2004-09-24 00:58:32 +02:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
2003-12-30 02:19:52 +01:00
< html >
< head >
2004-09-24 00:58:32 +02:00
< meta http-equiv = "CONTENT-TYPE" content = "text/html; charset=utf-8" >
2004-04-12 16:16:46 +02:00
< title > Shoreline Firewall (Shorewall) 2.0< / title >
< base target = "_self" >
2004-09-24 00:58:32 +02:00
< meta name = "GENERATOR" content = "OpenOffice.org 1.1.1 (Linux)" >
< meta name = "CREATED" content = "20040920;15031500" >
< meta name = "CHANGED" content = "20040920;15183300" >
2003-12-30 02:19:52 +01:00
< / head >
2004-09-24 00:58:32 +02:00
< body dir = "ltr" lang = "en-US" >
2004-11-19 19:10:17 +01:00
< h1 > Shorewall 2.x< / h1 >
2004-09-24 00:58:32 +02:00
< p > < b > Tom Eastep< / b > < br >
2004-05-28 19:24:32 +02:00
< br >
2004-09-24 00:58:32 +02:00
The information on this site applies only
2004-11-19 19:10:17 +01:00
to 2.x releases of Shorewall. For older versions:< / p >
2004-05-28 19:24:32 +02:00
< ul >
2004-09-24 00:58:32 +02:00
< li >
< p style = "margin-bottom: 0in;" > The 1.4 site is < a
href="http://www.shorewall.net/1.4" target="_top">here.< / a > < / p >
< / li >
< li >
< p style = "margin-bottom: 0in;" > The 1.3 site is < a
href="http://www.shorewall.net/1.3" target="_top">here.< / a > < / p >
< / li >
< li >
< p > The 1.2 site is < a href = "http://shorewall.net/1.2/"
target="_top">here< / a > . < / p >
< / li >
2004-05-28 19:24:32 +02:00
< / ul >
2004-12-05 00:43:38 +01:00
< p > The current 2.0 Stable Release is 2.0.13 -- Here are the < a
href="http://shorewall.net/pub/shorewall/2.0/shorewall-2.0.13/releasenotes.txt">release
2004-09-11 16:31:50 +02:00
notes< / a > .< br >
2004-12-31 20:12:00 +01:00
The current Developement Release is 2.2.0 RC3 -- Here
2004-09-24 00:58:32 +02:00
are the < a
2004-12-31 20:12:00 +01:00
href="http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-RC3/releasenotes.txt">release
notes< / a > and here are the < a
href="http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-RC3/known_problems.txt">known
problems< / a > .< br >
< / p >
2004-12-29 00:19:15 +01:00
< p > < a
href="http://lists.shorewall.net/pipermail/shorewall-announce/2004-December/000451.html">< span
style="font-weight: bold;">Preparing for Shorewall 2.2 -- End of
support life for Shorewall 1.4 is Near! < / span > < / a > < br >
2004-08-14 23:00:08 +02:00
< br >
2004-09-24 00:58:32 +02:00
Copyright © 2001-2004 Thomas M. Eastep< / p >
2004-05-28 19:24:32 +02:00
< p > Permission is granted to copy, distribute and/or modify this
2004-09-24 00:58:32 +02:00
document under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software
Foundation; with no Invariant Sections, with no Front-Cover, and with
no Back-Cover Texts. A copy of the license is included in the section
2004-10-27 15:54:31 +02:00
entitled “< a href = "GnuCopyright.htm" target = "_self" > GNU
2004-09-24 00:58:32 +02:00
Free Documentation License< / a > ”.< / p >
2004-12-31 20:12:00 +01:00
< p > 2004-12-31< / p >
2004-09-24 00:58:32 +02:00
< hr >
2004-05-28 19:24:32 +02:00
< h3 > Table of Contents< / h3 >
2004-09-24 00:58:32 +02:00
< p style = "margin-left: 0.42in; margin-bottom: 0in;" > < a href = "#Intro" > Introduction
to Shorewall< / a > < / p >
< p style = "margin-left: 0.83in; margin-bottom: 0in;" > < a href = "#Glossary" > Glossary< / a > < br >
< a href = "#WhatIs" > What
is Shorewall?< / a > < br >
< a href = "#GettingStarted" > Getting Started with
2004-05-28 19:24:32 +02:00
Shorewall< / a > < br >
< a href = "#Info" > Looking for Information?< / a > < br >
2004-09-24 00:58:32 +02:00
< a href = "#Mandrake" > Running
Shorewall on Mandrake® with a two-interface setup?< / a > < br >
< a href = "#License" > License< / a > < / p >
2004-10-25 17:52:26 +02:00
< p style = "margin-bottom: 0in; margin-left: 40px;" > < a href = "#2_0_10" > News< / a > < / p >
2004-12-31 20:12:00 +01:00
< p style = "margin-left: 0.83in; margin-bottom: 0in;" > < a
2005-01-03 22:30:23 +01:00
