shorewall_code/STABLE/releasenotes.txt

This is a minor release of Shorewall that has a couple of new features.

New features include:

1) An OLD_PING_HANDLING option has been added to shorewall.conf. When
   set to Yes, Shorewall ping handling is as it has always been (see
   http://www.shorewall.net/ping.html).

   When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
   policies just like any other connection request. The FORWARDPING
   option in shorewall.conf is ignored and the 'noping' and
   'filterping' options in /etc/shorewall/interfaces will generate an
   error.

2) It is now possible to direct Shorewall to create a "label" such as
   "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
   and ADD_SNAT_ALIASES=Yes. This is done by specifying the label
   instead of just the interface name:

   a) In the INTERFACE column of /etc/shorewall/masq
   b) In the INTERFACE column of /etc/shorewall/nat

3) The ability to name your VLAN interfaces using the $dev.$vid
   convention (e.g., "eth0.0") has been restored. This capability was
   inadvertently broken in version 1.3.12.

4) Support has been added for defining OpenVPN tunnels in the
   /etc/shorewall/tunnels file.

5) When an interface name is entered in the SUBNET column of the
   /etc/shorewall/masq file, Shorewall previously masqueraded traffic
   from only the first subnet defined on that interface. It did not
   masquerade traffic from:

   a) The subnets associated with other addresses on the interface.
   b) Subnets accessed through local routers.

   Beginning with Shorewall 1.3.14, if you enter an interface name in
   the SUBNET column, shorewall will use the firewall's routing table
   to construct the masquerading/SNAT rules.

   Example 1 -- This is how it works in 1.3.14.
   
   [root@gateway test]# cat /etc/shorewall/masq
   #INTERFACE              SUBNET                  ADDRESS
   eth0                    eth2                    206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
   
   [root@gateway test]# ip route show dev eth2
   192.168.1.0/24  scope link
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   
   [root@gateway test]# ip route show dev eth2
   192.168.1.0/24  scope link
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   [root@gateway test]# shorewall start
   ...
   Masqueraded Subnets and Hosts:
       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
   Processing /etc/shorewall/tos...

   When upgrading to Shorewall 1.3.14, if you have multiple local
   subnets connected to an interface that is specified in the SUBNET
   column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
   file will need changing. In most cases, you will simply be able to
   remove redundant entries. In some cases though, you might want to change
   from using the interface name to listing specific subnetworks if the
   change described above will cause masquerading to occur on
   subnetworks that you don't wish to masquerade.

   Example 2 -- Suppose that your current config is as follows:
   
   [root@gateway test]# cat /etc/shorewall/masq
   #INTERFACE              SUBNET                  ADDRESS
   eth0                    eth2                    206.124.146.176
   eth0			   192.168.10.0/24	   206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
   
   [root@gateway test]# ip route show dev eth2
   192.168.1.0/24  scope link
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   [root@gateway test]#

   In this case, the second entry in /etc/shorewall/masq is no longer
   required.

   Example 3 -- What if your current configuration is like this?

   [root@gateway test]# cat /etc/shorewall/masq
   #INTERFACE              SUBNET                  ADDRESS
   eth0                    eth2                    206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
   
   [root@gateway test]# ip route show dev eth2
   192.168.1.0/24  scope link
   192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
   [root@gateway test]#

   In this case, you would want to change the entry in
   /etc/shorewall/masq to:

   #INTERFACE              SUBNET                  ADDRESS
   eth0                    192.168.1.0/24          206.124.146.176
   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Changes for 1.3.11 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@341 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2002-11-24 21:12:22 +01:00			`This is a minor release of Shorewall that has a couple of new features.`
Initial revision git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@182 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2002-08-07 16:28:04 +02:00
			`New features include:`

Shoreawall 1.3.14 Changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@440 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2003-02-08 21:48:47 +01:00			`1) An OLD_PING_HANDLING option has been added to shorewall.conf. When`
			`set to Yes, Shorewall ping handling is as it has always been (see`
			`http://www.shorewall.net/ping.html).`

			`When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and`
			`policies just like any other connection request. The FORWARDPING`
			`option in shorewall.conf is ignored and the 'noping' and`
			`'filterping' options in /etc/shorewall/interfaces will generate an`
			`error.`

