shorewall_code/Shorewall-docs/seattlefirewall_index.htm

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
                     
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.3</title>
                                     
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
                     
  <meta name="ProgId" content="FrontPage.Editor.Document">
                                             <base target="_self">   
  <meta name="Microsoft Theme" content="none">
</head>
  <body>
                                             
<table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
         <tbody>
    <tr>
           <td width="100%">           
      <h1 align="center"> <font size="4"><i>           <a
 href="http://www.cityofshoreline.com">       <img border="0"
 src="images/washington.jpg" align="right" width="100" height="82">
      <img border="0" src="images/washington.jpg" align="left"
 width="100" height="82">
      </a></i></font><font color="#ffffff">Shorewall 1.3 - <font
 size="4">"<i>iptables made easy"</i></font></font></h1>
           </td>
         </tr>
       
  </tbody>
</table>
                                              
<div align="center">         
<center>         
<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4">
           <tbody>
    <tr>
             <td width="90%">                                           
  
      <h2 align="left">What is it?</h2>
                                              
      <p>The Shoreline Firewall, more commonly known as "Shorewall",<2C> is
a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall        that can be used on a dedicated firewall system, a multi-function
       gateway/router/server or on a standalone GNU/Linux system.</p>
                                             
      <p>This program is free software; you can redistribute it and/or modify
it        under the terms of <a
 href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
General Public License</a> as published by the Free Software        Foundation.<br>
          <br>
           This program is distributed in the hope that it will be useful,
but        WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
       or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
       for more details.<br>
          <br>
           You should have received a copy of the GNU General Public License
       along with this program; if not, write to the Free Software Foundation,
       Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
                                             
      <p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
                                                                 
      <p><EFBFBD><a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
      </a>Jacques        Nilo and Eric Wolzak have a LEAF distribution called
      <i>Bering</i> that        features Shorewall-1.3.3 and Kernel-2.4.18.
You can find their work at:   <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
                                                                 
      <h2>News</h2>
                                 
      <p><b>9/16/2002 - Shorewall 1.3.8<EFBFBD></b><b><img border="0"
 src="file:///vfat/Shorewall/Shorewall-docs/images/new10.gif" width="28"
 height="12">
 </b></p>
 
      <p>In this version:<br>
 </p>
 
      <ul>
        <li>A NEWNOTSYN option has been added to shorewall.conf. This option
determines whether Shorewall accepts TCP packets which are not part of an
established connection and that are not 'SYN' packets (SYN flag on and ACK
flag off).</li>
        <li>The need for the 'multi' option to communicate between zones
za and zb on the same interface is removed in the case where the chain 'za2zb'
and/or 'zb2za' exists. 'za2zb' will exist if:</li>
        <ul>
          <li>       
            <blockquote>There is a policy for za to zb; or</blockquote>
     </li>
          <li>       
            <blockquote>There is at least one rule for za to zb.</blockquote>
     </li>
        </ul>
      </ul>
 
      <ul>
        <li>The /etc/shorewall/blacklist file now contains three columns.
In addition to the SUBNET/ADDRESS column, there are optional PROTOCOL and
PORT columns to block only certain applications from the blacklisted addresses.<br>
   </li>
      </ul>
 
      <p><b>9/11/2002 - Debian 1.3.7c Packages Available </b></p>
                                 
      <p>Apt-get sources listed at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
                                 
      <p><b>9/2/2002 - Shorewall 1.3.7c</b></p>
                                 
      <p>This is a role up of a fix for "DNAT" rules where the source zone
is $FW   (fw).</p>
                                 
      <p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
                                 
      <p>This is a role up of the "shorewall refresh" bug fix and the change
which   reverses the order of "dhcp" and "norfc1918" checking.</p>
                                 
      <p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
                                 
      <p><a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
is now available.</p>
                                 
      <p><b>8/25/2002 - Shorewall Mirror in France </b></p>
                                 
      <p>Thanks to a Shorewall user in Paris, the Shorewall web site is now
mirrored   at <a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
                                 
      <p><b>8/25/2002 - Shorewall 1.3.7a Debian Packages Available</b></p>
                                 
      <p>Lorenzo Martignoni reports that the packages for version 1.3.7a
 are available at <a
 href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
                                 