href="#MandrakeRPMS">Mandrake-specific RPMs available< / a > < br >
< a href = "#Redhat_Fedora" > Redhat/Fedora-specific RPMs available< / a > < br >
2004-12-31 20:12:00 +01:00
< a href = "#2_2_0_RC3" > Shorewall
2.2.0 RC3< / a > < br >
< a href = "#2_2_0_RC2" > Shorewall
2004-12-25 17:09:00 +01:00
2.2.0 RC2< / a > < br >
< a href = "#2_2_0_RC1" > Shorewall
2004-12-23 03:47:44 +01:00
2.2.0 RC1< / a > < br >
< a href = "#2_2_0_Beta8" > Shorewall 2.2.0 Beta 8< / a > < br >
< a href = "#2_2_0_Beta7" > Shorewall 2.2.0 Beta 7< / a > < br >
2004-12-11 17:12:59 +01:00
< a href = "#2_0_13" > Shorewall
2004-12-05 00:43:38 +01:00
2.0.13< / a > < br >
< a href = "#2_0_12" > Shorewall
2.0.12< / a > < br >
< a href = "shorewall_index.htm#2_2_0_Beta6" > Shorewall 2.2.0 Beta 6< / a > < br >
2004-12-01 21:45:51 +01:00
< a href = "#2_2_0_Beta5" > Shorewall 2.2.0 Beta 5< / a > < br >
< a href = "#2_0_11" > Shorewall
2.0.11< / a > < br >
< a href = "#2_2_0_Beta4" > Shorewall 2.2.0 Beta 4< / a > < br >
2004-11-19 19:10:17 +01:00
< a href = "#2_2_0_Beta3" > Shorewall 2.2.0 Beta 3< / a > < br >
< a href = "#2_2_0_Beta2" > Shorewall 2.2.0 Beta 2< / a > < br >
2004-11-09 16:21:55 +01:00
< a href = "#2_0_10" > Shorewall
2004-10-25 17:52:26 +02:00
2.0.10< / a > < br >
< a href = "#2_2_0_Beta1" > Shorewall 2.2.0 Beta 1< / a > < br >
2004-09-24 00:58:32 +02:00
< br >
< / p >
< div style = "margin-left: 40px;" > < a href = "#Leaf" > Leaf< / a > < br >
2004-05-28 19:24:32 +02:00
< / div >
2004-09-24 00:58:32 +02:00
< p style = "margin-left: 40px;" > < a href = "#Donations" > Donations< / a > < / p >
2004-05-28 19:24:32 +02:00
< h2 > < a name = "Intro" > < / a > Introduction to Shorewall< / h2 >
< h3 > < a name = "Glossary" > < / a > Glossary< / h3 >
< ul >
2004-09-24 00:58:32 +02:00
< li >
< p style = "margin-bottom: 0in;" > < a href = "http://www.netfilter.org/"
target="_top">Netfilter< / a > - the packet filter facility built into
the 2.4 and later Linux kernels. < / p >
< / li >
< li >
< p style = "margin-bottom: 0in;" > ipchains - the packet filter
facility built into the 2.2 Linux kernels. Also the name of the utility
program used to configure and control that facility. Netfilter can be
used in ipchains compatibility mode. < / p >
< / li >
< li >
< p > iptables - the utility program used to configure and control
Netfilter. The term 'iptables' is often used to refer to the
2004-04-12 16:16:46 +02:00
combination of iptables+Netfilter (with Netfilter not in ipchains
2004-09-24 00:58:32 +02:00
compatibility mode). < / p >
< / li >
2004-05-28 19:24:32 +02:00
< / ul >
< h3 > < a name = "WhatIs" > < / a > What is Shorewall?< / h3 >
2004-09-24 00:58:32 +02:00
< p style = "margin-left: 0.42in;" > The Shoreline Firewall, more commonly
known as "Shorewall", is a high-level tool for configuring
Netfilter. You describe your firewall/gateway requirements using
entries in a set of configuration files. Shorewall reads those
configuration files and with the help of the iptables utility,
Shorewall configures Netfilter to match your requirements. Shorewall
can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system. Shorewall
does not use Netfilter's ipchains compatibility mode and can thus
take advantage of Netfilter's < a
2004-04-12 16:16:46 +02:00
href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html"
target="_top">connection
2004-09-24 00:58:32 +02:00
state tracking capabilities< / a > .< br >
2004-05-28 19:24:32 +02:00
< br >
2004-09-24 00:58:32 +02:00
Shorewall is < u > not< / u > a
daemon. Once Shorewall has configured Netfilter, it's job is
complete. After that, there is no Shorewall code running although the
< a href = "starting_and_stopping_shorewall.htm" > /sbin/shorewall program
can be used at any time to monitor the Netfilter firewall< / a > .< / p >
2004-05-28 19:24:32 +02:00
< h3 > < a name = "GettingStarted" > < / a > Getting Started with Shorewall< / h3 >
2004-09-24 00:58:32 +02:00
