2002-11-09 22:34:47 +01:00
|
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
|
|
<html>
|
|
|
|
<head>
|
2003-12-28 23:10:28 +01:00
|
|
|
<meta name="generator" content="HTML Tidy, see www.w3.org">
|
|
|
|
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
|
|
|
|
<title>Shoreline Firewall (Shorewall) 1.4</title>
|
|
|
|
<base target="_self">
|
2002-11-09 22:34:47 +01:00
|
|
|
</head>
|
2003-08-09 19:14:58 +02:00
|
|
|
<body>
|
|
|
|
<div align="center">
|
|
|
|
<center>
|
2003-12-28 23:10:28 +01:00
|
|
|
<table border="0" cellpadding="0" cellspacing="0"
|
|
|
|
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
|
|
|
<tbody>
|
|
|
|
<tr>
|
|
|
|
<td width="90%">
|
|
|
|
<h2>Introduction<br>
|
|
|
|
</h2>
|
|
|
|
<ul>
|
|
|
|
<li><a href="http://www.netfilter.org">Netfilter</a> - the
|
|
|
|
packet
|
2003-12-13 01:25:04 +01:00
|
|
|
filter facility built into the 2.4 and later Linux kernels.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
<li>ipchains - the packet filter facility built into the 2.2
|
|
|
|
Linux
|
2003-12-13 01:25:04 +01:00
|
|
|
kernels. Also the name of the utility program used to configure and
|
|
|
|
control that facility. Netfilter can be used in ipchains
|
2003-08-09 19:14:58 +02:00
|
|
|
compatibility mode.<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
</li>
|
|
|
|
<li>iptables - the utility program used to configure and
|
|
|
|
control
|
2003-12-13 01:25:04 +01:00
|
|
|
Netfilter. The term 'iptables' is often used to refer to the
|
2003-12-03 00:51:46 +01:00
|
|
|
combination of iptables+Netfilter (with Netfilter not in ipchains
|
|
|
|
compatibility mode).<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
</li>
|
|
|
|
</ul>
|
2003-12-03 00:51:46 +01:00
|
|
|
The Shoreline Firewall, more commonly known as "Shorewall", is
|
2003-08-09 19:14:58 +02:00
|
|
|
high-level tool for configuring Netfilter. You describe your
|
2003-12-13 01:25:04 +01:00
|
|
|
firewall/gateway requirements using entries in a set of
|
|
|
|
configuration files. Shorewall reads those configuration files and
|
|
|
|
with the help of the iptables utility, Shorewall configures
|
|
|
|
Netfilter to match your requirements. Shorewall can be used on a
|
|
|
|
dedicated firewall system, a multi-function gateway/router/server
|
|
|
|
or on a standalone GNU/Linux system. Shorewall does not use
|
|
|
|
Netfilter's ipchains compatibility mode and can thus take advantage
|
2003-12-28 23:10:28 +01:00
|
|
|
of Netfilter's connection state tracking capabilities.
|
|
|
|
<p>This program is free software; you can redistribute it and/or
|
|
|
|
modify it under the terms of <a
|
|
|
|
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
|
|
|
General
|
2003-12-13 01:25:04 +01:00
|
|
|
Public License</a> as published by the Free Software
|
|
|
|
Foundation.<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
2003-08-09 19:14:58 +02:00
|
|
|
This program is distributed in the hope that it will be useful, but
|
|
|
|
WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
2003-12-13 01:25:04 +01:00
|
|
|
General Public License for more details.<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
2003-12-13 01:25:04 +01:00
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
along with this program; if not, write to the Free Software
|
|
|
|
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
2003-12-28 23:10:28 +01:00
|
|
|
<p> Permission is granted to copy, distribute and/or modify this
|
|
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
|
|
1.2 or any later version published by the Free Software Foundation;
|
|
|
|
with no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
|
|
Texts. A copy of the license is included in the section entitled <a>"GNU
|
|
|
|
Free Documentation License"</a>.</p>
|
|
|
|
<p>Copyright © 2001-2003 Thomas M. Eastep </p>
|
|
|
|
<h2>This is the Shorewall 1.4 Web Site</h2>
|
2003-08-09 19:14:58 +02:00
|
|
|
The information on this site applies only to 1.4.x releases of
|
|
|
|
Shorewall. For older versions:<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<ul>
|
|
|
|
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
|
|
|
|
target="_top">here.</a></li>
|
|
|
|
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
|
|
|
|
target="_top">here</a>.<br>
|
|
|
|
</li>
|
|
|
|
</ul>
|
|
|
|
<h2>Getting Started with Shorewall</h2>
|
|
|
|
New to Shorewall? Start by selecting the <a
|
|
|
|
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
|
2003-12-13 01:25:04 +01:00
|
|
|
closely match your environment and follow the step by step
|
|
|
|
instructions.<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<h2>Looking for Information?</h2>
|
|
|
|
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
2003-12-13 01:25:04 +01:00
|
|
|
Index</a> is a good place to start as is the Quick Search in the
|
2003-12-28 23:10:28 +01:00
|
|
|
frame above.
