mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-28 10:33:21 +01:00
fc3b04183d
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@198 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
1004 lines
51 KiB
HTML
1004 lines
51 KiB
HTML
<html>
|
||
|
||
<head>
|
||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||
<title>Shorewall News</title>
|
||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||
<meta name="Microsoft Theme" content="none">
|
||
</head>
|
||
|
||
<body>
|
||
|
||
<h1 align="center">Shorewall News Archive</h1>
|
||
|
||
<p><b>8/13/2002 - Documentation in the <a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></b></p>
|
||
|
||
<p>The Shorewall-docs project now contains just the HTML and image files - the
|
||
Frontpage files have been removed.</p>
|
||
|
||
<p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></b></p>
|
||
|
||
<p>This branch will only be updated after I release a new version of Shorewall
|
||
so you can always update from this branch to get the latest stable tree.</p>
|
||
|
||
<p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section added
|
||
to the <a href="errata.htm">Errata Page</a></b></p>
|
||
|
||
<p>Now there is one place to go to look for issues involved with upgrading to
|
||
recent versions of Shorewall.</p>
|
||
|
||
<p><b>8/7/2002 - Shorewall 1.3.6</b></p>
|
||
|
||
<p>This is primarily a bug-fix rollup with a couple of new features:</p>
|
||
|
||
<ul>
|
||
<li>The latest <a href="shorewall_quickstart_guide.htm">QuickStart Guides </a>
|
||
including the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></li>
|
||
<li>Shorewall will now DROP TCP packets that are not part of or
|
||
related to an existing connection and that are not SYN packets. These "New
|
||
not SYN" packets may be optionally logged by setting the LOGNEWNOTSYN option
|
||
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
|
||
<li>The processing of "New not SYN" packets may be extended by commands in
|
||
the new <a href="shorewall_extension_scripts.htm">newnotsyn extension script</a>.</li>
|
||
</ul>
|
||
|
||
<p><b>7/30/2002 - Shorewall 1.3.5b Released</b></p>
|
||
|
||
<p>This interim release:</p>
|
||
|
||
<ul>
|
||
<li>Causes the firewall script to remove the lock file if it is killed.</li>
|
||
<li>Once again allows lists in the second column of the
|
||
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file.</li>
|
||
<li>Includes the latest <a href="shorewall_quickstart_guide.htm">QuickStart
|
||
Guides</a>.</li>
|
||
</ul>
|
||
|
||
<p><b>7/29/2002 - New Shorewall Setup Guide Available</b></p>
|
||
|
||
<p>The first draft of this guide is available at
|
||
<a href="http://www.shorewall.net/shorewall_setup_guide.htm">
|
||
http://www.shorewall.net/shorewall_setup_guide.htm</a>. The guide is intended
|
||
for use by people who are setting up Shorewall to manage multiple public IP
|
||
addresses and by people who want to learn more about Shorewall than is
|
||
described in the single-address guides. Feedback on the new guide is welcome.</p>
|
||
|
||
<p><b>7/28/2002 - Shorewall 1.3.5 Debian Package Available</b></p>
|
||
|
||
<p>Lorenzo Martignoni reports that the packages are version 1.3.5a and are available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
|
||
|
||
<p><b>7/27/2002 - Shorewall 1.3.5a Released</b></p>
|
||
|
||
<p>This interim release restores correct handling of REDIRECT rules. </p>
|
||
|
||
<p><b>7/26/2002 - Shorewall 1.3.5 Released</b></p>
|
||
|
||
<p>This will be the last Shorewall release for a while. I'm going to be
|
||
focusing on rewriting a lot of the documentation.</p>
|
||
|
||
<p><b> </b>In this version:</p>
|
||
|
||
<ul>
|
||
<li>Empty and invalid source and destination qualifiers are now detected in
|
||
the rules file. It is a good idea to use the 'shorewall check' command before
|
||
you issue a 'shorewall restart' command be be sure that you don't have any
|
||
configuration problems that will prevent a successful restart.</li>
|
||
<li>Added <b>MERGE_HOSTS</b> variable in <a href="Documentation.htm#Conf">
|
||
shorewall.conf</a> to provide saner behavior of the /etc/shorewall/hosts
|
||
file.</li>
|
||
<li>The time that the counters were last reset is now displayed in the
|
||
heading of the 'status' and 'show' commands.</li>
|
||
<li>A <b>proxyarp </b>option has been added for entries in
|
||
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. This
|
||
option facilitates Proxy ARP sub-netting as described in the Proxy ARP
|
||
subnetting mini-HOWTO (<a href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>).
|
||
Specifying the proxyarp option for an interface causes Shorewall to set
|
||
/proc/sys/net/ipv4/conf/<interface>/proxy_arp.</li>
|
||
<li>The Samples have been updated to reflect the new capabilities in this
|
||
release. </li>
|
||
</ul>
|
||
|
||
<p><b>7/16/2002 - New Mirror in Argentina</b></p>
|
||
|
||
<p>Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in
|
||
Argentina. Thanks Buanzo!!!</p>
|
||
|
||
<p><b>7/16/2002 - Shorewall 1.3.4 Released</b></p>
|
||
|
||
<p>In this version:</p>
|
||
|
||
<ul>
|
||
<li>A new <a href="Documentation.htm#Routestopped">
|
||
/etc/shorewall/routestopped</a> file has been added. This file is intended to
|
||
eventually replace the <b>routestopped</b> option in the
|
||
/etc/shorewall/interface and /etc/shorewall/hosts files. This new file makes
|
||
remote firewall administration easier by allowing any IP or subnet to be
|
||
enabled while Shorewall is stopped.</li>
|
||
<li>An /etc/shorewall/stopped <a href="Documentation.htm#Scripts">extension
|
||
script</a> has been added. This script is invoked after Shorewall has
|
||
stopped.</li>
|
||
<li>A <b>DETECT_DNAT_ADDRS </b>option has been added to
|
||
<a href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf</a>. When this
|
||
option is selected, DNAT rules only apply when the destination address is the
|
||
external interface's primary IP address.</li>
|
||
<li>The <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a> has
|
||
been broken into three guides and has been almost entirely rewritten.</li>
|
||