< p style = "margin-left: 0.42in;" > New to Shorewall? Start by selecting
the < a href = "shorewall_quickstart_guide.htm" > QuickStart Guide< / a >
that most closely matches your environment and follow the step by
step instructions.< / p >
2004-05-28 19:24:32 +02:00
< h3 > < a name = "Info" > < / a > Looking for Information?< / h3 >
2004-09-24 00:58:32 +02:00
< p style = "margin-left: 0.42in;" > The < a href = "Documentation_Index.html" > Documentation
Index< / a > is a good place to start as is the Quick Search in the
frame above. < / p >
2004-05-28 19:24:32 +02:00
< h3 > < a name = "Mandrake" > < / a > Running Shorewall on Mandrake® with a
two-interface setup?< / h3 >
2004-09-24 00:58:32 +02:00
< p style = "margin-left: 0.42in;" > If so, the documentation on this site
will not apply directly to your setup. If you want to use the
documentation that you find here, you will want to consider
uninstalling what you have and installing a setup that matches the
documentation on this site. See the < a href = "two-interface.htm" > Two-interface
QuickStart Guide< / a > for details.< br >
2004-05-28 19:24:32 +02:00
< br >
2004-09-24 00:58:32 +02:00
< b > Update: < / b > I've been
2004-04-12 16:16:46 +02:00
informed by Mandrake Development that this problem has been corrected
2004-09-24 00:58:32 +02:00
in Mandrake 10.0 Final (the problem still exists in the 10.0
Community release).< / p >
2004-05-28 19:24:32 +02:00
< h3 > < a name = "License" > < / a > License< / h3 >
2004-09-24 00:58:32 +02:00
< p style = "margin-left: 0.42in;" > This program is free software; you can
redistribute it and/or modify it under the terms of < a
href="http://www.gnu.org/licenses/gpl.html">Version
2004-04-12 16:16:46 +02:00
2 of the GNU General Public License< / a > as published by the Free
2004-09-24 00:58:32 +02:00
Software Foundation.< / p >
< p style = "margin-left: 0.42in;" > This program is distributed in the
hope that it will be useful, but WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more detail.< / p >
< p style = "margin-left: 0.42in;" > You should have received a copy of the
GNU General Public License along with this program; if not, write to
the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA
02139, USA< / p >
< p style = "margin-left: 0.42in;" > Permission is granted to copy,
distribute and/or modify this document under the terms of the GNU
Free Documentation License, Version 1.2 or any later version
published by the Free Software Foundation; with no Invariant
Sections, with no Front-Cover, and with no Back-Cover Texts. A copy
of the license is included in the section entitled "GNU Free
Documentation License". < / p >
< hr >
2004-05-28 19:24:32 +02:00
< h2 > < a name = "News" > < / a > News< / h2 >
2005-01-03 22:30:23 +01:00
< span style = "font-weight: bold;" > < a name = "MandrakeRPMS" > < / a > 12/31/2004
- Mandrake-specific 2.2.0 RC3 RPMs available< br >
< br >
< / span > Jack Coates has generously volunteered to provide Shorewall RPMs
for use under Mandrake. You can download Jack's RPMs from < a
target="_top" href="http://www.monkeynoodle.org/tmp/shorewall.spec">http://www.monkeynoodle.org/tmp/< / a > < br >
< br >
2004-12-31 20:12:00 +01:00
< span style = "font-weight: bold;" > < a name = "Redhat_Fedora" > < / a > 12/31/2004
- Redhat/Fedora-specific RPMs available< br >
< / span > < br >
Simon Matter has graciously volunteered to provide RPMs taylored for
2005-01-03 22:30:23 +01:00
Redhat and Fedora. You can download Simon's RPMs from < a target = "_top"
2004-12-31 20:12:00 +01:00
href="http://www.invoca.ch/pub/packages/shorewall/">http://www.invoca.ch/pub/packages/shorewall/< / a > < br >
< br >
Thanks, Simon!< br >
< br >
< span style = "font-weight: bold;" > < a name = "2_2_0_RC3" > < / a > 12/30/2004 -
Shorewall 2.2.0 RC3< br >
< / span > < br >
Problems Corrected:< br >
< ol >
< li > The following error message could appear during "shorewall stop"
or "shorewall clear":< br >
< br >
local: lo:: bad variable name< br >
< br >
< / li >
