diff --git a/STABLE/changelog.txt b/STABLE/changelog.txt
index aebaf9266..9e203511e 100644
--- a/STABLE/changelog.txt
+++ b/STABLE/changelog.txt
@@ -51,3 +51,6 @@ Changes since 1.4.5
21. Support Linux 2.6 compressed modules.
22. Don't display DHCP message when there are no DHCP interface.
+
+23. Move determine_capabilities call to do_initialize to ensure that
+ MANGLE_ENABLED is set before it is tested.
diff --git a/STABLE/documentation/News.htm b/STABLE/documentation/News.htm
index 2d61645c1..24995aeb4 100644
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
@@ -5,7 +5,7 @@
-
+
Shorewall News
@@ -16,300 +16,499 @@
-
+
-
+
-
+
-
+
-
+
+
+ |
- |
-
Shorewall News Archive
- |
+
-
+
+
+
-
-
-
+
+7/22/2003 - Shorewall-1.4.6a
+
+Problems Corrected:
+
+
+ - Previously, if TC_ENABLED is set to yes in shorewall.conf then Shorewall
+would fail to start with the error "ERROR: Traffic Control requires Mangle";
+that problem has been corrected.
+
7/20/2003 - Shorewall-1.4.6
-
+
-
+
-
+
Problems Corrected:
+
+
+
+
+ - A problem seen on RH7.3 systems where Shorewall encountered start
+ errors when started using the "service" mechanism has been worked around.
+
+
+ - Where a list of IP addresses appears in the DEST column of a DNAT[-]
+ rule, Shorewall incorrectly created multiple DNAT rules in the nat table
+(one for each element in the list). Shorewall now correctly creates a
+single DNAT rule with multiple "--to-destination" clauses.
+
+
+ - Corrected a problem in Beta 1 where DNS names containing a "-"
+ were mis-handled when they appeared in the DEST column of a rule.
+
+
+ - A number of problems with rule parsing have been corrected. Corrections
+involve the handling of "z1!z2" in the SOURCE column as well as lists in
+the ORIGINAL DESTINATION column.
+
+
+ - The message "Adding rules for DHCP" is now suppressed if there are
+no DHCP rules to add.
+
+
+
+
+
+Migration Issues:
-
+
- - A problem seen on RH7.3 systems where Shorewall encountered start
- errors when started using the "service" mechanism has been worked around.
+ - In earlier versions, an undocumented feature allowed entries in
+the host file as follows:
+
+ z eth1:192.168.1.0/24,eth2:192.168.2.0/24
+
+ This capability was never documented and has been removed in 1.4.6
+ to allow entries of the following format:
+
+ z eth1:192.168.1.0/24,192.168.2.0/24
- - Where a list of IP addresses appears in the DEST column of a DNAT[-]
- rule, Shorewall incorrectly created multiple DNAT rules in the nat table
-(one for each element in the list). Shorewall now correctly creates a
-single DNAT rule with multiple "--to-destination" clauses.
-
-
- - Corrected a problem in Beta 1 where DNS names containing a "-"
-were mis-handled when they appeared in the DEST column of a rule.
+ - The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
+ removed from /etc/shorewall/shorewall.conf. These capabilities are now
+automatically detected by Shorewall (see below).
+
+
+
+
+
+New Features:
+
+
+
+
+ - A 'newnotsyn' interface option has been added. This option may
+ be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
+ for packets arriving on the associated interface.
+
+
+ - The means for specifying a range of IP addresses in /etc/shorewall/masq
+ to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled
+for address ranges.
+
+
+ - Shorewall can now add IP addresses to subnets other than the first
+ one on an interface.
+
+
+ - DNAT[-] rules may now be used to load balance (round-robin) over
+a set of servers. Servers may be specified in a range of addresses given
+as <first address>-<last address>.
+
+ Example:
+
+ DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
+
+
+ - The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
+ have been removed and have been replaced by code that detects whether
+these capabilities are present in the current kernel. The output of the
+ start, restart and check commands have been enhanced to report the outcome:
+
+ Shorewall has detected the following iptables/netfilter capabilities:
+ NAT: Available
+ Packet Mangling: Available
+ Multi-port Match: Available
+ Verifying Configuration...
+
+
+ - Support for the Connection Tracking Match Extension has been added.
+ This extension is available in recent kernel/iptables releases and allows
+ for rules which match against elements in netfilter's connection tracking
+ table. Shorewall automatically detects the availability of this extension
+ and reports its availability in the output of the start, restart and check
+ commands.
+
+ Shorewall has detected the following iptables/netfilter capabilities:
+ NAT: Available
+ Packet Mangling: Available
+ Multi-port Match: Available
+ Connection Tracking Match: Available
+ Verifying Configuration...
+
+ If this extension is available, the ruleset generated by Shorewall
+ is changed in the following ways:
+
+
+ - To handle 'norfc1918' filtering, Shorewall will not create chains
+ in the mangle table but will rather do all 'norfc1918' filtering in the
+filter table (rfc1918 chain).
+ - Recall that Shorewall DNAT rules generate two netfilter rules;
+ one in the nat table and one in the filter table. If the Connection Tracking
+ Match Extension is available, the rule in the filter table is extended
+to check that the original destination address was the same as specified
+ (or defaulted to) in the DNAT rule.
- - A number of problems with rule parsing have been corrected. Corrections
-involve the handling of "z1!z2" in the SOURCE column as well as lists in
-the ORIGINAL DESTINATION column.
-
-
- - The message "Adding rules for DHCP" is now suppressed if there are
-no DHCP rules to add.
-
-
-
-Migration Issues:
-
-
-
- - In earlier versions, an undocumented feature allowed entries in
-the host file as follows:
-
- z eth1:192.168.1.0/24,eth2:192.168.2.0/24
-
- This capability was never documented and has been removed in 1.4.6
- to allow entries of the following format:
-
- z eth1:192.168.1.0/24,192.168.2.0/24
-
-
- - The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
- removed from /etc/shorewall/shorewall.conf. These capabilities are now
-automatically detected by Shorewall (see below).
-
-
-
-New Features:
-
-
-
-
- - A 'newnotsyn' interface option has been added. This option may
-be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
- for packets arriving on the associated interface.
+
+ - The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
+ may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.
+
+
+ - An 'ipcalc' command has been added to /sbin/shorewall.
+
+ ipcalc [ <address> <netmask> | <address>/<vlsm>
+ ]
+
+ Examples:
+
+ [root@wookie root]# shorewall ipcalc 192.168.1.0/24
+ CIDR=192.168.1.0/24
+ NETMASK=255.255.255.0
+ NETWORK=192.168.1.0
+ BROADCAST=192.168.1.255
+ [root@wookie root]#
+
+ [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0
+ CIDR=192.168.1.0/24
+ NETMASK=255.255.255.0
+ NETWORK=192.168.1.0
+ BROADCAST=192.168.1.255
+ [root@wookie root]#
+
+ Warning:
+
+ If your shell only supports 32-bit signed arithmatic (ash or dash),
+ then the ipcalc command produces incorrect information for IP addresses
+ 128.0.0.0-1 and for /1 networks. Bash should produce correct information
+ for all valid IP addresses.
- - The means for specifying a range of IP addresses in /etc/shorewall/masq
- to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for
- address ranges.
+ - An 'iprange' command has been added to /sbin/shorewall.
+
-
- - Shorewall can now add IP addresses to subnets other than the first
- one on an interface.
+ iprange <address>-<address>
-
- - DNAT[-] rules may now be used to load balance (round-robin) over
-a set of servers. Servers may be specified in a range of addresses given
-as <first address>-<last address>.
+ This command decomposes a range of IP addressses into a list of
+ network and host addresses. The command can be useful if you need to
+construct an efficient set of rules that accept connections from a range
+of network addresses.
+
+ Note: If your shell only supports 32-bit signed arithmetic (ash
+ or dash) then the range may not span 128.0.0.0.
Example:
- DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
+ [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9
+ 192.168.1.4/30
+ 192.168.1.8/29
+ 192.168.1.16/28
+ 192.168.1.32/27
+ 192.168.1.64/26
+ 192.168.1.128/25
+ 192.168.2.0/23
+ 192.168.4.0/22
+ 192.168.8.0/22
+ 192.168.12.0/29
+ 192.168.12.8/31
+ [root@gateway root]#
- - The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
- have been removed and have been replaced by code that detects whether
- these capabilities are present in the current kernel. The output of the
- start, restart and check commands have been enhanced to report the outcome:
+ - A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.
- Shorewall has detected the following iptables/netfilter capabilities:
- NAT: Available
- Packet Mangling: Available
- Multi-port Match: Available
- Verifying Configuration...
+ Example:
-
- - Support for the Connection Tracking Match Extension has been added.
- This extension is available in recent kernel/iptables releases and allows
- for rules which match against elements in netfilter's connection tracking
- table. Shorewall automatically detects the availability of this extension
- and reports its availability in the output of the start, restart and
-check commands.
-
- Shorewall has detected the following iptables/netfilter capabilities:
- NAT: Available
- Packet Mangling: Available
- Multi-port Match: Available
- Connection Tracking Match: Available
- Verifying Configuration...
-
- If this extension is available, the ruleset generated by Shorewall
- is changed in the following ways:
-
- - To handle 'norfc1918' filtering, Shorewall will not create chains
- in the mangle table but will rather do all 'norfc1918' filtering in the
-filter table (rfc1918 chain).
- - Recall that Shorewall DNAT rules generate two netfilter rules;
- one in the nat table and one in the filter table. If the Connection
-Tracking Match Extension is available, the rule in the filter table is extended
- to check that the original destination address was the same as specified
- (or defaulted to) in the DNAT rule.
-
-
-
- - The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
- may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.
-
-
- - An 'ipcalc' command has been added to /sbin/shorewall.
-
- ipcalc [ <address> <netmask> | <address>/<vlsm>
- ]
-
- Examples:
-
- [root@wookie root]# shorewall ipcalc 192.168.1.0/24
- CIDR=192.168.1.0/24
- NETMASK=255.255.255.0
- NETWORK=192.168.1.0
- BROADCAST=192.168.1.255
- [root@wookie root]#
-
- [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0
- CIDR=192.168.1.0/24
- NETMASK=255.255.255.0
- NETWORK=192.168.1.0
- BROADCAST=192.168.1.255
- [root@wookie root]#
-
- Warning:
-
- If your shell only supports 32-bit signed arithmatic (ash or dash),
- then the ipcalc command produces incorrect information for IP addresses
- 128.0.0.0-1 and for /1 networks. Bash should produce correct information
- for all valid IP addresses.