      <p><b>8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for
its Author   -- Shorewall 1.3.7a released  <img border="0"
 src="images/j0233056.gif" width="50" height="80" align="middle">
      </b></p>
                                 
      <p>1.3.7a corrects problems occurring in  rules file processing when
starting Shorewall   1.3.7.</p>
                                 
      <p><b>8/22/2002 - Shorewall 1.3.7 Released</b></p>
                                 
      <p>Features in this release include:</p>
                                      
      <ul>
         <li>The 'icmp.def' file is now empty! The rules in that file were
         required in ipchains firewalls but are not required in Shorewall.
Users          who have ALLOWRELATED=No in <a
 href="Documentation.htm#Conf">         shorewall.conf</a> should see the
          <a href="errata.htm#Upgrade">Upgrade          Issues</a>.</li>
         <li>A 'FORWARDPING' option has been added to         <a
 href="Documentation.htm#Conf">shorewall.conf</a>. The effect of        
 setting this variable to Yes is the same as the effect of adding an    
     ACCEPT rule for ICMP echo-request in         <a
 href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>.     
    Users who have such a rule in icmpdef are encouraged to switch to   
      FORWARDPING=Yes.</li>
         <li>The loopback CLASS A Network (127.0.0.0/8) has been added to
the          rfc1918 file.</li>
         <li>Shorewall now works with iptables 1.2.7.</li>
         <li>The documentation and Web site no longer use FrontPage themes.</li>
       
      </ul>
                                 
      <p>I would like to thank John Distler for his valuable input regarding
TCP SYN   and ICMP treatment in Shorewall. That input has led to marked improvement
in   Shorewall in the last two releases.</p>
                                 
      <p><b>8/13/2002 - Documentation in the <a target="_top"
 href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">  CVS Repository</a></b></p>
                                 
      <p>The Shorewall-docs project now contains just the HTML and image
files - the   Frontpage files have been removed.</p>
                                 
      <p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a
 target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">  CVS
Repository</a></b></p>
                                 
      <p>This branch will only be updated after I release a new version of
Shorewall   so you can always update from this branch to get the latest stable
tree.</p>
                                 
      <p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section
added   to the <a href="errata.htm">Errata Page</a></b></p>
                                 
      <p>Now there is one place to go to look for issues involved with upgrading
to   recent versions of Shorewall.</p>
                                 
      <p><b>8/7/2002 - Shorewall 1.3.6</b></p>
                                 
      <p>This is primarily a bug-fix rollup with a couple of new features:</p>
                                 
      <ul>
    <li>The latest <a href="shorewall_quickstart_guide.htm">QuickStart Guides
          </a>    including the <a href="shorewall_setup_guide.htm">Shorewall
Setup Guide.</a></li>
    <li>Shorewall will now DROP TCP packets that are not part of or related
to an     existing connection and that are not SYN packets. These "New not
SYN" packets     may be optionally logged by setting the LOGNEWNOTSYN option
in <a href="Documentation.htm#Conf">    /etc/shorewall/shorewall.conf</a>.</li>
    <li>The processing of "New not SYN" packets may be extended by commands
in     the new <a href="shorewall_extension_scripts.htm">newnotsyn extension
script</a>.</li>
  
      </ul>
                                                             
      <p><a href="News.htm">More News</a></p>
                                                                 
      <h2><a name="Donations"></a>Donations</h2>
                                                </td>
             <td width="88" bgcolor="#4b017c" valign="top"
 align="center">             <a href="http://sourceforge.net">M</a></td>
           </tr>
         
  </tbody>
</table>
         </center>
       </div>
                                     
<table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#4b017c">
    <tbody>
    <tr>
      <td width="100%" style="margin-top: 1px;">      
      <p align="center"><a href="http://www.starlight.org">        <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10">
      <img border="4" src="images/newlog.gif" width="57" height="100"
 align="right" hspace="10">
      </a></p>
      
      <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if       you try it and find it useful, please consider making a donation
to       <a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
      </td>
    </tr>
  
  </tbody>
</table>
                              
<p><font size="2">Updated       9/16/2002 - <a href="support.htm">Tom Eastep</a> 
     </font>                                                            
        </p>
                                                            <br>
</body>
</html>