< li > The rate limiting example in /etc/shorewall/rules has been
changed to use the RATE LIMIT column.< / li >
< li > Entries in /etc/shorewall/masq with the INTERFACE column
containing < ifname> :: (e.g., "eth0::") would generate a progress
message but would not generate an iptables rule.< / li >
< li > A misleading typo in /etc/shorewall/tunnels has been corrected.< br >
< / li >
< / ol >
< span style = "font-weight: bold;" > < a name = "2_2_0_RC2" > < / a > 12/24/2004 -
2004-12-25 17:09:00 +01:00
Shorewall 2.2.0 RC2< br >
< br >
< / span > New Features:< br >
< ol >
< li > By popular demand, the default port for Open VPN tunnels is now
1194 (the IANA-reserved port number for Open VPN).< / li >
< / ol >
2004-12-23 03:47:44 +01:00
< span style = "font-weight: bold;" > < a name = "2_2_0_RC1" > < / a > 12/19/2004 -
Shorewall 2.2.0 RC1< br >
< br >
< / span > Problems Corrected:< br >
< ol >
< li > The syntax of the add and delete command has been clarified in
the help summary produced by /sbin/shorewall.< / li >
< / ol >
New Features:< br >
< ol >
< li > TCP OpenVPN tunnels are now supported using the 'openvpn' tunnel
type. OpenVPN entries in /etc/shorewall/tunnels have this format:< br >
< br >
openvpn[:{tcp|udp}][:< port> ]
< zone> < gateway> < br >
< br >
Examples:< br >
< pre > openvpn:tcp net 1.2.3.4 # TCP tunnel on port 5000< br > openvpn:3344 net 1.2.3.4 # UDP on port 3344< br > openvpn:tcp:4455 net 1.2.3.4 # TCP on port 4455< / pre >
< / li >
< li > A new 'ipsecvpn' script is included in the tarball and in the
RPM. The RPM installs the file in the Documentation directory
(/usr/share/doc/packages/shorewall-2.2.0-0RC1).< br >
< br >
This script is intended for use on Roadwarrior laptops for establishing
an IPSEC SA to/from remote networks. The script has some limitations:< br >
< br >
- Only one instance of the script may be used at a
time.< br >
- Only the first SPD accessed will be instantiated
at the remote gateway. So while the script creates SPDs to/from the
remote gateway and each network listed in the NETWORKS setting at the
front of the script, only one of these may be used at a time.< br >
< / li >
< / ol >
< span style = "font-weight: bold;" > < a name = "2_2_0_Beta8" > < / a > 12/11/2004 -
Shorewall 2.2.0 Beta 8< br >
< br >
< / span > Problems Corrected:< br >
< ol >
< li > A typo in the /etc/shorewall/interfaces file has been corrected.< / li >
< li > Previously, the "add" and "delete" commands were generating
incorrect policy matches when policy match support was available.< / li >
< / ol >
New Features:< br >
< ol >
< li > Recent 2.6 kernels include code that evaluates TCP packets based
on TCP Window analysis. This can cause packets that were previously
classified as NEW or ESTABLISHED to be classified as INVALID.< br >
< br >
The new kernel code can be disabled by including this command in your
/etc/shorewall/init file:< br >
< br >
echo 1 >
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal< br >
< br >
Additional kernel logging about INVALID TCP packets may be obtained by
adding this command to /etc/shorewall/init:< br >
< br >
echo 1 >
/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid< br >
< br >
Traditionally, Shorewall has dropped INVALID TCP packets early. The new
DROPINVALID option allows INVALID packets to be passed through the
normal rules chains by setting DROPINVALID=No.< br >
< br >
If not specified or if specified as empty (e.g., DROPINVALID="") then
DROPINVALID=Yes is assumed.< br >
< br >
< / li >
< li > The "shorewall add" and "shorewall delete" commands now accept a
list of hosts to add or delete.< br >
< br >
Examples:< br >
< br >
shorewall add eth1:1.2.3.4 eth1:2.3.4.5 z12< br >
shorewall delete eth1:1.2.3.4 eth1:2.3.4.5 z12< br >
< br >
The above commands may also be written:< br >
< br >
shorewall add eth1:1.2.3.4,2.3.4.5 z12< br >
shorewall delete eth1:1.2.3.4,2.3.4.5 z12< br >
< br >
< / li >
< / ol >
2004-12-11 17:12:59 +01:00