-
-
- - An 'iprange' command has been added to /sbin/shorewall.
-
-
- iprange <address>-<address>
-
- This command decomposes a range of IP addressses into a list of
-network and host addresses. The command can be useful if you need to construct
- an efficient set of rules that accept connections from a range of network
- addresses.
-
- Note: If your shell only supports 32-bit signed arithmetic (ash
-or dash) then the range may not span 128.0.0.0.
-
- Example:
-
- [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9
- 192.168.1.4/30
- 192.168.1.8/29
- 192.168.1.16/28
- 192.168.1.32/27
- 192.168.1.64/26
- 192.168.1.128/25
- 192.168.2.0/23
- 192.168.4.0/22
- 192.168.8.0/22
- 192.168.12.0/29
- 192.168.12.8/31
- [root@gateway root]#
-
-
- - A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.
-
- Example:
-
- foo eth1:192.168.1.0/24,192.168.2.0/24
-
-
- - The "shorewall check" command now includes the chain name when printing
+ foo eth1:192.168.1.0/24,192.168.2.0/24
+
+
+ - The "shorewall check" command now includes the chain name when printing
the applicable policy for each pair of zones.
-
- Example:
-
- Policy for dmz to net is REJECT using chain all2all
-
- This means that the policy for connections from the dmz to the internet
-is REJECT and the applicable entry in the /etc/shorewall/policy was the all->all
-policy.
-
-
- - Support for the 2.6 Kernel series has been added.
-
+
+ Example:
+
+ Policy for dmz to net is REJECT using chain all2all
+
+ This means that the policy for connections from the dmz to the internet
+is REJECT and the applicable entry in the /etc/shorewall/policy was the all->all
+ policy.
+
+
+ - Support for the 2.6 Kernel series has been added.
+
+
+
7/15/2003 - New Mirror in Brazil
-
- Thanks to the folks at securityopensource.org.br, there is now a Shorewall
- mirror in Brazil.
+
+ Thanks to the folks at securityopensource.org.br, there is now a Shorewall
+ mirror in Brazil.
7/15/2003 - Shorewall-1.4.6 RC 1
-
-
+
+
Problems Corrected:
-
-
+
+
- - A problem seen on RH7.3 systems where Shorewall encountered start
+
- A problem seen on RH7.3 systems where Shorewall encountered start
errors when started using the "service" mechanism has been worked around.
+
+
+ - Where a list of IP addresses appears in the DEST column of a DNAT[-]
+ rule, Shorewall incorrectly created multiple DNAT rules in the nat table
+ (one for each element in the list). Shorewall now correctly creates a single
+ DNAT rule with multiple "--to-destination" clauses.
-
- - Where a list of IP addresses appears in the DEST column of a DNAT[-]
- rule, Shorewall incorrectly created multiple DNAT rules in the nat table
- (one for each element in the list). Shorewall now correctly creates a single
- DNAT rule with multiple "--to-destination" clauses.
+
+ - Corrected a problem in Beta 1 where DNS names containing a "-"
+were mis-handled when they appeared in the DEST column of a rule.
- - Corrected a problem in Beta 1 where DNS names containing a "-" were
- mis-handled when they appeared in the DEST column of a rule.
-
-
- - A number of problems with rule parsing have been corrected. Corrections
- involve the handling of "z1!z2" in the SOURCE column as well as lists in
-the ORIGINAL DESTINATION column.
-
-
+ - A number of problems with rule parsing have been corrected. Corrections
+ involve the handling of "z1!z2" in the SOURCE column as well as lists in
+ the ORIGINAL DESTINATION column.
+
+
-
+
+Migration Issues:
+
+
+
+ - In earlier versions, an undocumented feature allowed entries in
+the host file as follows:
+
+ z eth1:192.168.1.0/24,eth2:192.168.2.0/24
+
+ This capability was never documented and has been removed in 1.4.6
+to allow entries of the following format:
+
+ z eth1:192.168.1.0/24,192.168.2.0/24
+
+
+ - The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
+removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
+ detected by Shorewall (see below).
+
+
+
+
+New Features:
+
+
+
+ - A 'newnotsyn' interface option has been added. This option may
+be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
+ for packets arriving on the associated interface.
+
+
+ - The means for specifying a range of IP addresses in /etc/shorewall/masq
+ to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for
+address ranges.
+
+
+ - Shorewall can now add IP addresses to subnets other than the first
+ one on an interface.
+
+
+ - DNAT[-] rules may now be used to load balance (round-robin) over
+ a set of servers. Servers may be specified in a range of addresses given
+ as <first address>-<last address>.
+
+ Example:
+
+ DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
+
+
+ - The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
+ have been removed and have been replaced by code that detects whether these
+ capabilities are present in the current kernel. The output of the start,
+ restart and check commands have been enhanced to report the outcome:
+
+ Shorewall has detected the following iptables/netfilter capabilities:
+ NAT: Available
+ Packet Mangling: Available
+ Multi-port Match: Available
+ Verifying Configuration...
+
+
+ - Support for the Connection Tracking Match Extension has been added.
+ This extension is available in recent kernel/iptables releases and allows
+ for rules which match against elements in netfilter's connection tracking
+ table. Shorewall automatically detects the availability of this extension
+ and reports its availability in the output of the start, restart and check
+ commands.
+
+ Shorewall has detected the following iptables/netfilter capabilities:
+ NAT: Available
+ Packet Mangling: Available
+ Multi-port Match: Available
+ Connection Tracking Match: Available
+ Verifying Configuration...
+
+ If this extension is available, the ruleset generated by Shorewall
+is changed in the following ways:
+
+
+ - To handle 'norfc1918' filtering, Shorewall will not create chains
+ in the mangle table but will rather do all 'norfc1918' filtering in the
+ filter table (rfc1918 chain).
+ - Recall that Shorewall DNAT rules generate two netfilter rules;
+ one in the nat table and one in the filter table. If the Connection Tracking
+ Match Extension is available, the rule in the filter table is extended to
+ check that the original destination address was the same as specified (or
+ defaulted to) in the DNAT rule.
+
+
+
+
+ - The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
+ may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.
+
+
+ - An 'ipcalc' command has been added to /sbin/shorewall.
+
+ ipcalc [ <address> <netmask> | <address>/<vlsm>
+ ]
+
+ Examples:
+
+ [root@wookie root]# shorewall ipcalc 192.168.1.0/24
+ CIDR=192.168.1.0/24
+ NETMASK=255.255.255.0
+ NETWORK=192.168.1.0
+ BROADCAST=192.168.1.255
+ [root@wookie root]#
+
+ [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0
+ CIDR=192.168.1.0/24
+ NETMASK=255.255.255.0
+ NETWORK=192.168.1.0
+ BROADCAST=192.168.1.255
+ [root@wookie root]#
+
+ Warning:
+
+ If your shell only supports 32-bit signed arithmatic (ash or dash),
+then the ipcalc command produces incorrect information for IP addresses
+128.0.0.0-1 and for /1 networks. Bash should produce correct information
+for all valid IP addresses.
+
+
+ - An 'iprange' command has been added to /sbin/shorewall.
+
+ iprange <address>-<address>
+
+ This command decomposes a range of IP addressses into a list of network
+ and host addresses. The command can be useful if you need to construct an
+ efficient set of rules that accept connections from a range of network addresses.
+
+ Note: If your shell only supports 32-bit signed arithmetic (ash or
+dash) then the range may not span 128.0.0.0.
+
+ Example:
+
+ [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9
+ 192.168.1.4/30
+ 192.168.1.8/29
+ 192.168.1.16/28
+ 192.168.1.32/27
+ 192.168.1.64/26
+ 192.168.1.128/25
+ 192.168.2.0/23
+ 192.168.4.0/22
+ 192.168.8.0/22
+ 192.168.12.0/29
+ 192.168.12.8/31
+ [root@gateway root]#
+
+
+ - A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.
+
+ Example:
+
+ foo eth1:192.168.1.0/24,192.168.2.0/24
+
+
+
+7/7/2003 - Shorewall-1.4.6 Beta 2
+
+Problems Corrected:
+
+
+
+ - A problem seen on RH7.3 systems where Shorewall encountered start
+ errors when started using the "service" mechanism has been worked around.
+
+
+ - Where a list of IP addresses appears in the DEST column of a DNAT[-]
+ rule, Shorewall incorrectly created multiple DNAT rules in the nat table
+ (one for each element in the list). Shorewall now correctly creates a single
+ DNAT rule with multiple "--to-destination" clauses.
+
+
+ - Corrected a problem in Beta 1 where DNS names containing a "-"
+were mis-handled when they appeared in the DEST column of a rule.
+
+
+
+
Migration Issues:
-
+
- - In earlier versions, an undocumented feature allowed entries in
-the host file as follows:
+ - In earlier versions, an undocumented feature allowed entries in
+ the host file as follows:
z eth1:192.168.1.0/24,eth2:192.168.2.0/24
@@ -319,89 +518,89 @@ the host file as follows:
z eth1:192.168.1.0/24,192.168.2.0/24
- - The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
-removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
- detected by Shorewall (see below).
+ - The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
+ removed from /etc/shorewall/shorewall.conf. These capabilities are now
+automatically detected by Shorewall (see below).
-
+
-
+
New Features:
-
-
+
+
- - A 'newnotsyn' interface option has been added. This option may be
- specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
+
- A 'newnotsyn' interface option has been added. This option may
+be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
for packets arriving on the associated interface.
-
-
- - The means for specifying a range of IP addresses in /etc/shorewall/masq
- to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for
+
+
+ - The means for specifying a range of IP addresses in /etc/shorewall/masq
+ to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for
address ranges.
-
-
- - Shorewall can now add IP addresses to subnets other than the first
- one on an interface.
-
-
- - DNAT[-] rules may now be used to load balance (round-robin) over
-a set of servers. Servers may be specified in a range of addresses given
+
+
+ - Shorewall can now add IP addresses to subnets other than the first
+ one on an interface.