<li>The Samples have been updated to reflect the new capabilities in this
|
||
release. </li>
|
||
</ul>
|
||
|
||
<p><b>7/8/2002 - Shorewall 1.3.3 Debian Package Available</b></p>
|
||
|
||
<p>Lorenzo Marignoni reports that the packages are available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
|
||
|
||
<p><b>7/6/2002 - Shorewall 1.3.3 Released</b></p>
|
||
|
||
<p>In this version:</p>
|
||
|
||
<ul>
|
||
<li>Entries in /etc/shorewall/interface that use the wildcard character ("+")
|
||
now have the "multi" option assumed.</li>
|
||
<li>The 'rfc1918' chain in the mangle table has been renamed 'man1918' to
|
||
make log messages generated from that chain distinguishable from those
|
||
generated by the 'rfc1918' chain in the filter table.</li>
|
||
<li>Interface names appearing in the hosts file are now validated against the
|
||
interfaces file.</li>
|
||
<li>The TARGET column in the rfc1918 file is now checked for correctness.</li>
|
||
<li>The chain structure in the nat table has been changed to reduce the
|
||
number of rules that a packet must traverse and to correct problems with
|
||
NAT_BEFORE_RULES=No</li>
|
||
<li>The "hits" command has been enhanced.</li>
|
||
</ul>
|
||
|
||
<p><b>6/25/2002 - Samples Updated for 1.3.2</b></p>
|
||
|
||
<p>The comments in the sample configuration files have been updated to reflect
|
||
new features introduced in Shorewall 1.3.2.</p>
|
||
|
||
<p><b>6/25/2002 - Shorewall 1.3.1 Debian Package Available</b></p>
|
||
|
||
<p>Lorenzo Marignoni reports that the package is available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
|
||
|
||
<p><b>6/19/2002 - Documentation Available in PDF Format</b></p>
|
||
|
||
<p>Thanks to Mike Martinez, the Shorewall Documentation is now available for
|
||
<a href="download.htm">download</a> in <a href="http://www.adobe.com">Adobe</a>
|
||
PDF format.</p>
|
||
|
||
<p><b>6/16/2002 - Shorewall 1.3.2 Released</b></p>
|
||
|
||
<p>In this version:</p>
|
||
|
||
<ul>
|
||
<li>A <a href="Documentation.htm#Starting">logwatch command</a> has been
|
||
added to /sbin/shorewall.</li>
|
||
<li>A <a href="blacklisting_support.htm">dynamic blacklist facility</a> has
|
||
been added.</li>
|
||
<li>Support for the <a href="Documentation.htm#Conf">Netfilter multiport
|
||
match function</a> has been added.</li>
|
||
<li>The files <b>firewall, functions </b>and <b>version</b> have been moved
|
||
from /etc/shorewall to /var/lib/shorewall.</li>
|
||
</ul>
|
||
|
||
<p><b>6/6/2002 - Why CVS Web access is Password Protected</b></p>
|
||
|
||
<p>Last weekend, I installed the CVS Web package to provide brower-based access
|
||
to the Shorewall CVS repository. Since then, I have had several instances where
|
||
my server was almost unusable due to the high load generated by website copying
|
||
tools like HTTrack and WebStripper. These mindless tools:</p>
|
||
|
||
<ul>
|
||
<li>Ignore robot.txt files.</li>
|
||
<li>Recursively copy everything that they find.</li>
|
||
<li>Should be classified as weapons rather than tools.</li>
|
||
</ul>
|
||
|
||
<p>These tools/weapons are particularly damaging when combined with CVS Web
|
||
because they doggedly follow every link in the cgi-generated HTML resulting in
|
||
1000s of executions of the cvsweb.cgi script. Yesterday, I spend several hours
|
||
implementing measures to block these tools but unfortunately, these measures
|
||
resulted in my server OOM-ing under even moderate load.</p>
|
||
|
||
<p>Until I have the time to understand the cause of the OOM (or until I buy
|
||
more RAM if that is what is required), CVS Web access will remain Password
|
||
Protected. </p>
|
||
|
||
<p><b>6/5/2002 - Shorewall 1.3.1 Debian Package Available</b></p>
|
||
|
||
<p>Lorenzo Marignoni reports that the package is available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
|
||
|
||
<p><b>6/2/2002 - Samples Corrected</b></p>
|
||
|
||
<p>The 1.3.0 samples configurations had several serious problems that prevented
|
||
DNS and SSH from working properly. These problems have been corrected in the
|
||
<a href="/pub/shorewall/samples-1.3.1">1.3.1 samples.</a></p>
|
||
|
||
<p><b>6/1/2002 - Shorewall 1.3.1 Released</b></p>
|
||
|
||
<p>Hot on the heels of 1.3.0, this release:</p>
|
||
|
||
<ul>
|
||
<li>Corrects a serious problem with "all <i><zone></i> CONTINUE" policies.
|
||
This problem is present in all versions of Shorewall that support the
|
||
CONTINUE policy. These previous versions optimized away the "all2<i><zone></i>"
|
||
chain and replaced it with the "all2all" chain with the usual result that a
|
||
policy of REJECT was enforced rather than the intended CONTINUE policy.</li>
|
||
<li>Adds an <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</a>
|
||
file for defining the exact behavior of the<a href="Documentation.htm#Interfaces">
|
||
'norfc1918' interface option</a>.</li>
|
||
</ul>
|
||
|
||
<p><b>5/29/2002 - Shorewall 1.3.0 Released</b></p>
|
||
|
||
<p>In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0
|
||
includes:</p>
|
||
|
||
<ul>
|
||
<li>A 'filterping' interface option that allows ICMP echo-request (ping)
|
||
requests addressed to the firewall to be handled by entries in
|
||
/etc/shorewall/rules and /etc/shorewall/policy.</li>
|
||
</ul>
|
||
|
||
<p><b>5/23/2002 - Shorewall 1.3 RC1 Available</b></p>
|
||
|
||
<p>In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92)
|
||
incorporates the following:</p>
|
||
|
||
<ul>
|
||
<li>Support for the /etc/shorewall/whitelist file has been withdrawn. If you
|
||
need whitelisting, see <a href="/1.3/whitelisting_under_shorewall.htm">these
|
||
instructions</a>.</li>
|
||
</ul>
|
||
|
||
<p><b>5/19/2002 - Shorewall 1.3 Beta 2 Available</b></p>
|
||
|
||
<p>In addition to the changes in Beta 1, this release which carries the
|
||
designation 1.2.91 adds:</p>
|
||
|
||
<ul>
|
||
<li>The structure of the firewall is changed markedly. There is now an INPUT
|
||
and a FORWARD chain for each interface; this reduces the number of rules that
|
||
a packet must traverse, especially in complicated setups.</li>
|
||
<li><a href="Documentation.htm#Exclude">Sub-zones may now be excluded from
|
||
DNAT and REDIRECT rules.</a></li>
|