< span style = "font-weight: bold;" > < a name = "2_2_0_Beta7" > < / a > 12/04/2004 -
Shorewall 2.2.0 Beta 7< br >
< / span > < br >
Problems Corrected:< br >
< ol >
< li > The "shorewall add" and "shorewall delete" commands now work in a
bridged environment. The syntax is:< br >
< br >
shorewall
add < interface> [:< port> ]:< address> < zone> < br >
shorewall
delete < interface> [:< port> ]:< address> < zone> < br >
< br >
Examples:< br >
< br >
shorewall
add br0:eth2:192.168.1.3 OK< br >
shorewall
delete br0:eth2:192.168.1.3 OK< br >
< br >
< / li >
< li > Previously, "shorewall save" created an out-of-sequence restore
script. The commands saved in the user's /etc/shorewall/start script
were executed prior to the Netfilter configuration being restored. This
has been corrected so that "shorewall save" now places those commands
at the end of the script.< br >
< br >
To accomplish this change, the "restore base" file
(/var/lib/shorewall/restore-base) has been split into two files:< br >
< br >
/var/lib/shorewall/restore-base -- commands to be executed before
Netfilter the configuration is restored.< br >
< br >
/var/lib/shorewall/restore-tail -- commands to be executed after the
Netfilter configuration is restored.< br >
< br >
< / li >
< li > Previously, traffic from the firewall to a dynamic zone member
host did not need to match the interface specified when the host was
added to the zone. For example, if eth0:1.2.3.4 is added to dynamic
zone Z then traffic out of any firewall interface to 1.2.3.4 will obey
the fw-> Z policies and rules. This has been corrected.< / li >
< li > Shorewall uses the temporary chain 'fooX1234' to probe iptables
for detrmining which features are supported. Previously, if that chain
happened to exist when Shorewall was run, capabilities were
mis-detected.< / li >
< / ol >
New Features:< br >
< ol >
< li > You can now use the "shorewall show zones" command to display the
current contents of the zones. This is particularly useful if you use
dynamic zones (DYNAMIC_ZONES=Yes in shorewall.conf).< br >
< br >
Example:< br >
< br >
ursa:/etc/shorewall #
shorewall show zones< br >
Shorewall-2.2.0-Beta7 Zones
at ursa - Sat Nov 27 11:18:25 PST 2004< br >
< br >
loc< br >
eth0:192.168.1.0/24< br >
eth1:1.2.3.4< br >
net< br >
eth0:0.0.0.0/0< br >
WiFi< br >
eth1:0.0.0.0/0< br >
sec< br >
eth1:0.0.0.0/0< br >
< br >
ursa:/etc/shorewall #< br >
< br >
< / li >
< li > Variable expansion may now be used with the INCLUDE directive.< br >
< br >
Example:< br >
< br >
/etc/shorewall/params< br >
< br >
FILE=/etc/foo/bar< br >
< br >
Any other config file:< br >
< br >
INCLUDE $FILE< br >
< br >
< / li >
< li > The output of "shorewall status" now includes the results of "ip
-stat link ls". This helps diagnose performance problems caused by link
errors.< / li >
< li > Previously, when rate-limiting was specified in
/etc/shorewall/policy (LIMIT:BURST column), any traffic which exceeded
the specified rate was silently dropped. Now, if a log< br >
level is given in the entry (LEVEL column) then drops are logged at
that level at a rate of 5/min with a burst of 5.< br >
< / li >
< / ol >
2004-12-05 00:43:38 +01:00
< span style = "font-weight: bold;" > < a name = "2_0_13" > < / a > 12/02/2004 -
Shorewall 2.0.13< br >
< br >
< / span > Problems Corrected:< br >
< ol >
< li > A typo in /usr/share/shorewall/firewall caused the "shorewall
add" to issue an error message:< br >
< pre class = "programlisting" > /usr/share/shorewall/firewall: line 1: match_destination_hosts: command not found< / pre >
< / li >
< / ol >
< span style = "font-weight: bold;" > < a name = "2_0_12" > < / a > 12/01/2004 -
Shorewall 2.0.12< br >
< / span > < br >
Problems Corrected:< br >
< ol >
< li > A typo in shorewall.conf (NETNOTSYN) has been corrected.< / li >
< li > The "shorewall add" and "shorewall delete" commands now work in a
bridged environment. The syntax is:< br >
< br >
shorewall add
< interface> [:< bridge port> ][:< address> ] < zone> < br >