|
|
|
|
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
2003-12-13 01:25:04 +01:00
|
|
|
If so, the documentation <b></b>on this site will not apply
|
|
|
|
directly to your setup. If you want to use the documentation that
|
|
|
|
you find here, you will want to consider uninstalling what you have
|
|
|
|
and installing a setup that matches the documentation on this site.
|
|
|
|
See the <a href="two-interface.htm">Two-interface QuickStart
|
2003-12-28 23:10:28 +01:00
|
|
|
Guide</a> for details.
|
|
|
|
<h2><b>News</b></h2>
|
|
|
|
<p><b>12/28/2003 - www.shorewall.net/ftp.shorewall.net Back
|
|
|
|
On-line</b> <b><img alt="(New)" src="images/new10.gif"
|
|
|
|
style="border: 0px solid ; width: 28px; height: 12px;" title=""> <br>
|
|
|
|
</b></p>
|
|
|
|
<p>Our high-capacity server has been restored to service --
|
|
|
|
please let <a href="mailto:webmaster@shorewall.net">us</a> know if you
|
|
|
|
find any problems.<br>
|
|
|
|
</p>
|
|
|
|
<p><b>12/07/2003 - Shorewall 1.4.9 Beta 1</b> <b><img
|
|
|
|
style="border: 0px solid ; width: 28px; height: 12px;"
|
|
|
|
src="images/new10.gif" alt="(New)" title=""><br>
|
|
|
|
</b></p>
|
|
|
|
<div style="margin-left: 40px;"><a
|
|
|
|
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
|
|
|
|
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
|
|
|
|
</div>
|
|
|
|
<p>Problems Corrected since version 1.4.8:<br>
|
|
|
|
</p>
|
|
|
|
<ol>
|
|
|
|
<li>There has been a low continuing level of confusion over the
|
2003-12-13 01:25:04 +01:00
|
|
|
terms "Source NAT" (SNAT) and "Static NAT". To avoid future
|
|
|
|
confusion, all instances of "Static NAT" have been replaced with
|
|
|
|
"One-to-one NAT" in the documentation and configuration files.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
<li>The description of NEWNOTSYN in shorewall.conf has been
|
2003-12-09 19:32:39 +01:00
|
|
|
reworded for clarity.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
<li>Wild-card rules (those involving "all" as SOURCE or DEST)
|
|
|
|
will
|
2003-12-13 01:25:04 +01:00
|
|
|
no longer produce an error if they attempt to add a rule that would
|
|
|
|
override a NONE policy. The logic for expanding these wild-card
|
2003-12-09 19:32:39 +01:00
|
|
|
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
|
|
|
|
policy.<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
</li>
|
|
|
|
</ol>
|
|
|
|
<p>Migration Issues:<br>
|
|
|
|
<br>
|
2003-12-09 19:32:39 +01:00
|
|
|
None.<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
2003-12-09 19:32:39 +01:00
|
|
|
New Features:<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
</p>
|
|
|
|
<ol>
|
|
|
|
<li>To cut down on the number of "Why are these ports closed
|
|
|
|
rather
|
2003-12-13 01:25:04 +01:00
|
|
|
than stealthed?" questions, the SMB-related rules in
|
|
|
|
/etc/shorewall/common.def have been changed from 'reject' to
|
|
|
|
'DROP'.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
<li>For easier identification, packets logged under the
|
|
|
|
'norfc1918'
|
2003-12-13 01:25:04 +01:00
|
|
|
interface option are now logged out of chains named 'rfc1918'.