||
<li>The names of the columns in a number of the configuration files have been
|
||
changed to be more consistent and self-explanatory and the documentation has
|
||
been updated accordingly.</li>
|
||
<li>The sample configurations have been updated for 1.3.</li>
|
||
</ul>
|
||
|
||
<p><b>5/17/2002 - Shorewall 1.3 Beta 1 Available</b></p>
|
||
|
||
<p>Beta 1 carries the version designation 1.2.90 and implements the following
|
||
features:</p>
|
||
|
||
<ul>
|
||
<li>Simplified rule syntax which makes the intent of each rule clearer and
|
||
hopefully makes Shorewall easier to learn.</li>
|
||
<li>Upward compatibility with 1.2 configuration files has been maintained so
|
||
that current users can migrate to the new syntax at their convenience.</li>
|
||
<li><b><font color="#CC6666">WARNING: Compatibility with the old
|
||
parameterized sample configurations has NOT been maintained. Users still
|
||
running those configurations should migrate to the new sample configurations
|
||
before upgrading to 1.3 Beta 1.</font></b></li>
|
||
</ul>
|
||
|
||
<p><b>5/4/2002 - Shorewall 1.2.13 is Available</b></p>
|
||
|
||
<p>In this version:</p>
|
||
|
||
<ul>
|
||
<li><a href="Documentation.htm#Whitelist">White-listing</a> is supported.</li>
|
||
<li><a href="Documentation.htm#Policy">SYN-flood protection </a>is added.</li>
|
||
<li>IP addresses added under <a href="Documentation.htm#Conf">ADD_IP_ALIASES
|
||
and ADD_SNAT_ALIASES</a> now inherit the VLSM and Broadcast Address of the
|
||
interface's primary IP address.</li>
|
||
<li>The order in which port forwarding DNAT and Static DNAT
|
||
<a href="Documentation.htm#Conf">can now be reversed</a> so that port
|
||
forwarding rules can override the contents of <a href="Documentation.htm#NAT">
|
||
/etc/shorewall/nat</a>. </li>
|
||
</ul>
|
||
|
||
<p><b>4/30/2002 - Shorewall Debian News</b></p>
|
||
|
||
<p>Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the
|
||
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian
|
||
Testing Branch</a> and the
|
||
<a href="http://packages.debian.org/unstable/net/shorewall.html">Debian
|
||
Unstable Branch</a>.</p>
|
||
|
||
<p><b>4/20/2002 - Shorewall 1.2.12 is Available</b></p>
|
||
|
||
<ul>
|
||
<li>The 'try' command works again</li>
|
||
<li>There is now a single RPM that also works with SuSE.</li>
|
||
</ul>
|
||
|
||
<p><b>4/17/2002 - Shorewall Debian News</b></p>
|
||
|
||
<p>Lorenzo Marignoni reports that:</p>
|
||
|
||
<ul>
|
||
<li>Shorewall 1.2.10 is in the
|
||
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian
|
||
Testing Branch</a></li>
|
||
<li>Shorewall 1.2.11 is in the
|
||
<a href="http://packages.debian.org/unstable/net/shorewall.html">Debian
|
||
Unstable Branch</a></li>
|
||
</ul>
|
||
|
||
<p>Thanks, Lorenzo!</p>
|
||
|
||
<p><b>4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE</b></p>
|
||
|
||
<p>Thanks to <a href="mailto:s.mohr@familie-mohr.com">Stefan Mohr</a>, there is
|
||
now a Shorewall 1.2.11
|
||
<a href="http://www.shorewall.net/pub/shorewall/shorewall-1.2-11.i686.suse73.rpm">
|
||
SuSE RPM</a> available. </p>
|
||
|
||
<p><b>4/13/2002 - Shorewall 1.2.11 Available </b></p>
|
||
|
||
<p>In this version:</p>
|
||
|
||
<ul>
|
||
<li>The 'try' command now accepts an optional timeout. If the timeout is
|
||
given in the command, the standard configuration will automatically be
|
||
restarted after the new configuration has been running for that length of
|
||
time. This prevents a remote admin from being locked out of the firewall in
|
||
the case where the new configuration starts but prevents access.</li>
|
||
<li>Kernel route filtering may now be enabled globally using the new
|
||
ROUTE_FILTER parameter in <a href="Documentation.htm#Conf">
|
||
/etc/shorewall/shorewall.conf</a>.</li>
|
||
<li>Individual IP source addresses and/or subnets may now be excluded from
|
||
masquerading/SNAT.</li>
|
||
<li>Simple "Yes/No" and "On/Off" values are now case-insensitive in
|
||
/etc/shorewall/shorewall.conf.</li>
|
||
</ul>
|
||
|
||
<p><b>4/13/2002 - Hamburg Mirror now has FTP </b></p>
|
||
|
||
<p>Stefan now has an FTP mirror at
|
||
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall">
|
||
ftp://germany.shorewall.net/pub/shorewall</a>. Thanks Stefan!</p>
|
||
|
||
<p><b>4/12/2002 - New Mirror in Hamburg</b></p>
|
||
|
||
<p>Thanks to <a href="mailto:s.mohr@familie-mohr.com">Stefan Mohr</a>, there is
|
||
now a mirror of the Shorewall website at
|
||
<a target="_top" href="http://germany.shorewall.net">
|
||
http://germany.shorewall.net</a>. </p>
|
||
|
||
<p><b>4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available</b></p>
|
||
|
||
<p><a href="shorewall_quickstart_guide.htm">Version 1.1 of the QuickStart Guide</a>
|
||
is now available. Thanks to those who have read version 1.0 and offered their
|
||
suggestions. Corrections have also been made to the sample scripts.</p>
|
||
|
||
<p><b>4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available</b></p>
|
||
|
||
<p><a href="shorewall_quickstart_guide.htm">Version 1.0 of the QuickStart Guide</a>
|
||
is now available. This Guide and its accompanying sample configurations are
|
||
expected to provide a replacement for the recently withdrawn parameterized
|
||
samples. </p>
|
||
|
||
<p><b>4/8/2002 - Parameterized Samples Withdrawn </b></p>
|
||
|
||
<p>Although the <a href="http://www.shorewall.net/pub/shorewall/samples-1.2.1/">parameterized
|
||
samples</a> have allowed people to get a firewall up and running quickly, they
|
||
have unfortunately set the wrong level of expectation among those who have used
|
||
them. I am therefore withdrawing support for the samples and I am recommending
|
||
that they not be used in new Shorewall installations.</p>
|
||
|
||
<p><b>4/2/2002 - Updated Log Parser</b></p>
|
||
|
||
<p><a href="mailto:JML@redwoodtech.com">John Lodge</a> has provided an updated
|
||
version of his
|
||
<a href="pub/shorewall/parsefw/">CGI-based log parser</a> with corrected date
|
||
handling. </p>
|
||
|
||
<p><b>3/30/2002 - Shorewall Website Search Improvements</b></p>
|
||
|
||
<p>The quick search on the home page now excludes the mailing list archives.