shorewall delete
< interface> [:< bridge port> ][:< address> ] < zone> < br >
< br >
Examples:< br >
< br >
shorewall add br0:eth2:192.168.1.3 OK< br >
shorewall delete br0:eth2:192.168.1.3 OK< br >
< br >
< / li >
< li > Previously, "shorewall save" created an out-of-sequence restore
script. The commands saved in the user's /etc/shorewall/start script
were executed prior to the Netfilter configuration being restored. This
has been corrected so that "shorewall save" now places those commands
at the end of the script.< br >
< br >
To accomplish this change, the "restore base" file
(/var/lib/shorewall/restore-base) has been split into two files:< br >
< br >
/var/lib/shorewall/restore-base -- commands to be executed
before the Netfilter configuration is restored.< br >
< br >
/var/lib/shorewall/restore-tail -- commands to be executed
after the Netfilter configuration is restored.< br >
< br >
< / li >
< li > Previously, traffic from the firewall to a dynamic zone member
host did not need to match the interface specified when the host was
added to the zone. For example, if eth0:1.2.3.4 is added to dynamic
zone Z then traffic out of any firewall interface to 1.2.3.4 will obey
the fw-> Z policies and rules. This has been corrected.< / li >
< / ol >
New Features:< br >
< ol >
< li > Variable expansion may now be used with the INCLUDE directive.< br >
< br >
Example:< br >
< br >
/etc/shorewall/params< br >
< br >
FILE=/etc/foo/bar< br >
< br >
Any other config file:< br >
< br >
INCLUDE $FILE< br >
< / li >
< / ol >
2004-12-01 21:45:51 +01:00
< span style = "font-weight: bold;" > < a name = "2_2_0_Beta6" > < / a > 11/26/2004 -
Shorewall 2.2.0 Beta 6< br >
< br >
< / span > Beta 5 was more or less DOA. Here's Beta 6.< br >
< br >
Problems Corrected:< br >
< ol >
< li > Fixed a number of problems associated with not having an IPTABLES
value assigned in shorewall.conf< / li >
< li > Corrected a 'duplicate chain' error on "shorewall add" when the
'mss' option is present in /etc/shorewall/ipsec.< br >
< / li >
< / ol >
< span style = "font-weight: bold;" > < a name = "2_2_0_Beta5" > < / a > 11/26/2004 -
Shorewall 2.2.0 Beta 5< br >
< / span > < br >
Problems corrected:< br >
< ol >
< li > A typo in shorewall.conf (NETNOTSYN) has been corrected.< / li >
< / ol >
New Features:< br >
< ol >
< li > For consistency, the CLIENT PORT(S) column in the tcrules file
has been renamed SOURCE PORT(S).< / li >
< li > The contents of /proc/sys/net/ip4/icmp_echo_ignore_all is now
shown in the output of "shorewall status".< / li >
< li > A new IPTABLES option has been added to shorewall.conf. IPTABLES
can be used to designate the iptables executable to be used by
Shorewall. If not specified, the iptables executable determined by the
PATH setting is used.< br >
< / li >
< / ol >
< span style = "font-weight: bold;" > < a name = "2_0_11" > < / a > 11/23/2004 -
2004-12-05 00:43:38 +01:00
Shorewall 2.0.11< br >
2004-12-01 21:45:51 +01:00
< / span > < br >
Problems corrected:< br >
< ol >
< li > The INSTALL file now include special instructions for Slackware
users.< / li >
< li > The bogons file has been updated.< / li >
< li > Service names are replaced by port numbers in /etc/shorewall/tos.< / li >
< li > A typo in the install.sh file that caused an error during a new
install has been corrected.< / li >
< / ol >
New Features:< br >
< ol >
< li > The AllowNNTP action now allows NNTP over SSL/TLS (NTTPS).< br >
< / li >
< / ol >
2004-11-19 19:10:17 +01:00
< span style = "font-weight: bold;" > < a name = "2_2_0_Beta4" > < / a > 11/19/2004 -
Shorewall 2.2.0 Beta 4< br >
< / span > < br >
Problems Corrected:< br >
< ol >
< li > A cut and paste error resulted in some nonsense in the
description of the IPSEC column in /etc/shorewall/masq.< / li >
< li > A typo in /etc/shorewall/rules has been corrected.< / li >
< li > The bogons file has been updated.< / li >
< li > The "shorewall add" command previously reported success but did