+
+
+ - DNAT[-] rules may now be used to load balance (round-robin) over
+ a set of servers. Servers may be specified in a range of addresses given
as <first address>-<last address>.
-
- Example:
-
- DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
-
-
- - The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
- have been removed and have been replaced by code that detects whether
-these capabilities are present in the current kernel. The output of the
-start, restart and check commands have been enhanced to report the outcome:
-
- Shorewall has detected the following iptables/netfilter capabilities:
- NAT: Available
- Packet Mangling: Available
- Multi-port Match: Available
- Verifying Configuration...
-
-
- - Support for the Connection Tracking Match Extension has been added.
- This extension is available in recent kernel/iptables releases and allows
- for rules which match against elements in netfilter's connection tracking
- table. Shorewall automatically detects the availability of this extension
- and reports its availability in the output of the start, restart and check
- commands.
-
- Shorewall has detected the following iptables/netfilter capabilities:
- NAT: Available
- Packet Mangling: Available
- Multi-port Match: Available
- Connection Tracking Match: Available
- Verifying Configuration...
-
- If this extension is available, the ruleset generated by Shorewall
+
+ Example:
+
+ DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
+
+
+ - The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
+ have been removed and have been replaced by code that detects whether these
+ capabilities are present in the current kernel. The output of the start,
+ restart and check commands have been enhanced to report the outcome:
+
+ Shorewall has detected the following iptables/netfilter capabilities:
+ NAT: Available
+ Packet Mangling: Available
+ Multi-port Match: Available
+ Verifying Configuration...
+
+
+ - Support for the Connection Tracking Match Extension has been added.
+ This extension is available in recent kernel/iptables releases and allows
+ for rules which match against elements in netfilter's connection tracking
+ table. Shorewall automatically detects the availability of this extension
+ and reports its availability in the output of the start, restart and check
+ commands.
+
+ Shorewall has detected the following iptables/netfilter capabilities:
+ NAT: Available
+ Packet Mangling: Available
+ Multi-port Match: Available
+ Connection Tracking Match: Available
+ Verifying Configuration...
+
+ If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:
-
+
- - To handle 'norfc1918' filtering, Shorewall will not create chains
- in the mangle table but will rather do all 'norfc1918' filtering in the
-filter table (rfc1918 chain).
- - Recall that Shorewall DNAT rules generate two netfilter rules;
-one in the nat table and one in the filter table. If the Connection Tracking
- Match Extension is available, the rule in the filter table is extended
-to check that the original destination address was the same as specified
-(or defaulted to) in the DNAT rule.
-
-
-
+ - To handle 'norfc1918' filtering, Shorewall will not create chains
+ in the mangle table but will rather do all 'norfc1918' filtering in the
+ filter table (rfc1918 chain).
+ - Recall that Shorewall DNAT rules generate two netfilter rules;
+ one in the nat table and one in the filter table. If the Connection Tracking
+ Match Extension is available, the rule in the filter table is extended to
+ check that the original destination address was the same as specified (or
+ defaulted to) in the DNAT rule.
+
+
+
- - The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
+
- The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.
-
- - An 'ipcalc' command has been added to /sbin/shorewall.
+
+ - An 'ipcalc' command has been added to /sbin/shorewall.
- ipcalc [ <address> <netmask> | <address>/<vlsm>
+ ipcalc [ <address> <netmask> | <address>/<vlsm>
]
Examples:
@@ -428,7 +627,7 @@ then the ipcalc command produces incorrect information for IP addresses
for all valid IP addresses.
- - An 'iprange' command has been added to /sbin/shorewall.
+ - An 'iprange' command has been added to /sbin/shorewall.
iprange <address>-<address>
@@ -437,7 +636,7 @@ for all valid IP addresses.
an efficient set of rules that accept connections from a range of network
addresses.
- Note: If your shell only supports 32-bit signed arithmetic (ash or dash)
+ Note: If your shell only supports 32-bit signed arithmetic (ash or dash)
then the range may not span 128.0.0.0.
Example:
@@ -457,1465 +656,1240 @@ addresses.
[root@gateway root]#
- - A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.
+ - A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.
Example:
- foo eth1:192.168.1.0/24,192.168.2.0/24
-
+ foo eth1:192.168.1.0/24,192.168.2.0/24
+
+
+
-
-7/7/2003 - Shorewall-1.4.6 Beta 2
-
-Problems Corrected:
-
-
-
- - A problem seen on RH7.3 systems where Shorewall encountered start
- errors when started using the "service" mechanism has been worked around.
-
-
- - Where a list of IP addresses appears in the DEST column of a DNAT[-]
- rule, Shorewall incorrectly created multiple DNAT rules in the nat table
- (one for each element in the list). Shorewall now correctly creates a single
- DNAT rule with multiple "--to-destination" clauses.
-
-
- - Corrected a problem in Beta 1 where DNS names containing a "-"
-were mis-handled when they appeared in the DEST column of a rule.
-
-
-
-
-Migration Issues:
-
-
-
- - In earlier versions, an undocumented feature allowed entries in
-the host file as follows:
-
- z eth1:192.168.1.0/24,eth2:192.168.2.0/24
-
- This capability was never documented and has been removed in 1.4.6 to
-allow entries of the following format:
-
- z eth1:192.168.1.0/24,192.168.2.0/24
-
-
- - The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
-removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
- detected by Shorewall (see below).
-
-
-
-
-New Features:
-
-
-
- - A 'newnotsyn' interface option has been added. This option may
-be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
- for packets arriving on the associated interface.
-
-
- - The means for specifying a range of IP addresses in /etc/shorewall/masq
- to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for
-address ranges.
-
-
- - Shorewall can now add IP addresses to subnets other than the first
- one on an interface.
-
-
- - DNAT[-] rules may now be used to load balance (round-robin) over
- a set of servers. Servers may be specified in a range of addresses given
- as <first address>-<last address>.
-
- Example:
-
- DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
-
-
- - The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
- have been removed and have been replaced by code that detects whether
-these capabilities are present in the current kernel. The output of the
-start, restart and check commands have been enhanced to report the outcome:
-
- Shorewall has detected the following iptables/netfilter capabilities:
- NAT: Available
- Packet Mangling: Available
- Multi-port Match: Available
- Verifying Configuration...
-
-
- - Support for the Connection Tracking Match Extension has been added.
- This extension is available in recent kernel/iptables releases and allows
- for rules which match against elements in netfilter's connection tracking
- table. Shorewall automatically detects the availability of this extension
- and reports its availability in the output of the start, restart and check
- commands.
-
- Shorewall has detected the following iptables/netfilter capabilities:
- NAT: Available
- Packet Mangling: Available
- Multi-port Match: Available
- Connection Tracking Match: Available
- Verifying Configuration...
-
- If this extension is available, the ruleset generated by Shorewall
-is changed in the following ways:
-
-
- - To handle 'norfc1918' filtering, Shorewall will not create chains
- in the mangle table but will rather do all 'norfc1918' filtering in the
- filter table (rfc1918 chain).
- - Recall that Shorewall DNAT rules generate two netfilter rules;
- one in the nat table and one in the filter table. If the Connection Tracking
- Match Extension is available, the rule in the filter table is extended
-to check that the original destination address was the same as specified
-(or defaulted to) in the DNAT rule.
-
-
-
-
- - The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
- may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.
-
-
- - An 'ipcalc' command has been added to /sbin/shorewall.
-
- ipcalc [ <address> <netmask> | <address>/<vlsm>
- ]
-
- Examples:
-
- [root@wookie root]# shorewall ipcalc 192.168.1.0/24
- CIDR=192.168.1.0/24
- NETMASK=255.255.255.0
- NETWORK=192.168.1.0
- BROADCAST=192.168.1.255
- [root@wookie root]#
-
- [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0
- CIDR=192.168.1.0/24
- NETMASK=255.255.255.0
- NETWORK=192.168.1.0
- BROADCAST=192.168.1.255
- [root@wookie root]#
-
- Warning:
-
- If your shell only supports 32-bit signed arithmatic (ash or dash), then
- the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1
- and for /1 networks. Bash should produce correct information for all valid
- IP addresses.
-
-
- - An 'iprange' command has been added to /sbin/shorewall.
-
- iprange <address>-<address>
-
- This command decomposes a range of IP addressses into a list of network
- and host addresses. The command can be useful if you need to construct an
- efficient set of rules that accept connections from a range of network addresses.
-
- Note: If your shell only supports 32-bit signed arithmetic (ash or dash)
- then the range may not span 128.0.0.0.
-
- Example:
-
- [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9
- 192.168.1.4/30
- 192.168.1.8/29
- 192.168.1.16/28
- 192.168.1.32/27
- 192.168.1.64/26
- 192.168.1.128/25
- 192.168.2.0/23
- 192.168.4.0/22
- 192.168.8.0/22
- 192.168.12.0/29
- 192.168.12.8/31
- [root@gateway root]#
-
-
- - A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.
-
- Example:
-
- foo eth1:192.168.1.0/24,192.168.2.0/24
-
-
-
-
-
+
7/4/2003 - Shorewall-1.4.6 Beta 1
-
-Problems Corrected:
-
-
-
- - A problem seen on RH7.3 systems where Shorewall encountered start
- errors when started using the "service" mechanism has been worked around.
-
-
- - Where a list of IP addresses appears in the DEST column of a
-DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the
-nat table (one for each element in the list). Shorewall now correctly creates
-a single DNAT rule with multiple "--to-destination" clauses.
-
-
-
-
-New Features:
-
-
-
- - A 'newnotsyn' interface option has been added. This option may
- be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
- for packets arriving on the associated interface.
-
-
- - The means for specifying a range of IP addresses in /etc/shorewall/masq
- to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for
-address ranges.
-
-
- - Shorewall can now add IP addresses to subnets other than the
-first one on an interface.
-
-
- - DNAT[-] rules may now be used to load balance (round-robin) over
- a set of servers. Up to 256 servers may be specified in a range of addresses
- given as <first address>-<last address>.