|
|
|
|
Previously, such packets were logged under chains named
|
2003-12-09 19:32:39 +01:00
|
|
|
'logdrop'.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
<li>Distributors and developers seem to be regularly inventing
|
|
|
|
new
|
2003-12-13 01:25:04 +01:00
|
|
|
naming conventions for kernel modules. To avoid the need to change
|
|
|
|
Shorewall code for each new convention, the MODULE_SUFFIX option
|
|
|
|
has been added to shorewall.conf. MODULE_SUFFIX may be set to the
|
|
|
|
suffix for module names in your particular distribution. If
|
|
|
|
MODULE_SUFFIX is not set in shorewall.conf, Shorewall will use the
|
|
|
|
list "o gz ko o.gz".<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
2003-12-09 19:32:39 +01:00
|
|
|
To see what suffix is used by your distribution:<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
2003-12-09 19:32:39 +01:00
|
|
|
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
2003-12-13 01:25:04 +01:00
|
|
|
All of the files listed should have the same suffix (extension).
|
|
|
|
Set MODULE_SUFFIX to that suffix.<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
2003-12-09 19:32:39 +01:00
|
|
|
Examples:<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
2003-12-09 19:32:39 +01:00
|
|
|
If all files end in ".kzo" then set
|
|
|
|
MODULE_SUFFIX="kzo"<br>
|
|
|
|
If all files end in ".kz.o" then set
|
|
|
|
MODULE_SUFFIX="kz.o"</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
<li>Support for user defined rule ACTIONS has been implemented
|
2003-12-09 19:32:39 +01:00
|
|
|
through two new files:<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
2003-12-09 19:32:39 +01:00
|
|
|
/etc/shorewall/actions - used to list the user-defined ACTIONS.<br>
|
2003-12-13 01:25:04 +01:00
|
|
|
/etc/shorewall/action.template - For each user defined
|
|
|
|
<action>, copy this file to
|
|
|
|
/etc/shorewall/action.<action> and add the appropriate rules
|
|
|
|
for that <action>. Once an <action> has been defined,
|
|
|
|
it may be used like any of the builtin ACTIONS (ACCEPT, DROP, etc.)
|
|
|
|
in /etc/shorewall/rules.<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
2003-12-13 01:25:04 +01:00
|
|
|
Example: You want an action that logs a packet at the 'info' level
|
|
|
|
and accepts the connection.<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
2003-12-09 19:32:39 +01:00
|
|
|
In /etc/shorewall/actions, you would add:<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
2003-12-09 19:32:39 +01:00
|
|
|
LogAndAccept<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
2003-12-09 19:32:39 +01:00
|
|
|
You would then copy /etc/shorewall/action.template to
|
|
|
|
/etc/shorewall/LogAndAccept and in that file, you would add the two
|
|
|
|
rules:<br>
|
|
|
|
LOG:info<br>
|
|
|
|
ACCEPT</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
</ol>
|
|
|
|
<p><b>12/03/2003 - Support Torch Passed</b> <b><img
|
|
|
|
style="border: 0px solid ; width: 28px; height: 12px;"
|
|
|
|
src="images/new10.gif" alt="(New)" title=""></b></p>
|
2003-12-13 01:25:04 +01:00
|
|
|
Effective today, I am reducing my participation in the day-to-day
|
|
|
|
support of Shorewall. As part of this shift to community-based
|
2003-12-28 23:10:28 +01:00
|
|
|
Shorewall support a new <a
|
|
|
|
href="https://lists.shorewall.net/mailman/listinfo/shorewall-newbies">Shorewall
|
2003-12-13 01:25:04 +01:00
|
|
|
Newbies mailing list</a> has been established to field questions
|
|
|
|
and problems from new users. I will not monitor that list
|
|
|
|
personally. I will continue my active development of Shorewall and
|
|
|
|
will be available via the development list to handle development
|
2003-12-28 23:10:28 +01:00
|
|
|
issues -- Tom.