nothing -- now it works.< / li >
< / ol >
New Features:< br >
< ol >
< li > The AllowNNTP action now allows NNTP over SSL/TLS (NNTPS).< br >
< / li >
< / ol >
< span style = "font-weight: bold;" > < a name = "2_2_0_Beta3" > < / a > 11/09/2004 -
Shorewall 2.2.0 Beta 3< br >
< / span > < br >
Problems Corrected:< br >
< ol >
< li > Missing '#' in the rfc1918 file has been corrected.< / li >
< li > The INSTALL file now includes special instructions for Slackware
users.< / li >
< / ol >
New Features:< br >
< ol >
< li > In CLASSIFY rules (/etc/shorewall/tcrules), an interface name may
now appear in the DEST column as in:< br >
< pre > #MARK/ SOURCE DEST PROTO PORT(S)< br > #CLASSIFY< br > 1:30 - eth0 tcp 25< / pre >
< / li >
< / ol >
2004-11-09 16:21:55 +01:00
< span style = "font-weight: bold;" > < a name = "2_2_0_Beta2" > < / a > 11/02/2004 -
Shorewall 2.2.0 Beta 2< br >
< br >
< / span > Problems Corrected:< br >
< ol >
< li > The "shorewall check" command results in the (harmless) error
message:< br >
< br >
/usr/share/shorewall/firewall: line 2753:< br >
check_dupliate_zones: command not found< br >
< br >
< / li >
< li > The AllowNTP standard action now allows outgoing responses to
broadcasts.< / li >
< li > A clarification has been added to the hosts file's description of
the 'ipsec' option pointing out that the option is redundent if the
zone named in the ZONE column has been designated an IPSEC zone in the
/etc/shorewall/ipsec file.< span style = "font-weight: bold;" > < / span > < / li >
< / ol >
New Features:< br >
< ol >
< li > The SUBNET column in /etc/shorewall/rfc1918 has been renamed
SUBNETS and it is now possible to specify a list of addresses in that
column.< br >
< / li >
< / ol >
2004-10-25 17:52:26 +02:00
< span style = "font-weight: bold;" > < a name = "2_0_10" > < / a > 10/25/2004 -
Shorewall 2.0.10< br >
2004-09-11 16:31:50 +02:00
< / span > < br >
Problems Corrected:< br >
< ol >
2004-10-25 17:52:26 +02:00
< li > The GATEWAY column was previously ignored in 'pptpserver' entries
in /etc/shorewall/tunnels.< / li >
< li > When log rule numbers are included in the LOGFORMAT, duplicate
rule numbers could previously be generated.< / li >
< li > The /etc/shorewall/tcrules file now includes a note to the effect
that rule evaluation continues after a match.< / li >
2004-10-27 15:54:31 +02:00
< li > The error message produced if Shorewall couldn't obtain the
routes
2004-10-25 17:52:26 +02:00
through an interface named in the SUBNET column of /etc/shorewall/masq
was less than helpful since it didn't include the interface name.< br >
2004-08-07 05:33:54 +02:00
< / li >
< / ol >
2004-10-25 17:52:26 +02:00
New Features:< br >
2004-05-28 19:24:32 +02:00
< ol >
2004-10-25 17:52:26 +02:00
< li > The "shorewall status" command has been enhanced to include the
values of key /proc settings:< br >
< br >
Example from a two-interface firewall:< br >
< br >
/proc< br >
< br >
/proc/sys/net/ipv4/ip_forward = 1< br >
/proc/sys/net/ipv4/conf/all/proxy_arp = 0< br >
/proc/sys/net/ipv4/conf/all/arp_filter = 0< br >
/proc/sys/net/ipv4/conf/all/rp_filter = 0< br >
/proc/sys/net/ipv4/conf/default/proxy_arp = 0< br >
/proc/sys/net/ipv4/conf/default/arp_filter = 0< br >
/proc/sys/net/ipv4/conf/default/rp_filter = 0< br >
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0< br >
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0< br >
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0< br >
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0< br >
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0< br >
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0< br >
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0< br >
/proc/sys/net/ipv4/conf/lo/arp_filter = 0< br >
/proc/sys/net/ipv4/conf/lo/rp_filter = 0< br >
2004-09-24 00:58:32 +02:00
< / li >
2004-05-28 19:24:32 +02:00
< / ol >
2004-07-03 00:42:04 +02:00
< br >
2004-10-25 17:52:26 +02:00