-
- Example:
-
- DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
-
- Note that this capability has previously been available using a combination
- of a DNAT- rule and one or more ACCEPT rules. That technique is still
-preferable for load-balancing over a large number of servers (> 16)
-since specifying a range in the DNAT rule causes one filter table ACCEPT
-rule to be generated for each IP address in the range.
-
-
- - The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
- have been removed and have been replaced by code that detects whether
-these capabilities are present in the current kernel. The output of the
-start, restart and check commands have been enhanced to report the outcome:
-
- Shorewall has detected the following iptables/netfilter capabilities:
- NAT: Available
- Packet Mangling: Available
- Multi-port Match: Available
- Verifying Configuration...
-
-
- - Support for the Connection Tracking Match Extension has been
-added. This extension is available in recent kernel/iptables releases
-and allows for rules which match against elements in netfilter's connection
-tracking table. Shorewall automatically detects the availability of this
-extension and reports its availability in the output of the start, restart
-and check commands.
-
- Shorewall has detected the following iptables/netfilter capabilities:
- NAT: Available
- Packet Mangling: Available
- Multi-port Match: Available
- Connection Tracking Match: Available
- Verifying Configuration...
-
- If this extension is available, the ruleset generated by Shorewall
-is changed in the following ways:
-
-
-
-
-
-
- - To handle 'norfc1918' filtering, Shorewall will not create
-chains in the mangle table but will rather do all 'norfc1918' filtering
-in the filter table (rfc1918 chain).
- - Recall that Shorewall DNAT rules generate two netfilter rules;
- one in the nat table and one in the filter table. If the Connection Tracking
- Match Extension is available, the rule in the filter table is extended
-to check that the original destination address was the same as specified
-(or defaulted to) in the DNAT rule.
-
-
-
-
- - The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
- may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.
-
-
-
-
-6/17/2003 - Shorewall-1.4.5
-Problems Corrected:
+
Problems Corrected:
- - The command "shorewall debug try <directory>" now correctly
- traces the attempt.
- - The INCLUDE directive now works properly in the zones file;
-previously, INCLUDE in that file was ignored.
- - /etc/shorewall/routestopped records with an empty second column
- are no longer ignored.
+ - A problem seen on RH7.3 systems where Shorewall encountered
+start errors when started using the "service" mechanism has been worked
+around.
+
+
+ - Where a list of IP addresses appears in the DEST column of a
+DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the
+nat table (one for each element in the list). Shorewall now correctly creates
+a single DNAT rule with multiple "--to-destination" clauses.
-New Features:
+
New Features:
- - The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may
- now contain a list of addresses. If the list begins with "!' then the
-rule will take effect only if the original destination address in the
-connection request does not match any of the addresses listed.
+ - A 'newnotsyn' interface option has been added. This option may
+ be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
+ for packets arriving on the associated interface.
+
+
+ - The means for specifying a range of IP addresses in /etc/shorewall/masq
+ to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for
+address ranges.
+
+
+ - Shorewall can now add IP addresses to subnets other than the
+first one on an interface.
+
+
+ - DNAT[-] rules may now be used to load balance (round-robin)
+over a set of servers. Up to 256 servers may be specified in a range of
+addresses given as <first address>-<last address>.
+
+ Example:
+
+ DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
+
+ Note that this capability has previously been available using a combination
+ of a DNAT- rule and one or more ACCEPT rules. That technique is still preferable
+ for load-balancing over a large number of servers (> 16) since specifying
+ a range in the DNAT rule causes one filter table ACCEPT rule to be generated
+ for each IP address in the range.
+
+
+ - The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
+options have been removed and have been replaced by code that detects
+whether these capabilities are present in the current kernel. The output
+of the start, restart and check commands have been enhanced to report the
+outcome:
+
+ Shorewall has detected the following iptables/netfilter capabilities:
+ NAT: Available
+ Packet Mangling: Available
+ Multi-port Match: Available
+ Verifying Configuration...
+
+
+ - Support for the Connection Tracking Match Extension has been
+added. This extension is available in recent kernel/iptables releases and
+allows for rules which match against elements in netfilter's connection
+tracking table. Shorewall automatically detects the availability of this
+extension and reports its availability in the output of the start, restart
+and check commands.
+
+ Shorewall has detected the following iptables/netfilter capabilities:
+ NAT: Available
+ Packet Mangling: Available
+ Multi-port Match: Available
+ Connection Tracking Match: Available
+ Verifying Configuration...
+
+ If this extension is available, the ruleset generated by Shorewall
+is changed in the following ways:
+
+
+
+
+
+
+ - To handle 'norfc1918' filtering, Shorewall will not create
+chains in the mangle table but will rather do all 'norfc1918' filtering
+in the filter table (rfc1918 chain).
+ - Recall that Shorewall DNAT rules generate two netfilter rules;
+ one in the nat table and one in the filter table. If the Connection Tracking
+ Match Extension is available, the rule in the filter table is extended to
+ check that the original destination address was the same as specified (or
+ defaulted to) in the DNAT rule.
+
+
+
+
+ - The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
+ may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.
+
-6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8
+6/17/2003 - Shorewall-1.4.5
-The firewall at shorewall.net has been upgraded to the 2.4.21 kernel and
- iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
- have been encountered with this set of software. The Shorewall version
- is 1.4.4b plus the accumulated changes for 1.4.5.
+
Problems Corrected:
+
+ - The command "shorewall debug try <directory>" now correctly
+ traces the attempt.
+ - The INCLUDE directive now works properly in the zones file;
+previously, INCLUDE in that file was ignored.
+ - /etc/shorewall/routestopped records with an empty second column
+ are no longer ignored.
+
+
+
+
+New Features:
+
+
+
+ - The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may
+ now contain a list of addresses. If the list begins with "!' then the rule
+ will take effect only if the original destination address in the connection
+ request does not match any of the addresses listed.
+
+
+
+6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8
+
+The firewall at shorewall.net has been upgraded to the 2.4.21 kernel and
+ iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
+ have been encountered with this set of software. The Shorewall version
+ is 1.4.4b plus the accumulated changes for 1.4.5.
+
+
6/8/2003 - Updated Samples
-
-Thanks to Francesca Smith, the samples have been updated to Shorewall version
-1.4.4.
-
+
+Thanks to Francesca Smith, the samples have been updated to Shorewall
+version 1.4.4.
+
5/29/2003 - Shorewall-1.4.4b
-
-Groan -- This version corrects a problem whereby the --log-level was not
- being set when logging via syslog. The most commonly reported symptom
- was that Shorewall messages were being written to the console even though
+
+
Groan -- This version corrects a problem whereby the --log-level was not
+ being set when logging via syslog. The most commonly reported symptom
+ was that Shorewall messages were being written to the console even though
console logging was correctly configured per FAQ 16.
-
-
+
+
5/27/2003 - Shorewall-1.4.4a
- The Fireparse --log-prefix fiasco continues. Tuomo Soini has
-pointed out that the code in 1.4.4 restricts the length of short zone
-names to 4 characters. I've produced version 1.4.4a that restores the
-previous 5-character limit by conditionally omitting the log rule number
-when the LOGFORMAT doesn't contain '%d'.
-
+ The Fireparse --log-prefix fiasco continues. Tuomo Soini has
+ pointed out that the code in 1.4.4 restricts the length of short zone
+ names to 4 characters. I've produced version 1.4.4a that restores the
+ previous 5-character limit by conditionally omitting the log rule number
+ when the LOGFORMAT doesn't contain '%d'.
+
5/23/2003 - Shorewall-1.4.4
- I apologize for the rapid-fire releases but since there is
-a potential configuration change required to go from 1.4.3a to 1.4.4,
- I decided to make it a full release rather than just a bug-fix release.
+ I apologize for the rapid-fire releases but since there is
+a potential configuration change required to go from 1.4.3a to 1.4.4,
+ I decided to make it a full release rather than just a bug-fix release.
-
- Problems corrected:
-
+
+ Problems corrected:
+
None.
-
- New Features:
-
+
+ New Features:
+
- - A REDIRECT- rule target has been added. This target behaves
- for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter
- nat table REDIRECT rule is added but not the companion filter table
-ACCEPT rule.
-
-
- - The LOGMARKER variable has been renamed LOGFORMAT and
-has been changed to a 'printf' formatting template which accepts three
-arguments (the chain name, logging rule number and the disposition).
-To use LOGFORMAT with fireparse (http://www.fireparse.com), set it
- as:
-
- LOGFORMAT="fp=%s:%d a=%s "
-
- CAUTION: /sbin/shorewall uses the leading part of
- the LOGFORMAT string (up to but not including the first '%') to find
- log messages in the 'show log', 'status' and 'hits' commands. This part
- should not be omitted (the LOGFORMAT should not begin with "%") and
-the leading part should be sufficiently unique for /sbin/shorewall to
-identify Shorewall messages.
-
-
- - When logging is specified on a DNAT[-] or REDIRECT[-]
-rule, the logging now takes place in the nat table rather than in the
-filter table. This way, only those connections that actually undergo
-DNAT or redirection will be logged.
-
-
+ - A REDIRECT- rule target has been added. This target
+behaves for REDIRECT in the same way as DNAT- does for DNAT in that
+the Netfilter nat table REDIRECT rule is added but not the companion
+filter table ACCEPT rule.
+
+
+ - The LOGMARKER variable has been renamed LOGFORMAT and
+ has been changed to a 'printf' formatting template which accepts three
+ arguments (the chain name, logging rule number and the disposition).
+ To use LOGFORMAT with fireparse (http://www.fireparse.com), set it
+ as:
+
+ LOGFORMAT="fp=%s:%d a=%s "
+
+ CAUTION: /sbin/shorewall uses the leading part
+of the LOGFORMAT string (up to but not including the first '%') to
+find log messages in the 'show log', 'status' and 'hits' commands. This
+part should not be omitted (the LOGFORMAT should not begin with "%")
+and the leading part should be sufficiently unique for /sbin/shorewall
+to identify Shorewall messages.
+
+
+ - When logging is specified on a DNAT[-] or REDIRECT[-]
+ rule, the logging now takes place in the nat table rather than in
+the filter table. This way, only those connections that actually undergo
+ DNAT or redirection will be logged.