|
||
The <a href="htdig/search.html">Extended Search</a> allows excluding the
|
||
archives or restricting the search to just the archives. An archive search form
|
||
is also available on the <a href="mailing_list.htm">mailing list information
|
||
page</a>.</p>
|
||
|
||
<p><b>3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)</b></p>
|
||
|
||
<ul>
|
||
<li>The 1.2.10 Debian Package is available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</li>
|
||
<li>Shorewall 1.2.9 is now in the
|
||
<a href="http://packages.debian.org/unstable/net/shorewall.html">Debian
|
||
Unstable Distribution</a>.</li>
|
||
</ul>
|
||
|
||
<p><b>3/25/2002 - Log Parser Available</b></p>
|
||
|
||
<p><a href="mailto:JML@redwoodtech.com">John Lodge</a> has provided a
|
||
<a href="pub/shorewall/parsefw/">CGI-based log parser</a> for Shorewall. Thanks
|
||
John.</p>
|
||
|
||
<p><b>3/20/2002 - Shorewall 1.2.10 Released</b></p>
|
||
|
||
<p>In this version:</p>
|
||
|
||
<ul>
|
||
<li>A "shorewall try" command has been added (syntax: shorewall try <i>
|
||
<configuration directory></i>). This command attempts "shorewall -c <i>
|
||
<configuration directory></i> start" and if that results in the firewall
|
||
being stopped due to an error, a "shorewall start" command is executed. The
|
||
'try' command allows you to create a new <a href="Documentation.htm#Configs">
|
||
configuration</a> and attempt to start it; if there is an error that leaves
|
||
your firewall in the stopped state, it will automatically be restarted using
|
||
the default configuration (in /etc/shorewall).</li>
|
||
<li>A new variable ADD_SNAT_ALIASES has been added to
|
||
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>. If this
|
||
variable is set to "Yes", Shorewall will automatically add IP addresses
|
||
listed in the third column of the <a href="Documentation.htm#Masq">
|
||
/etc/shorewall/masq</a> file.</li>
|
||
<li>Copyright notices have been added to the documenation.</li>
|
||
</ul>
|
||
|
||
<p><b>3/11/2002 - Shorewall 1.2.9 Released</b></p>
|
||
|
||
<p>In this version:</p>
|
||
|
||
<ul>
|
||
<li>Filtering by <a href="Documentation.htm#MAC">MAC address</a> has been added.
|
||
MAC addresses may be used as the source address in:<ul>
|
||
<li>Filtering rules (<a href="Documentation.htm#Rules">/etc/shorewall/rules</a>)</li>
|
||
<li>Traffic Control Classification Rules (<a href="traffic_shaping.htm#tcrules">/etc/shorewall/tcrules</a>)</li>
|
||
<li>TOS Rules (<a href="Documentation.htm#TOS">/etc/shorewall/tos</a>)</li>
|
||
<li>Blacklist (<a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a>)</li>
|
||
</ul>
|
||
</li>
|
||
<li>Several bugs have been fixed</li>
|
||
<li>The 1.2.9 Debian Package is also available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</li>
|
||
</ul>
|
||
|
||
<p><b>3/1/2002 - 1.2.8 Debian Package is Available</b></p>
|
||
|
||
<p>See <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
|
||
|
||
<p><b>2/25/2002 - New Two-interface Sample</b></p>
|
||
<p>I've enhanced the two interface sample to allow access from the firewall to
|
||
servers in the local zone -
|
||
<a href="http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">
|
||
http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz</a></p>
|
||
|
||
<p><b>2/23/2002 - Shorewall 1.2.8 Released</b></p>
|
||
|
||
<p>Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
|
||
problems associated with the lock file used to prevent multiple state-changing
|
||
operations from occuring simultaneously. My apologies for any inconvenience my
|
||
carelessness may have caused.</p>
|
||
|
||
<p><b>2/22/2002 - Shorewall 1.2.7 Released</b></p>
|
||
|
||
<p>In this version:</p>
|
||
|
||
<ul>
|
||
<li>UPnP probes (UDP destination port 1900) are now silently dropped in the
|
||
<i>common</i> chain</li>
|
||
<li>RFC 1918 checking in the mangle table has been streamlined to no longer
|
||
require packet marking. RFC 1918 checking in the filter table has been
|
||
changed to require half as many rules as previously.</li>
|
||
<li>A 'shorewall check' command has been added that does a cursory validation
|
||
of the zones, interfaces, hosts, rules and policy files.</li>
|
||
</ul>
|
||
|
||
<p><b>2/18/2002 - 1.2.6 Debian Package is Available</b></p>
|
||
|
||
<p>See <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
|
||
|
||
<p><b>2/8/2002 - Shorewall 1.2.6 Released</b></p>
|
||
|
||
<p>In this version:</p>
|
||
|
||
<ul>
|
||
<li>$-variables may now be used anywhere in the configuration files except
|
||
/etc/shorewall/zones.</li>
|
||
<li>The interfaces and hosts files now have their contents validated before
|
||
any changes are made to the existing Netfilter configuration. The appearance
|
||
of a zone name that isn't defined in /etc/shorewall/zones causes "shorewall
|
||
start" and "shorewall restart" to abort without changing the Shorewall state.