			`2) It is now possible to direct Shorewall to create a "label" such as`
			`"eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes`
			`and ADD_SNAT_ALIASES=Yes. This is done by specifying the label`
			`instead of just the interface name:`

			`a) In the INTERFACE column of /etc/shorewall/masq`
			`b) In the INTERFACE column of /etc/shorewall/nat`

			`3) The ability to name your VLAN interfaces using the $dev.$vid`
			`convention (e.g., "eth0.0") has been restored. This capability was`
			`inadvertently broken in version 1.3.12.`

			`4) Support has been added for defining OpenVPN tunnels in the`
			`/etc/shorewall/tunnels file.`

			`5) When an interface name is entered in the SUBNET column of the`
			`/etc/shorewall/masq file, Shorewall previously masqueraded traffic`
			`from only the first subnet defined on that interface. It did not`
			`masquerade traffic from:`

			`a) The subnets associated with other addresses on the interface.`
			`b) Subnets accessed through local routers.`

			`Beginning with Shorewall 1.3.14, if you enter an interface name in`
			`the SUBNET column, shorewall will use the firewall's routing table`
			`to construct the masquerading/SNAT rules.`

			`Example 1 -- This is how it works in 1.3.14.`

			`[root@gateway test]# cat /etc/shorewall/masq`
			`#INTERFACE SUBNET ADDRESS`
			`eth0 eth2 206.124.146.176`
			`#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE`
Changes for 1.3.13 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@402 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2003-01-14 21:32:45 +01:00
Shoreawall 1.3.14 Changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@440 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2003-02-08 21:48:47 +01:00			`[root@gateway test]# ip route show dev eth2`
			`192.168.1.0/24 scope link`
			`192.168.10.0/24 proto kernel scope link src 192.168.10.254`

			`[root@gateway test]# ip route show dev eth2`
			`192.168.1.0/24 scope link`
			`192.168.10.0/24 proto kernel scope link src 192.168.10.254`
			`[root@gateway test]# shorewall start`
			`...`
			`Masqueraded Subnets and Hosts:`
			`To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176`
			`To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176`
			`Processing /etc/shorewall/tos...`

			`When upgrading to Shorewall 1.3.14, if you have multiple local`
			`subnets connected to an interface that is specified in the SUBNET`
			`column of an /etc/shorewall/masq entry, your /etc/shorewall/masq`
			`file will need changing. In most cases, you will simply be able to`
			`remove redundant entries. In some cases though, you might want to change`
			`from using the interface name to listing specific subnetworks if the`
			`change described above will cause masquerading to occur on`
			`subnetworks that you don't wish to masquerade.`
Changes for 1.3.13 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@402 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2003-01-14 21:32:45 +01:00
Shoreawall 1.3.14 Changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@440 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2003-02-08 21:48:47 +01:00			`Example 2 -- Suppose that your current config is as follows:`

			`[root@gateway test]# cat /etc/shorewall/masq`
			`#INTERFACE SUBNET ADDRESS`
			`eth0 eth2 206.124.146.176`
			`eth0 192.168.10.0/24 206.124.146.176`
			`#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE`
Changes for 1.3.13 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@402 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2003-01-14 21:32:45 +01:00
Shoreawall 1.3.14 Changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@440 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2003-02-08 21:48:47 +01:00			`[root@gateway test]# ip route show dev eth2`
			`192.168.1.0/24 scope link`
			`192.168.10.0/24 proto kernel scope link src 192.168.10.254`
			`[root@gateway test]#`

			`In this case, the second entry in /etc/shorewall/masq is no longer`
			`required.`

			`Example 3 -- What if your current configuration is like this?`

			`[root@gateway test]# cat /etc/shorewall/masq`
			`#INTERFACE SUBNET ADDRESS`
			`eth0 eth2 206.124.146.176`
			`#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE`

			`[root@gateway test]# ip route show dev eth2`
			`192.168.1.0/24 scope link`
			`192.168.10.0/24 proto kernel scope link src 192.168.10.254`
			`[root@gateway test]#`

			`In this case, you would want to change the entry in`
			`/etc/shorewall/masq to:`

			`#INTERFACE SUBNET ADDRESS`
			`eth0 192.168.1.0/24 206.124.146.176`
			`#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE`