shorewall_code/Shorewall2/releasenotes.txt
2004-05-27 18:18:41 +00:00

85 lines
3.0 KiB
Plaintext
Executable File

Shorewall 2.0.3 Beta 1
----------------------------------------------------------------------
Problems Corrected since 2.0.2
1) The 'firewall' script is not purging temporary restore files in
/var/lib/shorewall. These files have names of the form
"restore-nnnnn".
2) The /var/lib/shorewall/restore script did not load the kernel
modules specified in /etc/shorewall/modules.
3) Specifying a null common action in /etc/shorewall/actions (e.g.,
:REJECT) results in a startup error.
4) If /var/lib/shorewall does not exist, shorewall start fails.
5) DNAT rules with a dynamic source zone don't work properly. When
used, these rules cause the rule to be checked against ALL input,
not just input from the designated zone.
6) The install.sh script reported installing some files in
/etc/shorewall when the files were actually installed in
/usr/share/shorewall.
-----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
1) The 'dropNonSyn' standard builtin action has been replaced with the
'dropNotSyn' standard builtin action. The old name can still be used
but will generate a warning.
2) To lay the groundwork for eventual removal of NEWNOTSYN from
shorewall.conf and removal of the 'newnotsyn' interface option,
several new standard builtin actions have been defined. See New
Feature 3 below.
-----------------------------------------------------------------------
New Features:
1) "!" is now allowed in accounting rules.
2) Interface names appearing within the configuration are now
verified. Interface names must match the name of an entry in
/etc/shorewall/interfaces (or if bridging is enabled, they must
match the name of an entry in /etc/shorewall/interfaces or the name
of a bridge port appearing in /etc/shorewall/hosts).
3) A new 'rejectNonSyn' built-in standard action has been added. This
action responds to "New not SYN" packets with an RST.
The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
action. The old name will be accepted until the next major release
of Shorewall but will generate a warning.
Several new logging actions involving "New not SYN" packets have
been added:
logNewNotSyn -- logs the packet with disposition = LOG
dLogNewNotSyn -- logs the packet with disposition = DROP
rLogNewNotSyn -- logs the packet with disposition = REJECT
The packets are logged at the log level specified in the
LOGNEWNOTSYN option in shorewall.conf. If than option is empty or
not specified, then 'info' is assumed.
Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):
A: To simulate the behavior of NEWNOTSYN=No:
a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
b) Create /etc/shorewall/action.NoNewNotSyn containing:
dLogNotSyn
dropNotSyn
c) Early in your rules file, place:
NoNewNotSyn all all tcp
B: Drop 'New not SYN' packets from the net only. Don't log them.
a) Early in your rules file, place:
dropNotSyn net all tcp