2003-03-23 19:47:54 +01:00

This is a minor release of Shorewall.

Problems Corrected:

1) TCP connection requests rejected out of the common chain are now
   properly rejected with TCP RST; previously, some of these requests
   were rejected with an ICMP port-unreachable response.

2) 'traceroute -I' from behind the firewall previously timed out on the
   first hop (e.g., to the firewall). This has been worked around.

New Features:

1) Where an entry in the /etc/shorewall/hosts file specifies a
   particular host or network, Shorewall now creates an intermediate
   chain for handling input from the related zone. This can
   substantially reduce the number of rules traversed by connection
   requests from such zones.

2) Any file may include an INCLUDE directive. An INCLUDE directive
   consists of the word INCLUDE followed by a file name and causes the
   contents of the named file to be logically included into the file
   containing the INCLUDE. File names given in an INCLUDE directive
   are assumed to reside in /etc/shorewall or in an alternate
   configuration directory if one has been specified for the command.

   Examples:

      shorewall/params.mgmt:

         MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
         TIME_SERVERS=4.4.4.4
         BACKUP_SERVERS=5.5.5.5
         ----- end params.mgmt -----

      shorewall/params:

         # Shorewall 1.3 /etc/shorewall/params
         [..]
         #######################################

         INCLUDE params.mgmt

         # params unique to this host here
         #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
         ----- end params -----

      shorewall/rules.mgmt:

         ACCEPT net:$MGMT_SERVERS $FW tcp 22
         ACCEPT $FW net:$TIME_SERVERS udp 123
         ACCEPT $FW net:$BACKUP_SERVERS tcp 22
         ----- end rules.mgmt -----

      shorewall/rules:

         # Shorewall version 1.3 - Rules File
         [..]
         #######################################

         INCLUDE rules.mgmt

         # rules unique to this host here
         #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
         ----- end rules -----

   INCLUDE directives may be nested to a level of 3; further nested INCLUDE
   directives are ignored.
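
The INCLUDE semantics above, as an added illustration in Python (not Shorewall's own shell code): a file named in an INCLUDE is resolved inside the configuration directory, and directives nested deeper than three levels are dropped. The level counting (directives in the top-level file are level 1), the in-memory sample files, and the check that an included file cannot escape the configuration directory are assumptions of this example, not statements from the release notes.

```python
import os

MAX_INCLUDE_DEPTH = 3   # "nested to a level of 3", per the release notes
CONFIG_DIR = "/etc/shorewall"


def expand_includes(name, config_dir, read_file, level=1):
    """Return the lines of config file `name` with INCLUDE directives expanded.

    read_file(path) -> list of lines; it is a parameter so the function runs
    against the constructed in-memory files below, not a real /etc/shorewall.
    level = nesting level of the INCLUDE directives found in `name`
    (assumption: directives in the top-level file are level 1); a directive
    deeper than MAX_INCLUDE_DEPTH is dropped, i.e. ignored.
    """
    out = []
    for raw in read_file(os.path.join(config_dir, name)):
        fields = raw.split()
        if len(fields) >= 2 and fields[0] == "INCLUDE":
            if level > MAX_INCLUDE_DEPTH:
                continue                      # nested too deeply: ignored
            target = fields[1]
            # Hardening added in this example, not described in the notes:
            # the named file must resolve to a direct child of config_dir.
            full = os.path.normpath(os.path.join(config_dir, target))
            if os.path.dirname(full) != os.path.normpath(config_dir):
                raise ValueError(f"INCLUDE escapes {config_dir}: {target}")
            out.extend(expand_includes(target, config_dir, read_file, level + 1))
        else:
            out.append(raw.rstrip("\n"))
    return out


# Constructed sample files keyed by full path (addresses are placeholders).
SAMPLE_FILES = {
    "/etc/shorewall/params": ["# Shorewall 1.3 /etc/shorewall/params",
                              "INCLUDE params.mgmt",
                              "LOCAL_NET=192.0.2.0/24"],
    "/etc/shorewall/params.mgmt": ["MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3",
                                   "INCLUDE params.deep1"],
    "/etc/shorewall/params.deep1": ["DEEP1=1", "INCLUDE params.deep2"],
    "/etc/shorewall/params.deep2": ["DEEP2=2", "INCLUDE params.deep3"],
    "/etc/shorewall/params.deep3": ["DEEP3=3"],   # level 4: never included
    "/etc/shorewall/params.bad": ["INCLUDE ../shadow"],
}


def expand_sample(name):
    return expand_includes(name, CONFIG_DIR, SAMPLE_FILES.__getitem__)
```

Expanding "params" yields the mgmt, deep1 and deep2 settings in place of their INCLUDE lines, while the level-4 directive in params.deep2 is silently dropped.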

3) Routing traffic from an interface back out that interface continues
   to be a problem. While I firmly believe that this should never
   happen, people continue to want to do it. To limit the damage that
   such nonsense produces, I have added a new 'routeback' option in
   /etc/shorewall/interfaces and /etc/shorewall/hosts. When used in
   /etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in
   other words, 'routeback' can't be used as an option for a multi-zone
   interface. The 'routeback' option CAN, however, be specified on
   individual group entries in /etc/shorewall/hosts.

   The 'routeback' option is similar to the old 'multi' option with two
   exceptions:

   a) The option pertains to a particular (zone,interface,address) tuple.

   b) The option only creates infrastructure to pass traffic from
      (zone,interface,address) tuples back to themselves (the 'multi'
      option affected all (zone,interface,address) tuples associated with
      the given 'interface').

   See the 'Upgrade Issues' for information about how this new option
   may affect your configuration.