|
||
Unknown options in either file cause a warning to be issued.</li>
|
||
<li>A problem occurring when BLACKLIST_LOGLEVEL was not set has been
|
||
corrected.</li>
|
||
</ul>
|
||
|
||
<p><b>2/4/2002 - Shorewall 1.2.5 Debian Package Available</b></p>
|
||
|
||
<p>see <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
|
||
|
||
<p><b>2/1/2002 - Shorewall 1.2.5 Released</b></p>
|
||
|
||
<p>Due to installation problems with Shorewall 1.2.4, I have released Shorewall
|
||
1.2.5. Sorry for the rapid-fire development.</p>
|
||
|
||
<p>In version 1.2.5:</p>
|
||
|
||
<ul>
|
||
<li>The installation problems have been corrected.</li>
|
||
<li><a href="Documentation.htm#Masq">SNAT</a> is now supported.</li>
|
||
<li>A "shorewall version" command has been added</li>
|
||
<li>The default value of the STATEDIR variable in
|
||
/etc/shorewall/shorewall.conf has been changed to /var/lib/shorewall in
|
||
order to conform to the GNU/Linux File Hierarchy Standard, Version 2.2.</li>
|
||
</ul>
|
||
|
||
<p><b>1/28/2002 - Shorewall 1.2.4 Released</b></p>
|
||
|
||
<ul>
|
||
<li>The "fw" zone <a href="Documentation.htm#FW">may now be given a
|
||
different name</a>.</li>
|
||
<li>You may now place end-of-line comments (preceded by '#') in any of the
|
||
configuration files</li>
|
||
<li>There is now protection against against two state changing operations
|
||
occuring concurrently. This is implemented using the 'lockfile' utility if
|
||
it is available (lockfile is part of procmail); otherwise, a less robust
|
||
technique is used. The lockfile is created in the STATEDIR defined in
|
||
/etc/shorewall/shorewall.conf and has the name "lock".</li>
|
||
<li>"shorewall start" no longer fails if "detect" is
|
||
specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> for an interface with subnet mask 255.255.255.255.</li>
|
||
</ul>
|
||
|
||
<p><b>1/27/2002 - Shorewall 1.2.3 Debian Package Available </b>-- see <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
|
||
|
||
<p><b>1/20/2002 - Corrected firewall script available </b></p>
|
||
|
||
<p>Corrects a problem with BLACKLIST_LOGLEVEL. See <a href="errata.htm">the
|
||
errata</a> for details.</p>
|
||
|
||
<p><b>1/19/2002 - Shorewall 1.2.3 Released</b></p>
|
||
|
||
<p>This is a minor feature and bugfix release. The single new feature is:</p>
|
||
|
||
<ul>
|
||
<li>Support for TCP MSS Clamp to PMTU -- This support is usually required when
|
||
the internet connection is via PPPoE or PPTP and may be enabled using the <a href="Documentation.htm#ClampMSS">CLAMPMSS</a>
|
||
option in /etc/shorewall/shorewall.conf.</li>
|
||
</ul>
|
||
<p>The following problems were corrected:</p>
|
||
<ul>
|
||
<li>The "shorewall status" command no longer hangs.</li>
|
||
<li>The "shorewall monitor" command now displays the icmpdef chain</li>
|
||
<li>The CLIENT PORT(S) column in tcrules is no longer ignored</li>
|
||
</ul>
|
||
<p><b>1/18/2002 - Shorewall 1.2.2 packaged with new </b><a href="http://leaf.sourceforge.net">LEAF</a><b>
|
||
release</b></p>
|
||
|
||
<p>Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution
|
||
that includes Shorewall 1.2.2. See <a href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo</a>
|
||
for details.</p>
|
||
|
||
<p><b>1/11/2002 - Debian Package (.deb) Now Available - </b>Thanks to <a href="mailto:lorenzo.martignoni@milug.org">Lorenzo
|
||
Martignoni</a>, a 1.2.2 Shorewall Debian package is now available. There is a
|
||
link to Lorenzo's site from the <a href="download.htm">Shorewall download page</a>.</p>
|
||
|
||
<p><b>1/9/2002 - Updated 1.2.2 /sbin/shorewall available - </b><a href="/pub/shorewall/errata/1.2.2/shorewall">This
|
||
corrected version </a>restores the "shorewall status" command to
|
||
health.</p>
|
||
|
||
<p><b>1/8/2002 - Shorewall 1.2.2 Released</b></p>
|
||
|
||
<p>In version 1.2.2</p>
|
||
|
||
<ul>
|
||
<li>Support for IP blacklisting has been added
|
||
<ul>
|
||
<li>You specify whether you want packets from blacklisted hosts dropped or
|
||
rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION
|
||
</a>setting in /etc/shorewall/shorewall.conf</li>
|
||
<li>You specify whether you want packets from blacklisted hosts logged and
|
||
at what syslog level using the <a href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a>
|
||
setting in /etc/shorewall/shorewall.conf</li>
|
||
<li>You list the IP addresses/subnets that you wish to blacklist in <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a></li>
|
||
<li>You specify the interfaces you want checked against the blacklist
|
||
using the new "<a href="Documentation.htm#BLInterface">blacklist</a>"
|
||
option in /etc/shorewall/interfaces.</li>
|
||
<li>The black list is refreshed from /etc/shorewall/blacklist by the
|
||
"shorewall refresh" command.</li>
|
||
</ul>
|
||
</li>
|
||
<li>Use of TCP RST replies has been expanded
|
||
<ul>
|
||
<li>TCP connection requests rejected because of a REJECT policy are now
|
||
replied with a TCP RST packet.</li>
|
||
<li>TCP connection requests rejected because of a protocol=all rule in
|
||
/etc/shorewall/rules are now replied with a TCP RST packet.</li>
|
||
</ul>
|
||
</li>
|
||
<li>A <a href="Documentation.htm#Logfile">LOGFILE</a> specification has been
|
||
added to /etc/shorewall/shorewall.conf. LOGFILE is used to tell the
|
||
/sbin/shorewall program where to look for Shorewall messages.</li>
|
||
</ul>
|
||
|
||
<p><b>1/5/2002 - New Parameterized Samples (<a href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.2.0/" target="_blank">version
|
||
1.2.0</a>) released. </b>These are minor updates to the previously-released
|
||
samples. There are two new rules added:</p>
|
||
|
||
<ul>
|
||
<li>Unless you have explicitly enabled Auth connections (tcp port 113) to your
|
||
firewall, these connections will be REJECTED rather than DROPPED. This
|
||
speeds up connection establishment to some servers.</li>
|
||
<li>Orphan DNS replies are now silently dropped.</li>
|
||
</ul>
|
||
<p>See the README file for upgrade instructions.</p>
|
||
|
||
<p><b>1/1/2002 - <u><font color="#FF6633">Shorewall Mailing List Moving</font></u></b></p>
|
||
|
||
<p>The Shorewall mailing list hosted at <a href="http://sourceforge.net"> Sourceforge</a> is moving to Shorewall.net.