+
+
-
+
5/20/2003 - Shorewall-1.4.3a
-
- This version primarily corrects the documentation included
+
+ This version primarily corrects the documentation included
in the .tgz and in the .rpm. In addition:
-
+
- - (This change is in 1.4.3 but is not documented) If
-you are running iptables 1.2.7a and kernel 2.4.20, then Shorewall
-will return reject replies as follows:
- a) tcp - RST
- b) udp - ICMP port unreachable
- c) icmp - ICMP host unreachable
- d) Otherwise - ICMP host prohibited
- If you are running earlier software, Shorewall will follow
- it's traditional convention:
- a) tcp - RST
- b) Otherwise - ICMP port unreachable
- - UDP port 135 is now silently dropped in the common.def
- chain. Remember that this chain is traversed just before a DROP or
+
- (This change is in 1.4.3 but is not documented) If
+you are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will
+return reject replies as follows:
+ a) tcp - RST
+ b) udp - ICMP port unreachable
+ c) icmp - ICMP host unreachable
+ d) Otherwise - ICMP host prohibited
+ If you are running earlier software, Shorewall will follow
+ it's traditional convention:
+ a) tcp - RST
+ b) Otherwise - ICMP port unreachable
+ - UDP port 135 is now silently dropped in the common.def
+ chain. Remember that this chain is traversed just before a DROP or
REJECT policy is enforced.
-
-
+
+
-
+
5/18/2003 - Shorewall 1.4.3
-
- Problems Corrected:
-
-
- - There were several cases where Shorewall would fail
- to remove a temporary directory from /tmp. These cases have been corrected.
- - The rules for allowing all traffic via the loopback
- interface have been moved to before the rule that drops status=INVALID
- packets. This insures that all loopback traffic is allowed even if
-Netfilter connection tracking is confused.
-
-
- New Features:
-
-
- - IPV6-IPV4 (6to4) tunnels are now supported in the
-/etc/shorewall/tunnels file.
- - You may now change the leading portion of
- the --log-prefix used by Shorewall using the LOGMARKER variable in
- shorewall.conf. By default, "Shorewall:" is used.
-
-
-
-
-5/10/2003 - Shorewall Mirror in Asia
-
-
-Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
-
-
-5/8/2003 - Shorewall Mirror in Chile
- Thanks to Darcy Ganga, there is now an HTTP mirror
- in Santiago Chile.
-4/21/2003 - Samples updated for Shorewall version 1.4.2
-
-Thanks to Francesca Smith, the sample configurations are now upgraded
-to Shorewall version 1.4.2.
-
-4/9/2003 - Shorewall 1.4.2
-
-
- Problems Corrected:
-
-
-
-
- - TCP connection requests rejected out of the
- common chain are now properly rejected with TCP RST;
-previously, some of these requests were rejected with an ICMP port-unreachable
-response.
- - 'traceroute -I' from behind the firewall previously
- timed out on the first hop (e.g., to the firewall). This has been
- worked around.
-
-
-
-
-
- New Features:
-
-
- - Where an entry in the/etc/shorewall/hosts file
- specifies a particular host or network, Shorewall now creates
-an intermediate chain for handling input from the related zone.
-This can substantially reduce the number of rules traversed by connections
- requests from such zones.
-
-
- - Any file may include an INCLUDE directive. An
-INCLUDE directive consists of the word INCLUDE followed by a file
-name and causes the contents of the named file to be logically included
-into the file containing the INCLUDE. File names given in an INCLUDE
-directive are assumed to reside in /etc/shorewall or in an alternate
-configuration directory if one has been specified for the command.
-
-
- Examples:
- shorewall/params.mgmt:
- MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
- TIME_SERVERS=4.4.4.4
- BACKUP_SERVERS=5.5.5.5
- ----- end params.mgmt -----
-
-
- shorewall/params:
- # Shorewall 1.3 /etc/shorewall/params
- [..]
- #######################################
-
- INCLUDE params.mgmt
-
- # params unique to this host here
- #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE -
-DO NOT REMOVE
- ----- end params -----
-
-
- shorewall/rules.mgmt:
- ACCEPT net:$MGMT_SERVERS $FW tcp
- 22
- ACCEPT $FW net:$TIME_SERVERS udp
- 123
- ACCEPT $FW net:$BACKUP_SERVERS tcp
- 22
- ----- end rules.mgmt -----
-
- shorewall/rules:
- # Shorewall version 1.3 - Rules File
- [..]
- #######################################
-
- INCLUDE rules.mgmt
-
- # rules unique to this host here
- #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE
--- DO NOT REMOVE
- ----- end rules -----
-
- INCLUDE's may be nested to a level of 3 -- further
- nested INCLUDE directives are ignored with a warning message.
-
-
- - Routing traffic from an interface back out that
- interface continues to be a problem. While I firmly believe that
- this should never happen, people continue to want to do it. To limit
- the damage that such nonsense produces, I have added a new 'routeback'
- option in /etc/shorewall/interfaces and /etc/shorewall/hosts. When
-used in /etc/shorewall/interfaces, the 'ZONE' column may not contain
- '-'; in other words, 'routeback' can't be used as an option for a multi-zone
- interface. The 'routeback' option CAN be specified however on individual
- group entries in /etc/shorewall/hosts.
-
- The 'routeback' option is similar to the old 'multi'
- option with two exceptions:
-
- a) The option pertains to a particular zone,interface,address
- tuple.
-
- b) The option only created infrastructure to pass
- traffic from (zone,interface,address) tuples back to themselves
- (the 'multi' option affected all (zone,interface,address) tuples
- associated with the given 'interface').
-
- See the 'Upgrade Issues'
- for information about how this new option may affect your configuration.
-
-
-
-
-3/24/2003 - Shorewall 1.4.1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0
-and removes additional warts.
-
- Problems Corrected:
-
+ Problems Corrected:
+
- - When Shorewall 1.4.0 is run under the ash shell
- (such as on Bering/LEAF), it can attempt to add ECN disabling
-rules even if the /etc/shorewall/ecn file is empty. That problem
-has been corrected so that ECN disabling rules are only added if
-there are entries in /etc/shorewall/ecn.
-
+ - There were several cases where Shorewall would fail
+ to remove a temporary directory from /tmp. These cases have been corrected.
+ - The rules for allowing all traffic via the loopback
+ interface have been moved to before the rule that drops status=INVALID
+ packets. This insures that all loopback traffic is allowed even if
+Netfilter connection tracking is confused.
+
- New Features:
-
-Note: In the list that follows, the term group refers
-to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
-a host address) accessed through a particular interface. Examples:
+ New Features:
+
+
+ - IPV6-IPV4 (6to4) tunnels are now supported in the
+ /etc/shorewall/tunnels file.
+ - You may now change the leading portion
+of the --log-prefix used by Shorewall using the LOGMARKER variable
+in shorewall.conf. By default, "Shorewall:" is used.
+
+
+
+
+5/10/2003 - Shorewall Mirror in Asia
+
+
+Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
+
+
+5/8/2003 - Shorewall Mirror in Chile
+ Thanks to Darcy Ganga, there is now an HTTP mirror
+ in Santiago Chile.
+4/21/2003 - Samples updated for Shorewall version 1.4.2
+
+Thanks to Francesca Smith, the sample configurations are now upgraded to
+Shorewall version 1.4.2.
+
+4/9/2003 - Shorewall 1.4.2
+
+
+ Problems Corrected:
+
+
+
+
+ - TCP connection requests rejected out of the
+ common chain are now properly rejected with TCP RST;
+ previously, some of these requests were rejected with an ICMP port-unreachable
+ response.
+ - 'traceroute -I' from behind the firewall previously
+ timed out on the first hop (e.g., to the firewall). This has been
+ worked around.
-
- eth0:0.0.0.0/0
- eth2:192.168.1.0/24
- eth3:192.0.2.123
-
- You can use the "shorewall check" command to see
-the groups associated with each of your zones.
-
-
+
+
+
+
+ New Features:
+
- - Beginning with Shorewall 1.4.1, if a zone Z
-comprises more than one group then if there is no explicit
-Z to Z policy and there are no rules governing traffic from Z to
-Z then Shorewall will permit all traffic between the groups in the
-zone.
- - Beginning with Shorewall 1.4.1, Shorewall will
- never create rules to handle traffic from a group to itself.
- - A NONE policy is introduced in 1.4.1. When a
-policy of NONE is specified from Z1 to Z2:
+ - Where an entry in the/etc/shorewall/hosts file
+ specifies a particular host or network, Shorewall now creates an
+ intermediate chain for handling input from the related zone. This
+ can substantially reduce the number of rules traversed by connections
+ requests from such zones.
+
+
+ - Any file may include an INCLUDE directive. An
+ INCLUDE directive consists of the word INCLUDE followed by a file
+ name and causes the contents of the named file to be logically included
+ into the file containing the INCLUDE. File names given in an INCLUDE
+ directive are assumed to reside in /etc/shorewall or in an alternate
+ configuration directory if one has been specified for the command.
+
+
+ Examples:
+ shorewall/params.mgmt:
+ MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
+ TIME_SERVERS=4.4.4.4
+ BACKUP_SERVERS=5.5.5.5
+ ----- end params.mgmt -----
+
+
+ shorewall/params:
+ # Shorewall 1.3 /etc/shorewall/params
+ [..]
+ #######################################
+
+ INCLUDE params.mgmt
+
+ # params unique to this host here
+ #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE
+- DO NOT REMOVE
+ ----- end params -----
+
+
+ shorewall/rules.mgmt:
+ ACCEPT net:$MGMT_SERVERS $FW tcp
+ 22
+ ACCEPT $FW net:$TIME_SERVERS udp
+ 123
+ ACCEPT $FW net:$BACKUP_SERVERS tcp
+ 22
+ ----- end rules.mgmt -----
+
+ shorewall/rules:
+ # Shorewall version 1.3 - Rules File
+ [..]
+ #######################################
+
+ INCLUDE rules.mgmt
+
+ # rules unique to this host here
+ #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE
+ -- DO NOT REMOVE
+ ----- end rules -----
+
+ INCLUDE's may be nested to a level of 3 -- further
+ nested INCLUDE directives are ignored with a warning message.
+
+
+ - Routing traffic from an interface back out that
+ interface continues to be a problem. While I firmly believe that
+ this should never happen, people continue to want to do it. To
+limit the damage that such nonsense produces, I have added a new
+'routeback' option in /etc/shorewall/interfaces and /etc/shorewall/hosts.