|
|
|
|
<p><b>11/01/2003 - Shorewall 1.4.8 RC2</b> <b><img
|
|
|
|
style="border: 0px solid ; width: 28px; height: 12px;"
|
|
|
|
src="images/new10.gif" alt="(New)" title=""></b> <b></b></p>
|
2003-12-13 01:25:04 +01:00
|
|
|
Given the small number of new features and the relatively few lines
|
|
|
|
of code that were changed, there will be no Beta for 1.4.8.<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<p><b><a href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
|
|
|
|
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
|
|
|
|
<br>
|
|
|
|
</b> Problems Corrected since version 1.4.7:<br>
|
|
|
|
</p>
|
|
|
|
<ol>
|
|
|
|
<li>Tuomo Soini has supplied a correction to a problem that
|
|
|
|
occurs
|
2003-12-03 00:51:46 +01:00
|
|
|
using some versions of 'ash'. The symptom is that "shorewall start"
|
|
|
|
fails with:<br>
|
|
|
|
<br>
|
|
|
|
local: --limit: bad variable name<br>
|
|
|
|
iptables v1.2.8: Couldn't load match
|
|
|
|
`-j':/lib/iptables/libipt_-j.so:<br>
|
2003-12-13 01:25:04 +01:00
|
|
|
cannot open shared object file: No such file or
|
|
|
|
directory<br>
|
2003-12-03 00:51:46 +01:00
|
|
|
Try `iptables -h' or 'iptables --help' for more
|
|
|
|
information.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
<li>Andres Zhoglo has supplied a correction that avoids trying
|
|
|
|
to
|
2003-12-13 01:25:04 +01:00
|
|
|
use the multiport match iptables facility on ICMP rules.<br>
|
2003-12-03 00:51:46 +01:00
|
|
|
<br>
|
2003-12-13 01:25:04 +01:00
|
|
|
Example of rule that previously caused "shorewall
|
|
|
|
start" to fail:<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<br>
|
2003-12-03 00:51:46 +01:00
|
|
|
|
|
|
|
ACCEPT loc $FW
|
|
|
|
icmp 0,8,11,12<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
|
|
|
</li>
|
|
|
|
<li>Previously, if the following error message was issued,
|
2003-12-03 00:51:46 +01:00
|
|
|
Shorewall was left in an inconsistent state.<br>
|
|
|
|
<br>
|
2003-12-13 01:25:04 +01:00
|
|
|
Error: Unable to determine the routes through
|
|
|
|
interface xxx<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
|
|
|
</li>
|
|
|
|
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
|
|
|
|
been
|
2003-12-13 01:25:04 +01:00
|
|
|
corrected.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
<li>In Shorewall 1.4.2, an optimization was added. This
|
2003-12-13 01:25:04 +01:00
|
|
|
optimization involved creating a chain named "<zone>_frwd"
|
|
|
|
for most zones defined using the /etc/shorewall/hosts file. It has
|
|
|
|
since been discovered that in many cases these new chains contain
|
|
|
|
redundant rules and that the "optimization" turns out to be less
|
|
|
|
than optimal. The implementation has now been corrected.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
<li>When the MARK value in a tcrules entry is followed by ":F"
|
|
|
|
or
|
2003-12-03 00:51:46 +01:00
|
|
|
":P", the ":F" or ":P" was previously only applied to the first
|
2003-12-13 01:25:04 +01:00
|
|
|
Netfilter rule generated by the entry. It is now applied to all
|
|
|
|
entries.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
<li>An incorrect comment concerning Debian's use of the
|
|
|
|
SUBSYSLOCK
|
2003-12-13 01:25:04 +01:00
|
|
|
option has been removed from shorewall.conf.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
<li>Previously, neither the 'routefilter' interface option nor
|
|
|
|
the
|
2003-12-13 01:25:04 +01:00
|
|
|
ROUTE_FILTER parameter were working properly. This has been
|
|
|
|
corrected (thanks to Eric Bowles for his analysis and patch). The
|
|
|
|
definition of the ROUTE_FILTER option has changed however.