|
||
If you are a current subscriber to the list at Sourceforge, please <a href="shorewall_mailing_list_migration.htm">see
|
||
these instructions</a>. If you would like to subscribe to the new list, visit <a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
|
||
|
||
<p><b>12/31/2001 - Shorewall 1.2.1 Released</b></p>
|
||
|
||
<p>In version 1.2.1:</p>
|
||
|
||
<ul>
|
||
<li><a href="Documentation.htm#LogUncleanOption">Logging of Mangled/Invalid
|
||
Packets</a> is added. </li>
|
||
<li>The <a href="IPIP.htm">tunnel script</a> has been corrected.</li>
|
||
<li>'shorewall show tc' now correctly handles tunnels.</li>
|
||
</ul>
|
||
|
||
<p><b>12/21/2001 - Shorewall 1.2.0 Released!</b> - <b>I couldn't resist
|
||
releasing 1.2 on 12/21/2001</b></p>
|
||
|
||
<p>Version 1.2 contains the following new features:</p>
|
||
|
||
<ul>
|
||
<li>Support for <a href="traffic_shaping.htm">Traffic Control/Shaping</a></li>
|
||
<li>Support for <a href="Documentation.htm#Unclean">Filtering of
|
||
Mangled/Invalid Packets</a></li>
|
||
<li>Support for <a href="IPIP.htm">GRE Tunnels</a></li>
|
||
</ul>
|
||
<p>For the next month or so, I will continue to provide corrections to version
|
||
1.1.18 as necessary so that current version 1.1.x users will not be forced into a
|
||
quick upgrade to 1.2.0 just to have access to bug fixes.</p>
|
||
<p>For those of you who have installed one of the Beta RPMS, you will need to
|
||
use the "--oldpackage" option when upgrading to 1.2.0:</p>
|
||
<blockquote>
|
||
<p>rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm</p>
|
||
</blockquote>
|
||
|
||
<p><b>12/19/2001 - Thanks to <a href="mailto:scowles@infohiiway.com">Steve
|
||
Cowles</a>, there is now a Shorewall mirror in Texas. </b>This web site is
|
||
mirrored at <a href="http://www.infohiiway.com/shorewall" target="_top">http://www.infohiiway.com/shorewall</a>
|
||
and the ftp site is at <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall">ftp://ftp.infohiiway.com/pub/mirrors/shorewall</a>.<b> </b></p>
|
||
|
||
<p><b>11/30/2001 - A new set of the parameterized <a href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.18">Sample
|
||
Configurations</a> has been released</b>. In this version:</p>
|
||
|
||
<ul>
|
||
<li>Ping is now allowed between the zones.</li>
|
||
<li>In the three-interface configuration, it is now possible to configure the
|
||
internet services that are to be available to servers in the DMZ. </li>
|
||
</ul>
|
||
|
||
<p><b>11/20/2001 - The current version of Shorewall is 1.1.18. </b></p>
|
||
|
||
<p>In this version:</p>
|
||
|
||
<ul>
|
||
<li>The spelling of ADD_IP_ALIASES has been corrected in the shorewall.conf
|
||
file</li>
|
||
<li>The logic for deleting user-defined chains has been simplified so that it
|
||
avoids a bug in the LRP version of the 'cut' utility.</li>
|
||
<li>The /var/lib/lrpkg/shorwall.conf file has been corrected to properly
|
||
display the NAT entry in that file.</li>
|
||
</ul>
|
||
|
||
<p><b>11/19/2001 - Thanks to <a href="mailto:shorewall@timelord.sk">Juraj
|
||
Ontkanin</a>, there is now a Shorewall mirror in the Slovak Republic</b>. The website is now mirrored at <a href="http://www.nrg.sk/mirror/shorewall" target="_top">http://www.nrg.sk/mirror/shorewall</a>
|
||
and the FTP site is mirrored at <a href="ftp://ftp.nrg.sk/mirror/shorewall">ftp://ftp.nrg.sk/mirror/shorewall</a>.</p>
|
||
|
||
<p><b>11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations.</b>
|
||
There are three sample configurations:</p>
|
||
|
||
<ul>
|
||
<li>One Interface -- for a standalone system.</li>
|
||
<li>Two Interfaces -- A masquerading firewall.</li>
|
||
<li>Three Interfaces -- A masquerading firewall with DMZ.</li>
|
||
</ul>
|
||
|
||
|
||
<p>Samples may be downloaded from <a href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17">
|
||
ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17</a>
|
||
. See the README file for instructions.</p>
|
||
|
||
<p><b>11/1/2001 - The current version of Shorewall is 1.1.17</b>. I intend
|
||
this to be the last of the 1.1 Shorewall releases.</p>
|
||
|
||
<p> In this version:</p>
|
||
|
||
<ul>
|
||
<li>The handling of <a href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>
|
||
has been corrected.<2E></li>
|
||
</ul>
|
||
|
||
<p><b>10/22/2001 - The current version of Shorewall is 1.1.16</b>. In this
|
||
version:</p>
|
||
|
||
<ul>
|
||
<li>A new "shorewall show connections" command has been added.</li>
|
||
<li>In the "shorewall monitor" output, the currently tracked
|
||
connections are now shown on a separate page.</li>
|
||
<li>Prior to this release, Shorewall unconditionally added the external IP
|
||
adddress(es) specified in /etc/shorewall/nat. Beginning with version
|
||
1.1.16, a new parameter (<a href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>)
|
||
may be set to "no" (or "No") to inhibit this behavior.
|
||
This allows IP aliases created using your distribution's network
|
||
configuration tools to be used in static NAT. </li>
|
||
</ul>
|
||
|
||
<p><b>10/15/2001 - The current version of Shorewall is 1.1.15.</b> In this
|
||
version:</p>
|
||
|
||
<ul>
|
||
<li>Support for nested zones has been improved. See <a href="Documentation.htm#Nested">
|
||
the documentation</a>
|
||
for details</li>
|
||
<li>Shorewall now correctly checks the alternate configuration directory for
|
||
the 'zones' file.</li>
|
||
</ul>
|
||
|
||
<p><b>10/4/2001 - The current version of Shorewall is 1.1.14.</b> In this version</p>
|
||
|
||
<ul>
|
||
<li>Shorewall now supports alternate configuration directories. When an
|
||
alternate directory is specified when starting or restarting Shorewall
|
||
(e.g., "shorewall -c /etc/testconf restart"), Shorewall will first
|
||
look for configuration files in the alternate directory then in
|
||
/etc/shorewall. To create an alternate configuration simply:<br>
|
||
1. Create a New Directory<br>
|
||
2. Copy to that directory any of your configuration files that you want to
|
||
change.<br>
|
||
3. Modify the copied files as needed.<br>
|
||
4. Restart Shorewall specifying the new directory.</li>
|
||
<li>The rules for allowing/disallowing icmp echo-requests (pings) are now
|
||
moved after rules created when processing the rules file. This allows you to
|
||
add rules that selectively allow/deny ping based on source or destination
|
||
address.</li>