< span style = "font-weight: bold;" > < a name = "2_2_0_Beta1" > < / a > 10/24/2004 -
Shorewall 2.2.0 Beta1< br >
2004-07-03 00:42:04 +02:00
< br >
2004-10-25 17:52:26 +02:00
< / span > The first beta in the 2.2 series is now available. Download
location is:< br >
2004-07-03 00:42:04 +02:00
< br >
2004-10-25 17:52:26 +02:00
< div style = "margin-left: 40px;" > < a
href="http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1">http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1< / a > < br >
< a target = "_top"
href="ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1">ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1< / a > < br >
< / div >
< p > The features available in this release and the migration
considerations are covered in the < a
href="http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1/releasenotes.txt">release
notes< / a > . Highlights include:< br >
< / p >
2004-05-28 19:24:32 +02:00
< ol >
2004-10-25 17:52:26 +02:00
< li > The behavior produced by specifying a log level in an action
invocation is now much more rational. Previously, all packets sent to
the action were logged; now each rule within the invoked action behaves
as if logging had been specified on it.< / li >
< li > Support for the 2.6 Kernel's native IPSEC implementation is now
available.< / li >
< li > Support for ipp2p is included.< / li >
< li > Support for the iptables CONNMARK facility is now included in
Shorewall.< / li >
< li > A new LOGALLNEW option facilitates problem analysis.< / li >
< li > Users with a large static blacklist can now defer loading the
blacklist until after the rest of the ruleset has been enabled. Doing
so can decrease substantially the amount of time that connections are
disabled during < span style = "font-weight: bold;" > shorewall [re]start< / span > .< / li >
< li > Support for the iptables 'iprange match' feature has been
enabled. Users whose kernel and iptables contain this feature can use
ip address ranges in most places in their Shorewall configuration where
a CIDR netowrk can be used.< / li >
< li > Accepting of source routing and martian logging may now be
enabled/disabled on each interface.< / li >
< li > Shorewall now supports the CLASSIFY iptable target.< / li >
2004-05-28 19:24:32 +02:00
< / ol >
< p > < a href = "News.htm" > More News< / a > < / p >
2004-09-24 00:58:32 +02:00
< hr >
< h2 > < a name = "Leaf" > < / a > Leaf< / h2 >
< p > < a href = "http://leaf.sourceforge.net/" target = "_top" > < font
color="#000000">< img src = "images/leaflogo.gif" name = "Graphic1"
alt="(Leaf Logo)" align="bottom" border="1" height="39" width="52">< / font > < / a >
LEAF is an open source project which provides a Firewall/router on a
floppy, CD or CF. Several LEAF distributions including Bering and
Bering-uClibc use Shorewall as their Netfilter configuration tool.< / p >
< hr >
2004-08-07 05:33:54 +02:00
< h2 > < a name = "Donations" > < / a > Donations< / h2 >
2004-09-24 00:58:32 +02:00
< p align = "left" > < a href = "http://www.alz.org/" target = "_top" > < font
color="#000000">< img src = "images/alz_logo2.gif" name = "Graphic2"
alt="(Alzheimer's Association Logo)" align="right" border="1"
height="63" width="303">< / font > < / a > < a href = "http://www.starlight.org/"
target="_top">< font color = "#000000" > < img src = "images/newlog.gif"
name="Graphic3" alt="(Starlight Foundation Logo)" align="right"
border="1" height="105" width="62">< / font > < / a > < font size = "4" > Shorewall
is free but if you try it and find it useful, please consider making
a donation to the < a href = "http://www.alz.org/" target = "_top" > Alzheimer's
Association< / a > or to the < a href = "http://www.starlight.org/"
target="_top">Starlight
Children's Foundation< / a > .< / font > < / p >
< p align = "left" > < font size = "4" > Thanks< / font > < / p >
< p align = "left" > < br >
2004-05-28 19:24:32 +02:00
< br >
2004-09-24 00:58:32 +02:00
< / p >
2004-04-12 16:16:46 +02:00
< / body >
2003-12-30 02:19:52 +01:00
< / html >