+ When used in /etc/shorewall/interfaces, the 'ZONE' column may not
+contain '-'; in other words, 'routeback' can't be used as an option
+for a multi-zone interface. The 'routeback' option CAN be specified
+ however on individual group entries in /etc/shorewall/hosts.
+
+ The 'routeback' option is similar to the old 'multi'
+ option with two exceptions:
+
+ a) The option pertains to a particular zone,interface,address
+ tuple.
+
+ b) The option only created infrastructure to
+pass traffic from (zone,interface,address) tuples back to themselves
+ (the 'multi' option affected all (zone,interface,address) tuples
+ associated with the given 'interface').
+
+ See the 'Upgrade Issues'
+ for information about how this new option may affect your configuration.
+
-
-
- - There may be no rules created that govern connections
- from Z1 to Z2.
- - Shorewall will not create any infrastructure
-to handle traffic from Z1 to Z2.
-
- See the upgrade issues
- for a discussion of how these changes may affect your configuration.
+3/24/2003 - Shorewall 1.4.1
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+This release follows up on 1.4.0. It corrects a problem introduced in
+1.4.0 and removes additional warts.
+
+ Problems Corrected:
+
+
+
+ - When Shorewall 1.4.0 is run under the ash shell
+ (such as on Bering/LEAF), it can attempt to add ECN disabling rules
+ even if the /etc/shorewall/ecn file is empty. That problem has been
+ corrected so that ECN disabling rules are only added if there are
+ entries in /etc/shorewall/ecn.
+
+
+ New Features:
+
+Note: In the list that follows, the term group refers to
+a particular network or subnetwork (which may be 0.0.0.0/0 or it may be a
+host address) accessed through a particular interface. Examples:
+
+ eth0:0.0.0.0/0
+ eth2:192.168.1.0/24
+ eth3:192.0.2.123
+
+ You can use the "shorewall check" command to see
+the groups associated with each of your zones.
+
+
+
+ - Beginning with Shorewall 1.4.1, if a zone Z
+comprises more than one group then if there is no explicit
+Z to Z policy and there are no rules governing traffic from Z to Z
+then Shorewall will permit all traffic between the groups in the
+zone.
+ - Beginning with Shorewall 1.4.1, Shorewall will
+ never create rules to handle traffic from a group to itself.
+ - A NONE policy is introduced in 1.4.1. When
+a policy of NONE is specified from Z1 to Z2:
+
+
+
+
+ - There may be no rules created that govern connections
+ from Z1 to Z2.
+ - Shorewall will not create any infrastructure
+ to handle traffic from Z1 to Z2.
+
+
+ See the upgrade issues
+ for a discussion of how these changes may affect your configuration.
+
3/17/2003 - Shorewall 1.4.0
-Shorewall 1.4 represents the next step in the evolution of
-Shorewall. The main thrust of the initial release is simply to
+ Shorewall 1.4 represents the next step in the evolution of
+Shorewall. The main thrust of the initial release is simply to
remove the cruft that has accumulated in Shorewall over time.
-
- IMPORTANT: Shorewall 1.4.0 requires the
- iproute package ('ip' utility).
-
- Function from 1.3 that has been omitted
+
+ IMPORTANT: Shorewall 1.4.0 requires
+the iproute package ('ip' utility).
+
+ Function from 1.3 that has been omitted
from this version include:
-
+
- - The MERGE_HOSTS variable in shorewall.conf
- is no longer supported. Shorewall 1.4 behavior is the same as
-1.3 with MERGE_HOSTS=Yes.
-
-
- - Interface names of the form <device>:<integer>
- in /etc/shorewall/interfaces now generate an error.
-
-
- - Shorewall 1.4 implements behavior consistent
- with OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate
- an error at startup as will specification of the 'noping'
-or 'filterping' interface options.
-
-
- - The 'routestopped' option in the /etc/shorewall/interfaces
- and /etc/shorewall/hosts files is no longer supported and
-will generate an error at startup if specified.
-
-
- - The Shorewall 1.2 syntax for DNAT and
- REDIRECT rules is no longer accepted.
-
-
- - The ALLOWRELATED variable in shorewall.conf
- is no longer supported. Shorewall 1.4 behavior is the same as
- 1.3 with ALLOWRELATED=Yes.
-
-
- - The icmp.def file has been removed.
-
-
-
- Changes for 1.4 include:
-
-
- - The /etc/shorewall/shorewall.conf file
- has been completely reorganized into logical sections.
-
-
- - LOG is now a valid action for a rule
- (/etc/shorewall/rules).
-
-
- - The firewall script and version file
- are now installed in /usr/share/shorewall.
-
-
- - Late arriving DNS replies are now silently
- dropped in the common chain by default.
-
-
- - In addition to behaving like OLD_PING_HANDLING=No,
- Shorewall 1.4 no longer unconditionally accepts outbound
-ICMP packets. So if you want to 'ping' from the firewall, you
-will need the appropriate rule or policy.
-
-
- - CONTINUE is now a valid action for a rule
-(/etc/shorewall/rules).
-
-
- - 802.11b devices with names of the form wlan<n>
- now support the 'maclist' option.
-
-
- - Explicit Congestion Notification (ECN - RFC
- 3168) may now be turned off on a host or network basis using the
- new /etc/shorewall/ecn file. To use this facility:
-
- a) You must be running kernel 2.4.20
- b) You must have applied the patch in
- http://www.shorewall/net/pub/shorewall/ecn/patch.
- c) You must have iptables 1.2.7a installed.
-
-
- - The /etc/shorewall/params file is now processed
- first so that variables may be used in the /etc/shorewall/shorewall.conf
- file.
-
-
- - Shorewall now gives a more helpful
- diagnostic when the 'ipchains' compatibility kernel module is
-loaded and a 'shorewall start' command is issued.
-
-
- - The SHARED_DIR variable has been removed from
- shorewall.conf. This variable was for use by package maintainers
- and was not documented for general use.
-
-
- - Shorewall now ignores 'default' routes when
- detecting masq'd networks.
-
-
-
-3/10/2003 - Shoreall 1.3.14a
-
-A roleup of the following bug fixes and other updates:
-
-
- - There is an updated rfc1918 file that reflects
- the resent allocation of 222.0.0.0/8 and 223.0.0.0/8.
-
-
-
-
- - The documentation for the routestopped file
-claimed that a comma-separated list could appear in the second
-column while the code only supported a single host or network address.
- - Log messages produced by 'logunclean' and 'dropunclean'
- were not rate-limited.
- - 802.11b devices with names of the form wlan<n>
- don't support the 'maclist' interface option.
- - Log messages generated by RFC 1918 filtering
- are not rate limited.
- - The firewall fails to start in the case where
- you have "eth0 eth1" in /etc/shorewall/masq and the default route
- is through eth1
-
-
-
-2/8/2003 - Shoreawall 1.3.14
-
-New features include
-
-
- - An OLD_PING_HANDLING option has
-been added to shorewall.conf. When set to Yes, Shorewall
-ping handling is as it has always been (see http://www.shorewall.net/ping.html).
-
- When OLD_PING_HANDLING=No, icmp
-echo (ping) is handled via rules and policies just like
-any other connection request. The FORWARDPING=Yes option
-in shorewall.conf and the 'noping' and 'filterping' options in
- /etc/shorewall/interfaces will all generate an error.
-
-
- - It is now possible to direct Shorewall
- to create a "label" such as "eth0:0" for IP addresses
-that it creates under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes.
- This is done by specifying the label instead of just the interface
- name:
-
- a) In the INTERFACE column of
-/etc/shorewall/masq
- b) In the INTERFACE column of
-/etc/shorewall/nat
-
- - Support for OpenVPN Tunnels.
-
-
- - Support for VLAN devices with names
- of the form $DEV.$VID (e.g., eth0.0)
+ - The MERGE_HOSTS variable in shorewall.conf
+ is no longer supported. Shorewall 1.4 behavior is the same as
+ 1.3 with MERGE_HOSTS=Yes.
- - In /etc/shorewall/tcrules, the MARK
- value may be optionally followed by ":" and either 'F' or 'P'
- to designate that the marking will occur in the FORWARD or PREROUTING
- chains respectively. If this additional specification is omitted,
- the chain used to mark packets will be determined by the setting
- of the MARK_IN_FORWARD_CHAIN option in Interface names of the form <device>:<integer>
+ in /etc/shorewall/interfaces now generate an error.
+
+
+ - Shorewall 1.4 implements behavior
+consistent with OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes
+will generate an error at startup as will specification of
+the 'noping' or 'filterping' interface options.
+
+
+ - The 'routestopped' option in the /etc/shorewall/interfaces
+ and /etc/shorewall/hosts files is no longer supported and
+will generate an error at startup if specified.
+
+
+ - The Shorewall 1.2 syntax for DNAT
+and REDIRECT rules is no longer accepted.
+
+
+ - The ALLOWRELATED variable in shorewall.conf
+ is no longer supported. Shorewall 1.4 behavior is the same
+as 1.3 with ALLOWRELATED=Yes.
+
+
+ - The icmp.def file has been removed.
+
+
+
+ Changes for 1.4 include:
+
+
+ - The /etc/shorewall/shorewall.conf
+file has been completely reorganized into logical sections.
+
+
+ - LOG is now a valid action for a rule
+ (/etc/shorewall/rules).
+
+
+ - The firewall script and version file
+ are now installed in /usr/share/shorewall.
+
+
+ - Late arriving DNS replies are now
+silently dropped in the common chain by default.
+
+
+ - In addition to behaving like OLD_PING_HANDLING=No,
+ Shorewall 1.4 no longer unconditionally accepts outbound ICMP
+ packets. So if you want to 'ping' from the firewall, you will
+ need the appropriate rule or policy.
+
+
+ - CONTINUE is now a valid action for a rule
+ (/etc/shorewall/rules).
+
+
+ - 802.11b devices with names of the form wlan<n>
+ now support the 'maclist' option.
+
+
+ - Explicit Congestion Notification (ECN -
+RFC 3168) may now be turned off on a host or network basis using
+the new /etc/shorewall/ecn file. To use this facility:
+
+ a) You must be running kernel 2.4.20
+ b) You must have applied the patch in
+ http://www.shorewall/net/pub/shorewall/ecn/patch.