|
||
<li>Rules that specify multiple client ip addresses or subnets no longer cause
|
||
startup failures.</li>
|
||
<li>Zone names in the policy file are now validated against the zones file.</li>
|
||
<li>If you have <a href="Documentation.htm#MangleEnabled">packet mangling</a>
|
||
support enabled, the "<a href="Documentation.htm#Interfaces">norfc1918</a>"
|
||
interface option now logs and drops any incoming packets on the interface
|
||
that have an RFC 1918 destination address.</li>
|
||
</ul>
|
||
|
||
<p><b>9/12/2001 - The current version of Shorewall is 1.1.13</b>. In this version</p>
|
||
|
||
<ul>
|
||
<li>Shell variables can now be used to parameterize Shorewall rules.</li>
|
||
<li>The second column in the hosts file may now contain a comma-separated
|
||
list.<br>
|
||
<br>
|
||
Example:<br>
|
||
sea
|
||
eth0:130.252.100.0/24,206.191.149.0/24</li>
|
||
<li>Handling of multi-zone interfaces has been improved. See the <a href="Documentation.htm#Interfaces">documentation
|
||
for the /etc/shorewall/interfaces file</a>.</li>
|
||
</ul>
|
||
|
||
<p><b>8/28/2001 - The current version of Shorewall is 1.1.12</b>. In this version</p>
|
||
|
||
<ul>
|
||
<li>Several columns in the rules file may now contain comma-separated lists.</li>
|
||
<li>Shorewall is now more rigorous in parsing the options in
|
||
/etc/shorewall/interfaces.</li>
|
||
<li>Complementation using "!" is now supported in rules.</li>
|
||
</ul>
|
||
|
||
<p><b>7/28/2001 - The current version of Shorewall is 1.1.11</b>. In this version</p>
|
||
|
||
<ul>
|
||
<li>A "shorewall refresh" command has been added to allow for
|
||
refreshing the rules associated with the broadcast address on a dynamic
|
||
interface. This command should be used in place of "shorewall
|
||
restart" when the internet interface's IP address changes.</li>
|
||
<li>The /etc/shorewall/start file (if any) is now processed after all
|
||
temporary rules have been deleted. This change prevents the accidental
|
||
removal of rules added during the processing of that file.</li>
|
||
<li>The "dhcp" interface option is now applicable to firewall
|
||
interfaces used by a DHCP server running on the firewall.</li>
|
||
<li>The RPM can now be built from the .tgz file using "rpm -tb" </li>
|
||
</ul>
|
||
|
||
<p><b>7/6/2001 - The current version of Shorewall is 1.1.10.</b> In this version</p>
|
||
|
||
<ul>
|
||
<li>Shorewall now enables Ipv4 Packet Forwarding by default. Packet forwarding
|
||
may be disabled by specifying IP_FORWARD=Off in
|
||
/etc/shorewall/shorewall.conf. If you don't want Shorewall to enable or
|
||
disable packet forwarding, add IP_FORWARDING=Keep to your
|
||
/etc/shorewall/shorewall.conf file.</li>
|
||
<li>The "shorewall hits" command no longer lists extraneous service
|
||
names in its last report.</li>
|
||
<li>Erroneous instructions in the comments at the head of the firewall script
|
||
have been corrected.</li>
|
||
</ul>
|
||
|
||
<p><b>6/23/2001 - The current version of Shorewall is 1.1.9.</b> In this version</p>
|
||
|
||
<ul>
|
||
<li>The "tunnels" file <u>really</u> is in the RPM now.</li>
|
||
<li>SNAT can now be applied to port-forwarded connections.</li>
|
||
<li>A bug which would cause firewall start failures in some dhcp configurations
|
||
has been fixed.</li>
|
||
<li>The firewall script now issues a message if you have the name of an
|
||
interface in the second column in an entry in /etc/shorewall/masq and that
|
||
interface is not up.</li>
|
||
<li>You can now configure Shorewall so that it<a href="Documentation.htm#NatEnabled"> doesn't require the NAT and/or
|
||
mangle netfilter modules</a>.</li>
|
||
<li>Thanks to Alex Polishchuk, the "hits" command
|
||
from seawall is now in shorewall.</li>
|
||
<li>Support for <a href="IPIP.htm">IPIP tunnels</a> has been added.</li>
|
||
</ul>
|
||
|
||
<p><b>6/18/2001 - The current version of Shorewall is 1.1.8</b>. In this version</p>
|
||
|
||
<ul>
|
||
<li>A typo in the sample rules file has been corrected.</li>
|
||
<li>It is now possible to restrict masquerading by<a href="Documentation.htm#Masq">
|
||
destination host or subnet.</a></li>
|
||
<li>It is now possible to have static <a href="NAT.htm#LocalPackets">NAT rules
|
||
applied to packets originating on the firewall itself</a>.</li>
|
||
</ul>
|
||
|
||
<p><b>6/2/2001 - The current version of Shorewall is 1.1.7.</b> In this version</p>
|
||
|
||
<ul>
|
||
<li>The TOS rules are now deleted when the firewall is stopped.</li>
|
||
<li>The .rpm will now install regardless of which version of iptables is
|
||
installed.</li>
|
||
<li>The .rpm will now install without iproute2 being installed.</li>
|
||
<li>The documentation has been cleaned up.</li>
|
||
<li>The sample configuration files included in Shorewall have been formatted
|
||
to 80 columns for ease of editing on a VGA console.</li>
|
||
</ul>
|
||
|
||
<p><b>5/25/2001 - The current version of Shorewall is 1.1.6</b>. In this version</p>
|
||
|
||
<ul>
|
||
<li><a href="Documentation.htm#lograte">You may now rate-limit the packet log.</a></li>
|
||
<li><font face="Century Gothic, Arial, Helvetica"> Previous versions of
|
||
Shorewall have an implementation of Static NAT which violates the principle
|
||
of least surprise. NAT only occurs for packets arriving at (DNAT) or
|
||
send from (SNAT) the interface named in the INTERFACE column of
|
||
/etc/shorewall/nat. Beginning with version 1.1.6, NAT effective regardless
|
||
of which interface packets come from or are destined to. To get
|
||
compatibility with prior versions, I have added a new "ALL <a href="NAT.htm#AllInterFaces">"ALL
|
||
INTERFACES" column to /etc/shorewall/nat</a>. By placing
|
||
"no" or "No" in the new column, the NAT behavior of
|
||
prior versions may be retained. </font></li>
|
||
<li>The treatment of <a href="IPSEC.htm#RoadWarrior">IPSEC Tunnels where the remote
|
||
gateway is a standalone system has been improved</a>. Previously, it was
|
||
necessary to include an additional rule allowing UDP port 500 traffic to
|
||
pass through the tunnel. Shorewall will now create this rule automatically
|
||
when you place the name of the remote peer's zone in a new GATEWAY ZONE
|
||
column in /etc/shorewall/tunnels. </li>
|
||
</ul>
|
||
|
||
<p><b>5/20/2001 - The current version of Shorewall is 1.1.5.</b> In this version</p>
|
||
|
||
<ul>
|
||