|
|
|
|
Previously, ROUTE_FILTER=Yes was documented as enabling route
|
|
|
|
filtering on all interfaces (which didn't work). Beginning with
|
|
|
|
this release, setting ROUTE_FILTER=Yes will enable route filtering
|
|
|
|
of all interfaces brought up while Shorewall is started. As a
|
|
|
|
consequence, ROUTE_FILTER=Yes can coexist with the use of the
|
|
|
|
'routefilter' option in the interfaces file.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
<li>If MAC verification was enabled on an interface with a /32
|
2003-12-13 01:25:04 +01:00
|
|
|
address and a broadcast address then an error would occur during
|
|
|
|
startup.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
</ol>
|
2003-12-03 00:51:46 +01:00
|
|
|
Migration Issues:<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<ol>
|
|
|
|
<li>The definition of the ROUTE_FILTER option in shorewall.conf
|
|
|
|
has
|
2003-12-13 01:25:04 +01:00
|
|
|
changed as described in item 8) above.<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
</li>
|
|
|
|
</ol>
|
2003-12-03 00:51:46 +01:00
|
|
|
New Features:<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<ol>
|
|
|
|
<li>A new QUEUE action has been introduced for rules. QUEUE
|
|
|
|
allows
|
2003-12-13 01:25:04 +01:00
|
|
|
you to pass connection requests to a user-space filter such as
|
|
|
|
ftwall (http://p2pwall.sourceforge.net). The ftwall program allows
|
|
|
|
for effective filtering of p2p applications such as Kazaa. For
|
2003-12-03 00:51:46 +01:00
|
|
|
example, to use ftwall to filter P2P clients in the 'loc' zone, you
|
|
|
|
would add the following rules:<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
2003-12-03 00:51:46 +01:00
|
|
|
QUEUE loc
|
|
|
|
net tcp<br>
|
|
|
|
QUEUE loc
|
|
|
|
net udp<br>
|
|
|
|
QUEUE loc
|
|
|
|
fw udp<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
2003-12-13 01:25:04 +01:00
|
|
|
You would normally want to place those three rules BEFORE any
|
|
|
|
ACCEPT rules for loc->net udp or tcp.<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
2003-12-03 00:51:46 +01:00
|
|
|
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
|
|
|
|
Shorewall will only pass connection requests (SYN packets) to user
|
|
|
|
space. This is for compatibility with ftwall.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
<li>A BLACKLISTNEWNONLY option has been added to
|
|
|
|
shorewall.conf.