+ c) You must have iptables 1.2.7a installed.
+
+
+ - The /etc/shorewall/params file is now processed
+ first so that variables may be used in the /etc/shorewall/shorewall.conf
+ file.
+
+
+ - Shorewall now gives a more helpful
+ diagnostic when the 'ipchains' compatibility kernel module is
+loaded and a 'shorewall start' command is issued.
+
+
+ - The SHARED_DIR variable has been removed
+from shorewall.conf. This variable was for use by package maintainers
+ and was not documented for general use.
+
+
+ - Shorewall now ignores 'default' routes when
+ detecting masq'd networks.
+
+
+
+3/10/2003 - Shoreall 1.3.14a
+
+A roleup of the following bug fixes and other updates:
+
+
+ - There is an updated rfc1918 file that reflects
+ the resent allocation of 222.0.0.0/8 and 223.0.0.0/8.
+
+
+
+
+ - The documentation for the routestopped file
+ claimed that a comma-separated list could appear in the second
+ column while the code only supported a single host or network
+address.
+ - Log messages produced by 'logunclean' and
+'dropunclean' were not rate-limited.
+ - 802.11b devices with names of the form wlan<n>
+ don't support the 'maclist' interface option.
+ - Log messages generated by RFC 1918 filtering
+ are not rate limited.
+ - The firewall fails to start in the case where
+ you have "eth0 eth1" in /etc/shorewall/masq and the default route
+ is through eth1
+
+
+
+2/8/2003 - Shoreawall 1.3.14
+
+New features include
+
+
+ - An OLD_PING_HANDLING option has
+ been added to shorewall.conf. When set to Yes, Shorewall
+ ping handling is as it has always been (see http://www.shorewall.net/ping.html).
+
+ When OLD_PING_HANDLING=No, icmp
+echo (ping) is handled via rules and policies just like
+any other connection request. The FORWARDPING=Yes option in
+shorewall.conf and the 'noping' and 'filterping' options in
+ /etc/shorewall/interfaces will all generate an error.
+
+
+ - It is now possible to direct Shorewall
+ to create a "label" such as "eth0:0" for IP addresses that
+ it creates under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes.
+ This is done by specifying the label instead of just the interface
+ name:
+
+ a) In the INTERFACE column of
+ /etc/shorewall/masq
+ b) In the INTERFACE column of
+ /etc/shorewall/nat
+
+ - Support for OpenVPN Tunnels.
+
+
+ - Support for VLAN devices with
+names of the form $DEV.$VID (e.g., eth0.0)
+
+
+ - In /etc/shorewall/tcrules, the MARK
+ value may be optionally followed by ":" and either 'F' or
+'P' to designate that the marking will occur in the FORWARD
+or PREROUTING chains respectively. If this additional specification
+ is omitted, the chain used to mark packets will be determined by
+the setting of the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
-
-
- - When an interface name is entered
- in the SUBNET column of the /etc/shorewall/masq file, Shorewall
- previously masqueraded traffic from only the first subnet
- defined on that interface. It did not masquerade traffic from:
-
- a) The subnets associated with
+
+
+ - When an interface name is entered
+ in the SUBNET column of the /etc/shorewall/masq file,
+Shorewall previously masqueraded traffic from only the first
+subnet defined on that interface. It did not masquerade traffic
+from:
+
+ a) The subnets associated with
other addresses on the interface.
- b) Subnets accessed through local
- routers.
-
- Beginning with Shorewall 1.3.14,
-if you enter an interface name in the SUBNET column, shorewall
- will use the firewall's routing table to construct the masquerading/SNAT
+ b) Subnets accessed through
+local routers.
+
+ Beginning with Shorewall 1.3.14,
+ if you enter an interface name in the SUBNET column, shorewall
+ will use the firewall's routing table to construct the masquerading/SNAT
rules.
-
- Example 1 -- This is how it works
+
+ Example 1 -- This is how it works
in 1.3.14.
-
+
-
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
-
+
[root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
-
- When upgrading to Shorewall 1.3.14,
- if you have multiple local subnets connected to an interface
- that is specified in the SUBNET column of an /etc/shorewall/masq
- entry, your /etc/shorewall/masq file will need changing. In
- most cases, you will simply be able to remove redundant entries.
- In some cases though, you might want to change from using the interface
- name to listing specific subnetworks if the change described above
- will cause masquerading to occur on subnetworks that you don't wish
-to masquerade.
-
- Example 2 -- Suppose that your current
- config is as follows:
-
+
+ When upgrading to Shorewall 1.3.14,
+ if you have multiple local subnets connected to an interface
+ that is specified in the SUBNET column of an /etc/shorewall/masq
+ entry, your /etc/shorewall/masq file will need changing.
+ In most cases, you will simply be able to remove redundant entries.
+ In some cases though, you might want to change from using the interface
+ name to listing specific subnetworks if the change described above
+ will cause masquerading to occur on subnetworks that you don't wish
+ to masquerade.
+
+ Example 2 -- Suppose that your
+current config is as follows:
+
-
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, the second entry
+
+ In this case, the second entry
in /etc/shorewall/masq is no longer required.
-
- Example 3 -- What if your current
+
+ Example 3 -- What if your current
configuration is like this?
-
+
-
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, you would want
+
+ In this case, you would want
to change the entry in /etc/shorewall/masq to:
-
+
#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
-
-
-
- 2/5/2003 - Shorewall Support included
- in Webmin 1.060
+
-Webmin version 1.060 now has Shorewall support included as standard. See
- http://www.webmin.com.
-
- 2/4/2003 - Shorewall 1.3.14-RC1
+
+
+
+ 2/5/2003 - Shorewall Support included
+ in Webmin 1.060
+Webmin version 1.060 now has Shorewall support included as standard. See
+ http://www.webmin.com.
+
+ 2/4/2003 - Shorewall 1.3.14-RC1
+
+
Includes the Beta 2 content plus support for OpenVPN tunnels.
-
+
1/28/2003 - Shorewall 1.3.14-Beta2
-
-Includes the Beta 1 content plus restores VLAN device names of the form
+
+
Includes the Beta 1 content plus restores VLAN device names of the form
$dev.$vid (e.g., eth0.1)
-
-1/25/2003 - Shorewall 1.3.14-Beta1
-
-
-The Beta includes the following changes:
+
1/25/2003 - Shorewall 1.3.14-Beta1
-
+
+The Beta includes the following changes:
+
+
+
- - An OLD_PING_HANDLING option
- has been added to shorewall.conf. When set to Yes, Shorewall
+
- An OLD_PING_HANDLING option
+ has been added to shorewall.conf. When set to Yes, Shorewall
ping handling is as it has always been (see http://www.shorewall.net/ping.html).
-
- When OLD_PING_HANDLING=No, icmp
-echo (ping) is handled via rules and policies just like
-any other connection request. The FORWARDPING=Yes option
-in shorewall.conf and the 'noping' and 'filterping' options in
- /etc/shorewall/interfaces will all generate an error.
-
-
- - It is now possible to direct
- Shorewall to create a "label" such as "eth0:0" for IP addresses
- that it creates under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes.
- This is done by specifying the label instead of just the interface
- name:
-
- a) In the INTERFACE column of
-/etc/shorewall/masq
- b) In the INTERFACE column of
-/etc/shorewall/nat
-
- - When an interface name is
-entered in the SUBNET column of the /etc/shorewall/masq
- file, Shorewall previously masqueraded traffic from only
-the first subnet defined on that interface. It did not masquerade
- traffic from:
-
- a) The subnets associated with
+
+ When OLD_PING_HANDLING=No, icmp
+echo (ping) is handled via rules and policies just like
+any other connection request. The FORWARDPING=Yes option in
+shorewall.conf and the 'noping' and 'filterping' options in
+ /etc/shorewall/interfaces will all generate an error.
+
+
+ - It is now possible to direct
+ Shorewall to create a "label" such as "eth0:0" for IP
+addresses that it creates under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes.
+ This is done by specifying the label instead of just the interface
+ name:
+
+ a) In the INTERFACE column of
+ /etc/shorewall/masq
+ b) In the INTERFACE column of
+ /etc/shorewall/nat
+
+ - When an interface name is
+entered in the SUBNET column of the /etc/shorewall/masq
+file, Shorewall previously masqueraded traffic from only the
+first subnet defined on that interface. It did not masquerade
+ traffic from:
+
+ a) The subnets associated with
other addresses on the interface.
- b) Subnets accessed through local
- routers.
-
- Beginning with Shorewall 1.3.14,
-if you enter an interface name in the SUBNET column, shorewall
- will use the firewall's routing table to construct the masquerading/SNAT
+ b) Subnets accessed through
+local routers.
+
+ Beginning with Shorewall 1.3.14,
+ if you enter an interface name in the SUBNET column, shorewall
+ will use the firewall's routing table to construct the masquerading/SNAT
rules.
-
- Example 1 -- This is how it works
+
+ Example 1 -- This is how it works
in 1.3.14.
-
+
-
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
-
+
[root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
-
- When upgrading to Shorewall 1.3.14,
- if you have multiple local subnets connected to an interface
- that is specified in the SUBNET column of an /etc/shorewall/masq
- entry, your /etc/shorewall/masq file will need changing. In
- most cases, you will simply be able to remove redundant entries.
- In some cases though, you might want to change from using the interface
- name to listing specific subnetworks if the change described above
- will cause masquerading to occur on subnetworks that you don't wish
-to masquerade.
-
- Example 2 -- Suppose that your current
- config is as follows:
-
+
+ When upgrading to Shorewall 1.3.14,
+ if you have multiple local subnets connected to an interface
+ that is specified in the SUBNET column of an /etc/shorewall/masq
+ entry, your /etc/shorewall/masq file will need changing.
+ In most cases, you will simply be able to remove redundant entries.
+ In some cases though, you might want to change from using the interface
+ name to listing specific subnetworks if the change described above
+ will cause masquerading to occur on subnetworks that you don't wish
+ to masquerade.
+
+ Example 2 -- Suppose that your
+current config is as follows:
+
-
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, the second entry
+
+ In this case, the second entry
in /etc/shorewall/masq is no longer required.