<li><a href="Documentation.htm#modules">You may now pass parameters when loading
|
||
netfilter modules and you can specify the modules to load.</a></li>
|
||
<li>Compressed modules are now loaded. This requires that you modutils support
|
||
loading compressed modules.</li>
|
||
<li><a href="Documentation.htm#TOS">You may now set the Type of Service (TOS)
|
||
field in packets.</a></li>
|
||
<li>Corrected rules generated for port redirection (again).</li>
|
||
</ul>
|
||
|
||
<p><b>5/10/2001 - The current version of Shorewall is 1.1.4.</b> In this version</p>
|
||
|
||
<ul>
|
||
<li> <a href="Documentation.htm#Conf">Accepting RELATED connections is now
|
||
optional.</a></li>
|
||
<li>Corrected problem where if "shorewall start" aborted early
|
||
(due to kernel configuration errors for example), superfluous 'sed' error
|
||
messages were reported.</li>
|
||
<li>Corrected rules generated for port redirection.</li>
|
||
<li>The order in which iptables kernel modules are loaded has been
|
||
corrected (Thanks to Mark Pavlidis). </li>
|
||
</ul>
|
||
|
||
<p><b>4/28/2001 - The current version of Shorewall is 1.1.3.</b> In this version</p>
|
||
|
||
<ul>
|
||
<li>Correct message issued when Proxy ARP address added (Thanks to Jason Kirtland).</li>
|
||
<li>/tmp/shorewallpolicy-$$ is now removed if there is an error while starting the firewall.</li>
|
||
<li>/etc/shorewall/icmp.def and /etc/shorewall/common.def are now used to define the icmpdef and common chains unless overridden by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.</li>
|
||
<li>In the .lrp, the file /var/lib/lrpkg/shorwall.conf has been corrected. An extra space after "/etc/shorwall/policy" has been removed and "/etc/shorwall/rules" has been added.</li>
|
||
<li>When a sub-shell encounters a fatal error and has stopped the firewall, it now kills the main shell so that the main shell will not continue.</li>
|
||
<li>A problem has been corrected where a sub-shell stopped the firewall and main shell continued resulting in a perplexing error message
|
||
referring to "common.so" resulted.</li>
|
||
<li>Previously, placing "-" in the PORT(S) column in /etc/shorewall/rules resulted in an error message during start. This has been corrected.</li>
|
||
<li>The first line of "install.sh" has been corrected -- I had inadvertently deleted the initial "#".</li>
|
||
</ul>
|
||
<p><b>4/12/2001 - The current version of Shorewall is 1.1.2.</b> In this version</p>
|
||
<ul>
|
||
<li>Port redirection now works again.</li>
|
||
<li>The icmpdef and common chains <a href="Documentation.htm#Icmpdef">may
|
||
now be user-defined</a>.</li>
|
||
<li>The firewall no longer fails to start if "routefilter" is
|
||
specified for an interface that isn't started. A warning message is now
|
||
issued in this case.</li>
|
||
<li>The LRP Version is renamed "shorwall" for 8,3 MSDOS file
|
||
system compatibility.</li>
|
||
<li>A couple of LRP-specific problems were corrected.</li>
|
||
</ul>
|
||
<p><b>4/8/2001 - Shorewall is now affiliated with the <a href="http://leaf.sourceforge.net">Leaf
|
||
Project</a> </b> <a href="http://leaf.sourceforge.net">
|
||
<img border="0" src="images/leaflogo.gif" width="49" height="36"></a></p>
|
||
<p><b>4/5/2001 - The current version of Shorewall is 1.1.1. In this version:</b></p>
|
||
|
||
<ul>
|
||
<li>The common chain is traversed from INPUT, OUTPUT and FORWARD before
|
||
logging occurs</li>
|
||
<li>The source has been cleaned up dramatically</li>
|
||
<li>DHCP DISCOVER packets with RFC1918 source addresses no longer
|
||
generate log messages. Linux DHCP clients generate such packets and it's
|
||
annoying to see them logged. </li>
|
||
</ul>
|
||
<p><b>3/25/2001 - The current version of Shorewall is 1.1.0. In this version:</b></p>
|
||
|
||
<ul>
|
||
<li>Log messages now indicate the packet disposition.</li>
|
||
<li>Error messages have been improved.</li>
|
||
<li>The ability to define zones consisting of an enumerated set of hosts
|
||
and/or subnetworks has been added.</li>
|
||
<li>The zone-to-zone chain matrix is now sparse so that only those chains
|
||
that contain meaningful rules are defined.</li>
|
||
<li>240.0.0.0/4 and 169.254.0.0/16 have been added to the source
|
||
subnetworks whose packets are dropped under the <i>norfc1918</i> interface
|
||
option.</li>
|
||
<li>Exits are now provided for executing an user-defined script when a
|
||
chain is defined, when the firewall is initialized, when the firewall is
|
||
started, when the firewall is stopped and when the firewall is cleared.</li>
|
||
<li>The Linux kernel's route filtering facility can now be specified
|
||
selectively on network interfaces.</li>
|
||
</ul>
|
||
<p><b>3/19/2001 - The current version of Shorewall is 1.0.4. This version:</b></p>
|
||
|
||
<ul>
|
||
<li>Allows user-defined zones. Shorewall now has only one pre-defined
|
||
zone (fw) with the remaining zones being defined in the new configuration
|
||
file /etc/shorewall/zones. The /etc/shorewall/zones file released in this
|
||
version provides behavior that is compatible with Shorewall 1.0.3. </li>
|
||
<li>Adds the ability to specify logging in entries in the
|
||
/etc/shorewall/rules file.</li>
|
||
<li>Correct handling of the icmp-def chain so that only ICMP packets are
|
||
sent through the chain.</li>
|
||
<li>Compresses the output of "shorewall monitor" if awk is
|
||
installed. Allows the command to work if awk isn't installed (although
|
||
it's not pretty).</li>
|
||
</ul>
|
||
<p><b>3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix
|
||
release with no new features.</b></p>
|
||
|
||
<ul>
|
||
<li>The PATH variable in the firewall script now includes /usr/local/bin
|
||
and /usr/local/sbin.</li>
|
||
<li>DMZ-related chains are now correctly deleted if the DMZ is deleted.</li>
|
||
<li>The interface OPTIONS for "gw" interfaces are no longer
|
||
ignored.</li>
|
||
</ul>
|
||
<p><b>3/8/2001 - The current version of Shorewall is 1.0.2. It supports an
|
||
additional "gw" (gateway) zone for tunnels and it supports IPSEC
|
||
tunnels with end-points on the firewall. There is also a .lrp available now.</b></p>
|
||
|
||
<p><font size="2">Updated 8/13/2002 - <a href="support.htm">Tom
|
||
Eastep</a> </font></p>
|
||
|
||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">
|
||
Copyright</font> <20> <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||
|
||
</body></html> |