|
2003-12-13 01:25:04 +01:00
|
|
|
When this option is set to "Yes", the blacklists (dynamic and
|
|
|
|
static) are only consulted for new connection requests. When set to
|
|
|
|
"No" (the default if the variable is not set), the blacklists are
|
|
|
|
consulted on every packet.<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
2003-12-03 00:51:46 +01:00
|
|
|
Setting this option to "No" allows blacklisting to stop existing
|
|
|
|
connections from a newly blacklisted host but is more expensive in
|
|
|
|
terms of packet processing time. This is especially true if the
|
|
|
|
blacklists contain a large number of entries.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
<li>Chain names used in the /etc/shorewall/accounting file may
|
|
|
|
now
|
2003-12-13 01:25:04 +01:00
|
|
|
begin with a digit ([0-9]) and may contain embedded dashes
|
|
|
|
("-").</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
</ol>
|
|
|
|
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
|
|
|
|
bag
|
|
|
|
awards</b> <b><img
|
|
|
|
style="border: 0px solid ; width: 50px; height: 80px;"
|
|
|
|
src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
|
2003-12-13 01:25:04 +01:00
|
|
|
1.4.7c released.</b></p>
|
2003-12-28 23:10:28 +01:00
|
|
|
<ol>
|
|
|
|
<li>The saga with "<zone>_frwd" chains continues. The
|
|
|
|
1.4.7c
|
2003-12-13 01:25:04 +01:00
|
|
|
script produces a ruleset that should work for everyone even if it
|
|
|
|
is not quite optimal. My apologies for this ongoing mess.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
</ol>
|
|
|
|
<p><b>10/24/2003 - Shorewall 1.4.7b</b> <b><img
|
|
|
|
style="border: 0px solid ; width: 28px; height: 12px;"
|
|
|
|
src="images/new10.gif" alt="(New)" title=""></b></p>
|
|
|
|
<p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
|
|
|
|
</p>
|
|
|
|
<ol>
|
|
|
|
<li>The fix for problem 5 in 1.4.7a was wrong with the result
|
|
|
|
that
|
2003-12-13 01:25:04 +01:00
|
|
|
"<zone>_frwd" chains might contain too few rules. That wrong
|
|
|
|
code is corrected in this release.<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
</li>
|
|
|
|
</ol>
|
|
|
|
<p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
|
|
|
|
<p>This is a bugfix rollup of the following problem
|
2003-12-13 01:25:04 +01:00
|
|
|
corrections:<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
</p>
|
|
|
|
<ol>
|
|
|
|
<li>Tuomo Soini has supplied a correction to a problem that
|
|
|
|
occurs
|
2003-12-03 00:51:46 +01:00
|
|
|
using some versions of 'ash'. The symptom is that "shorewall start"
|
|
|
|
fails with:<br>
|
2003-08-09 19:14:58 +02:00
|
|
|
<br>
|
2003-12-03 00:51:46 +01:00
|
|
|
local: --limit: bad variable name<br>
|
|
|
|
iptables v1.2.8: Couldn't load match
|
|
|
|
`-j':/lib/iptables/libipt_-j.so:<br>
|
2003-12-13 01:25:04 +01:00
|
|
|
cannot open shared object file: No such file or
|
|
|
|
directory<br>
|
2003-12-03 00:51:46 +01:00
|
|
|
Try `iptables -h' or 'iptables --help' for more
|
|
|
|
information.<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
|
|
|
</li>
|
|
|
|
<li>Andres Zhoglo has supplied a correction that avoids trying
|
|
|
|
to
|
2003-12-13 01:25:04 +01:00
|
|
|
use the multiport match iptables facility on ICMP rules.<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<br>
|
2003-12-13 01:25:04 +01:00
|
|
|
Example of rule that previously caused "shorewall
|
|
|
|
start" to fail:<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<br>
|
2003-12-03 00:51:46 +01:00
|
|
|
|
|
|
|
ACCEPT loc $FW
|
|
|
|
icmp 0,8,11,12<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
|
|
|
</li>
|
|
|
|
<li>Previously, if the following error message was issued,
|
2003-12-03 00:51:46 +01:00
|
|
|
Shorewall was left in an inconsistent state.<br>
|
2003-10-07 00:38:40 +02:00
|
|
|
<br>
|
2003-12-03 00:51:46 +01:00
