix COMMAND typos.
|
|
|
|
7) Add PKTTYPE option.
|
|
|
|
8) Enhancements to /etc/shorewall/masq
|
|
|
|
8) Allow overriding ADD_IP_ALIASES=Yes
|
|
|
|
9) Fix syntax error in setup_nat()
|
|
|
|
10) Port "shorewall status" changes from 2.0.7.
|
|
|
|
11) All config files are now empty.
|
|
|
|
12) Port blacklisting fix from 2.0.7
|
|
|
|
13) Pass rule chain and display chain separately to log_rule_limit.
|
|
Prep work for action logging.
|
|
|
|
14) Show the iptables/ip/tc command that failed when failure is fatal.
|
|
|
|
15) Implement STARTUP_ENABLED.
|
|
|
|
16) Added DNAT ONLY column to /etc/shorewall/nat.
|
|
|
|
17) Removed SNAT from ORIGINAL DESTINATION column.
|
|
|
|
18) Removed DNAT ONLY column.
|
|
|
|
19) Added IPSEC column to /etc/shorewall/masq.
|
|
|
|
20) No longer enforce source port 500 for ISAKMP.
|
|
|
|
21) Apply policy to interface/host options.
|
|
|
|
22) Fix policy and maclist.
|
|
|
|
23) Implement additional IPSEC options for zones and masq entries.
|
|
|
|
24) Deprecate the -c option in /sbin/shorewall.
|
|
|
|
25) Allow distinct input and output IPSEC parameters.
|
|
|
|
26) Allow source port remapping in /etc/shorewall/masq.
|
|
|
|
27) Include params file on 'restore'
|
|
|
|
28) Apply Richard Musil's patch.
|
|
|
|
29) Correct parsing of PROTO column in setup_tc1().
|
|
|
|
30) Verify Physdev match if BRIDGING=Yes
|
|
|
|
31) Don't NAT tunnel traffic.
|
|
|
|
32) Fix shorewall.spec to run chkconfig/insserv after initial install.
|
|
|
|
33) Add iprange support.
|
|
|
|
34) Add CLASSIFY support.
|
|
|
|
35) Fix iprange support so that ranges in both source and destination
|
|
work.
|
|
|
|
36) Remove logunclean and dropunclean
|
|
|
|
37) Fixed proxy arp flag setting for complex configurations.
|
|
|
|
38) Added RETAIN_ALIASES option.
|
|
|
|
39) Relax OpenVPN source port restrictions.
|
|
|
|
40) Implement DELAYBLACKLISTLOAD.
|
|
|
|
41) Avoid double-setting proxy arp flags.
|
|
|
|
42) Fix DELAYBLACKLISTLOAD=No.
|
|
|
|
43) Merge 'brctl show' change from 2.0.9.
|
|
|
|
44) Implememt LOGTAGONLY.
|
|
|
|
45) Merge 'tcrules' clarification from 2.0.10.
|
|
|
|
46) Implement 'sourceroute' interface option.
|
|
|
|
47) Add 'AllowICMPs' action.
|
|
|
|
48) Changed 'activate_rules' such that traffic from IPSEC hosts gets
|
|
handled before traffic from non-IPSEC zones.
|
|
|
|
49) Correct logmartians handling.
|
|
|
|
50) Add a clarification and fix a typo in the blacklist file.
|
|
|
|
51) Allow setting a specify MSS value.
|
|
|
|
52) Detect duplicate zone names.
|
|
|
|
53) Add mss=<number> option to the ipsec file.
|
|
|
|
54) Added CONNMARK/ipp2p support.
|
|
|
|
55) Added LOGALLNEW support.
|
|
|
|
56) Fix typo in check_config()
|
|
|
|
57) Allow outgoing NTP responses in action.AllowNTP.
|
|
|
|
58) Clarification of the 'ipsec' hosts file option.
|
|
|
|
59) Allow list in the SUBNET column of the rfc1918 file.
|
|
|
|
60) Restore missing '#' in the rfc1918 file.
|
|
|
|
61) Add note for Slackware users to INSTALL.
|
|
|
|
62) Allow interface in DEST tcrules column.
|
|
|
|
63) Remove 'ipt_unclean' from search expression in "log" commands.
|
|
|
|
64) Remove nonsense from IPSEC description in masq file.
|
|
|
|
65) Correct typo in rules file.
|
|
|
|
66) Update bogons file.
|
|
|
|
67) Add a rule for NNTPS to action.AllowNNTP
|
|
|
|
68) Fix "shorewall add"
|
|
|
|
69) Change CLIENT PORT(S) to SOURCE PORT(S) in tcrules file.
|
|
|
|
70) Correct typo in shorewall.conf.
|
|
|
|
71) Add the 'icmp_echo_ignore_all' file to the /proc display.
|
|
|
|
72) Apply Tuomas Jormola's IPTABLES patch.
|
|
|
|
73) Fixed some bugs in Tuomas's patch.
|
|
|
|
74) Correct bug in "shorewall add"
|
|
|
|
75) Correct bridge handling in "shorewall add" and "shorewall delete"
|
|
|
|
76) Add "shorewall show zones"
|
|
|
|
77) Remove dependency of "show zones" on dynamic zones.
|
|
|
|
78) Implement variable expansion in INCLUDE directives
|
|
|
|
79) More fixes for "shorewall delete" with bridging.
|
|
|
|
80) Split restore-base into two files.
|
|
|
|
81) Correct OUTPUT handling of dynamic zones.
|
|
|
|
83) Add adapter statistics to the output of "shorewall status".
|
|
|
|
84) Log drops due to policy rate limiting.
|
|
|
|
85) Continue determining capabilities when fooX1234 already exists.
|
|
|
|
86) Corrected typo in interfaces file.
|
|
|
|
87) Add DROPINVALID option.
|
|
|
|
88) Allow list of hosts in add and delete commands. Fix ipsec problem
|
|
with "add" and "delete"
|
|
|
|
89) Clarify add/delete syntax in /sbin/shorewall usage summary.
|
|
|
|
90) Implement OpenVPN TCP support.
|
|
|
|
91) Simplify the absurdly over-engineered code that restores the
|
|
dynamic chain.
|
|
|
|
92) Add OPENVPNPORT option.
|
|
|
|
93) Remove OPENVPNPORT option and change default port to 1194.
|
|
|
|
94) Avoid shell error during "shorewall stop/clear"
|
|
|
|
95) Change encryption to blowfish in 'ipsecvpn' script.
|
|
|
|
96) Correct rate limiting rule example.
|
|
|
|
97) Fix <if>:: handling in setup_masq().
|
|
|
|
98) Fix mis-leading typo in tunnels.
|
|
|
|
99) Fix brain-dead ipsec option handling in setup_masq().
|
|
|
|
100) Reconcile ipsec masq file implementation with the documentation.
|
|
|
|
101) Add netfilter module display to status output.
|
|
|
|
102) Add 'allowInvalid' builtin action.
|
|
|
|
103) Expand range of Traceroute ports.
|
|
|
|
102) Correct uninitialized variable in setup_ecn()
|
|
|
|
103) Allow DHCP to be IPSEC-encrypted.
|