shorewall_code/Shorewall2/releasenotes.txt

Shorewall 2.0.1-RC2

----------------------------------------------------------------------
Problems Corrected since 2.0.0

1) Using actions in the manner recommended in the documentation
   results in a Warning that the rule is a policy.

2) When a zone on a single interface is defined using
   /etc/shorewall/hosts, superfluous rules are generated in the
   <zone>_frwd chain.

3) Thanks to Sean Mathews, a long-standing problem with Proxy ARP and
   IPSEC has been corrected. Thanks Sean!!!

Problems Corrected since 2.0.1 RC1

1) Although the release notes listed a set of new options available in
   the /etc/shorewall/hosts file, those options were not accepted.

2) The 'nobogons' interface option didn't work.
-----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:

1) The function of 'norfc1918' is now split between that option and a
   new 'nobogons' option.

   The rfc1918 file released with Shorewall now contains entries for
   only those three address ranges reserved by RFC 1918. A 'nobogons'
   interface option has been added which handles bogon source
   addresses (those which are reserved by the IANA, those reserved for
   DHCP auto-configuration and the class C test-net reserved for
   testing and documentation examples). This will allow users to
   perform RFC 1918 filtering without having to deal with out
   of date data from IANA. Those who are willing to update their
   /usr/share/shorewall/bogons file regularly can specify the
   'nobogons' option in addition to 'norfc1918'.

   The level at which bogon packets are logged is specified in the new
   BOGON_LOG_LEVEL variable in shorewall.conf. If that option is not
   specified or is specified as empty (e.g, BOGON_LOG_LEVEL="") then
   bogon packets whose TARGET is 'logdrop' in
   /usr/share/shorewall/bogons are logged at the 'info' level.

New Features:

1) Support for Bridging Firewalls has been added. For details, see

   http://shorewall.net/bridge.html

2) Support for NETMAP has been added. NETMAP allows NAT to be defined
   between two network:

	   a.b.c.1    -> x.y.z.1
	   a.b.c.2    -> x.y.z.2
	   a.b.c.3    -> x.y.z.3
	   ...	   

   http://shorewall.net/netmap.html

3) The /sbin/shorewall program now accepts a "-x" option to cause
   iptables to print out the actual packet and byte counts rather than
   abbreviated counts such as "13MB".

   Commands affected by this are:

	    shorewall -x show [ <chain>[ <chain> ...] ]
	    shorewall -x show tos|mangle
	    shorewall -x show nat
	    shorewall -x status
	    shorewall -x monitor [ <interval> ]

4) Shorewall now traps two common zone definition errors:

   - Including the firewall zone in a /etc/shorewall/hosts record.
   - Defining an interface for a zone in both /etc/shorewall/interfaces
     and /etc/shorewall/hosts.

   In the second case, the following will appear during "shorewall
   [re]start" or "shorewall check":

   Determining Hosts in Zones...
      ...
      Error: Invalid zone definition for zone <name of zone>
   Terminated

5) To support bridging, the following options have been added to
   entries in /etc/shorewall/hosts:

	   norfc1918
	   nobogons
	   blacklist
	   tcpflags
	   nosmurfs
	   newnotsyn

   With the exception of 'newnotsyn', these options are only
   useful when the entry refers to a bridge port.

   Example:
   
   #ZONE   HOST(S)	OPTIONS
   net	   br0:eth0	norfc1918,nobogons,blacklist,tcpflags,nosmurfs