|
|
|
Error: Unable to determine the routes through
|
|
|
|
interface xxx<br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<br>
|
|
|
|
</li>
|
|
|
|
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
|
|
|
|
been
|
2003-12-13 01:25:04 +01:00
|
|
|
corrected.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
<li>In Shorewall 1.4.2, an optimization was added. This
|
2003-12-13 01:25:04 +01:00
|
|
|
optimization involved creating a chain named "<zone>_frwd"
|
|
|
|
for most zones defined using the /etc/shorewall/hosts file. It has
|
|
|
|
since been discovered that in many cases these new chains contain
|
|
|
|
redundant rules and that the "optimization" turns out to be less
|
|
|
|
than optimal. The implementation has now been corrected.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
<li>When the MARK value in a tcrules entry is followed by ":F"
|
|
|
|
or
|
2003-12-03 00:51:46 +01:00
|
|
|
":P", the ":F" or ":P" was previously only applied to the first
|
2003-12-13 01:25:04 +01:00
|
|
|
Netfilter rule generated by the entry. It is now applied to all
|
|
|
|
entries.</li>
|
2003-12-28 23:10:28 +01:00
|
|
|
</ol>
|
|
|
|
<p><b><a href="News.htm">More News</a></b></p>
|
|
|
|
<b></b>
|
|
|
|
<h2><b></b></h2>
|
|
|
|
<b></b>
|
|
|
|
<p><a href="http://leaf.sourceforge.net" target="_top"><img
|
|
|
|
border="0" src="images/leaflogo.gif" width="49" height="36"
|
|
|
|
alt="(Leaf Logo)"></a> Jacques Nilo and Eric Wolzak have a LEAF
|
2003-12-13 01:25:04 +01:00
|
|
|
(router/firewall/gateway on a floppy, CD or compact flash)
|
|
|
|
distribution called <i>Bering</i> that features Shorewall-1.4.2 and
|
2003-12-28 23:10:28 +01:00
|
|
|
Kernel-2.4.20. You can find their work at: <a
|
|
|
|
href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo</a></p>
|
|
|
|
<b>Congratulations to Jacques and Eric on the recent release of
|
2003-12-13 01:25:04 +01:00
|
|
|
Bering 1.2!!!</b> <br>
|
2003-12-28 23:10:28 +01:00
|
|
|
<h1 align="center"><b><a href="http://www.sf.net"><img
|
|
|
|
align="left" alt="SourceForge Logo"
|
|
|
|
src="http://sourceforge.net/sflogo.php?group_id=22587&type=3"></a></b></h1>
|
|
|
|
<b></b>
|
|
|
|
<h4><b></b></h4>
|
|
|
|
<b></b>
|
|
|
|
<h2><b>This site is hosted by the generous folks at <a
|
|
|
|
href="http://www.sf.net">SourceForge.net</a></b></h2>
|
|
|
|
<br>
|
|
|
|
<br>
|
|
|
|
<h2><b><a name="Donations"></a>Donations</b></h2>
|
|
|
|
<b></b></td>
|
|
|
|
</tr>
|
|
|
|
</tbody>
|
2002-12-28 16:38:03 +01:00
|
|
|
</table>
|
2003-08-09 19:14:58 +02:00
|
|
|
</center>
|
|
|
|
</div>
|
2003-12-28 23:10:28 +01:00
|
|
|
<table border="0" cellpadding="5" cellspacing="0"
|
|
|
|
style="border-collapse: collapse; width: 100%; background-color: rgb(51, 102, 255);"
|
2003-12-03 00:51:46 +01:00
|
|
|
id="AutoNumber2">
|
2003-12-28 23:10:28 +01:00
|
|
|
<tbody>
|
|
|
|
<tr>
|
|
|
|
<td style="width: 100%; margin-top: 1px;">
|
|
|
|
<p align="center"><a href="http://www.starlight.org"><img
|
|
|
|
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
|
|
|
hspace="10" alt="Starlight Foundation Logo"></a></p>
|
|
|
|
<p align="center"><font size="4" color="#ffffff"><br>
|
|
|
|
<font size="+2">Shorewall is free but if you try it and find it
|
|
|
|
useful, please consider making a donation to <a
|
|
|
|
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
2003-08-09 19:14:58 +02:00
|
|
|
Children's Foundation.</font></a> Thanks!</font></font></p>
|
2003-12-28 23:10:28 +01:00
|
|
|
</td>
|
|
|
|
</tr>
|
|
|
|
</tbody>
|
2003-01-14 18:18:42 +01:00
|
|
|
</table>
|
2003-12-28 23:10:28 +01:00
|
|
|
<p><font size="2">Updated 12/28/2003 - <a href="support.htm">Tom
|
2003-12-13 01:25:04 +01:00
|
|
|
Eastep</a></font><br>
|
2003-07-19 17:07:31 +02:00
|
|
|
</p>
|
2002-11-09 22:34:47 +01:00
|
|
|
</body>
|
|
|
|
</html>
|