-
- Example 3 -- What if your current
+
+ Example 3 -- What if your current
configuration is like this?
-
+
-
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, you would want
+
+ In this case, you would want
to change the entry in /etc/shorewall/masq to:
-
+
#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
-
+
-
+
1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format
-
-Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation.
- the PDF may be downloaded from
+
+Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation.
+ the PDF may be downloaded from
- ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
+ http://slovakia.shorewall.net/pub/shorewall/pdf/
+
1/17/2003 - shorewall.net has MOVED
-
+
Thanks to the generosity of Alex Martin and Rett Consulting, www.shorewall.net and
-ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A
-big thanks to Alex for making this happen.
-
+ href="http://www.rettc.com">Rett Consulting, www.shorewall.net and ftp.shorewall.net
+are now hosted on a system in Bellevue, Washington. A big thanks to Alex
+for making this happen.
+
-
+
1/13/2003 - Shorewall 1.3.13
-
+
-
+
Just includes a few things that I had on the burner:
-
+
-
+
- - A new 'DNAT-' action has
- been added for entries in the /etc/shorewall/rules file.
- DNAT- is intended for advanced users who wish to minimize the
- number of rules that connection requests must traverse.
-
- A Shorewall DNAT rule actually
- generates two iptables rules: a header rewriting rule
-in the 'nat' table and an ACCEPT rule in the 'filter' table.
- A DNAT- rule only generates the first of these rules. This
-is handy when you have several DNAT rules that would generate the
- same ACCEPT rule.
-
- Here are three rules from
-my previous rules file:
-
- DNAT net dmz:206.124.146.177
+ - A new 'DNAT-' action
+has been added for entries in the /etc/shorewall/rules
+ file. DNAT- is intended for advanced users who wish to
+minimize the number of rules that connection requests must
+traverse.
+
+ A Shorewall DNAT rule actually
+ generates two iptables rules: a header rewriting rule
+ in the 'nat' table and an ACCEPT rule in the 'filter' table.
+ A DNAT- rule only generates the first of these rules. This
+ is handy when you have several DNAT rules that would generate
+the same ACCEPT rule.
+
+ Here are three rules from
+ my previous rules file:
+
+ DNAT net dmz:206.124.146.177
tcp smtp - 206.124.146.178
- DNAT net dmz:206.124.146.177
+ DNAT net dmz:206.124.146.177
tcp smtp - 206.124.146.179
- ACCEPT net dmz:206.124.146.177
+ ACCEPT net dmz:206.124.146.177
tcp www,smtp,ftp,...
-
- These three rules ended up
- generating _three_ copies of
-
- ACCEPT net dmz:206.124.146.177
- tcp smtp
-
- By writing the rules this
-way, I end up with only one copy of the ACCEPT rule.
-
- DNAT- net dmz:206.124.146.177
+
+ These three rules ended
+up generating _three_ copies of
+
+ ACCEPT net dmz:206.124.146.177
+ tcp smtp
+
+ By writing the rules this
+ way, I end up with only one copy of the ACCEPT rule.
+
+ DNAT- net dmz:206.124.146.177
tcp smtp - 206.124.146.178
- DNAT- net dmz:206.124.146.177
+ DNAT- net dmz:206.124.146.177
tcp smtp - 206.124.146.179
- ACCEPT net dmz:206.124.146.177
+ ACCEPT net dmz:206.124.146.177
tcp www,smtp,ftp,....
-
-
- - The 'shorewall check'
-command now prints out the applicable policy between
+
+
+ - The 'shorewall check'
+command now prints out the applicable policy between
each pair of zones.
-
-
- - A new CLEAR_TC option
-has been added to shorewall.conf. If this option is set
-to 'No' then Shorewall won't clear the current traffic control
- rules during [re]start. This setting is intended for use by
-people that prefer to configure traffic shaping when the network
- interfaces come up rather than when the firewall is started. If
-that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No
-and do not supply an /etc/shorewall/tcstart file. That way, your
-traffic shaping rules can still use the 'fwmark' classifier based
-on packet marking defined in /etc/shorewall/tcrules.
-
-
- - A new SHARED_DIR variable
- has been added that allows distribution packagers to
-easily move the shared directory (default /usr/lib/shorewall).
- Users should never have a need to change the value of this
-shorewall.conf setting.
-
+
+
+ - A new CLEAR_TC option
+has been added to shorewall.conf. If this option is set
+to 'No' then Shorewall won't clear the current traffic control
+ rules during [re]start. This setting is intended for use by people
+ that prefer to configure traffic shaping when the network interfaces
+come up rather than when the firewall is started. If that is what
+you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply
+ an /etc/shorewall/tcstart file. That way, your traffic shaping
+ rules can still use the 'fwmark' classifier based on packet marking
+ defined in /etc/shorewall/tcrules.
+
+
+ - A new SHARED_DIR variable
+ has been added that allows distribution packagers to easily
+ move the shared directory (default /usr/lib/shorewall).
+ Users should never have a need to change the value of this shorewall.conf
+ setting.
+
-
+
-
-1/6/2003 - BURNOUT
-
+
+1/6/2003 - BURNOUT
+
-
-Until further notice, I will not be involved in either Shorewall Development
+
+
Until further notice, I will not be involved in either Shorewall Development
or Shorewall Support
-
+
-Tom Eastep
-
+
-
+
12/30/2002 - Shorewall Documentation in PDF Format
-
-Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation.
- the PDF may be downloaded from
+
+Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation.
+ the PDF may be downloaded from
-
+
ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
+
-
+
12/27/2002 - Shorewall 1.3.12 Released
-
+
Features include:
-
+
-
+
- - "shorewall refresh"
-now reloads the traffic shaping rules (tcrules and
-tcstart).
- - "shorewall debug [re]start"
- now turns off debugging after an error occurs. This
- places the point of the failure near the end of the trace
- rather than up in the middle of it.
- - "shorewall [re]start"
- has been speeded up by more than 40% with my configuration.
- Your milage may vary.
- - A "shorewall show classifiers"
- command has been added which shows the current packet
- classification filters. The output from this command
- is also added as a separate page in "shorewall monitor"
- - ULOG (must be all caps)
- is now accepted as a valid syslog level and causes
-the subject packets to be logged using the ULOG target rather
- than the LOG target. This allows you to run ulogd (available
- from http://www.gnumonks.org/projects/ulogd)
- and log all Shorewall messages "shorewall refresh"
+ now reloads the traffic shaping rules (tcrules
+and tcstart).
+ - "shorewall debug [re]start"
+ now turns off debugging after an error occurs. This
+ places the point of the failure near the end of the trace
+ rather than up in the middle of it.
+ - "shorewall [re]start"
+ has been speeded up by more than 40% with my configuration.
+ Your milage may vary.
+ - A "shorewall show
+classifiers" command has been added which shows
+the current packet classification filters. The output from
+this command is also added as a separate page in "shorewall
+ monitor"
+ - ULOG (must be all
+caps) is now accepted as a valid syslog level and
+ causes the subject packets to be logged using the ULOG target
+ rather than the LOG target. This allows you to run ulogd
+ (available from http://www.gnumonks.org/projects/ulogd)
+ and log all Shorewall messages to a separate log file.
- - If you are running
-a kernel that has a FORWARD chain in the mangle table
- ("shorewall show mangle" will show you the chains in the
- mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in
- shorewall.conf. This allows
-for marking input packets based on their destination even when
- you are using Masquerading or SNAT.
- - I have cluttered up
-the /etc/shorewall directory with empty 'init', 'start',
- 'stop' and 'stopped' files. If you already have a file with
- one of these names, don't worry -- the upgrade process won't
- overwrite your file.
- - I have added a new
+
- If you are running
+a kernel that has a FORWARD chain in the mangle table
+ ("shorewall show mangle" will show you the chains in the
+mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in
+ shorewall.conf. This allows for
+ marking input packets based on their destination even when
+ you are using Masquerading or SNAT.
+ - I have cluttered up
+ the /etc/shorewall directory with empty 'init',
+ 'start', 'stop' and 'stopped' files. If you already have
+a file with one of these names, don't worry -- the upgrade
+ process won't overwrite your file.
+ - I have added a new
RFC1918_LOG_LEVEL variable to shorewall.conf. This variable
- specifies the syslog level at which packets are logged
-as a result of entries in the /etc/shorewall/rfc1918 file.
- Previously, these packets were always logged at the 'info'
- level.
-
+ href="Documentation.htm#Conf">shorewall.conf. This variable
+ specifies the syslog level at which packets are logged
+as a result of entries in the /etc/shorewall/rfc1918 file.
+ Previously, these packets were always logged at the 'info'
+ level.
+
-
+
-
+
12/20/2002 - Shorewall 1.3.12 Beta 3
-
- This version corrects a
-problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL
- was set to anything but ULOG, the firewall would fail to
+
+ This version corrects a
+problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL
+ was set to anything but ULOG, the firewall would fail to
start and "shorewall refresh" would also fail.
-
+
12/20/2002 - Shorewall 1.3.12 Beta 2
-
-The first public Beta version of Shorewall 1.3.12 is now available (Beta
+
+
The first public Beta version of Shorewall 1.3.12 is now available (Beta
1 was made available only to a limited audience).
-
- Features include:
+
+ Features include:
-
+
- - "shorewall refresh"
- now reloads the traffic shaping rules (tcrules
-and tcstart).
- - "shorewall debug
- [re]start" now turns off debugging after an error
- occurs. This places the point of the failure near the end of
- the trace rather than up in the middle of it.
- - "shorewall [re]start"
- has been speeded up by more than 40% with my configuration.
+
- "shorewall refresh"
+ now reloads the traffic shaping rules (tcrules and
+ tcstart).
+ - "shorewall debug
+ [re]start" now turns off debugging after an error
+ occurs. This places the point of the failure near the end
+of the trace rather than up in the middle of it.
+ - "shorewall [re]start"
+ has been speeded up by more than 40% with my configuration.
Your milage may vary.
- - A "shorewall show
- classifiers" command has been added which shows
-the current packet classification filters. The output from
- this command is also added as a separate page in "shorewall
+
- A "shorewall
+show classifiers" command has been added which shows
+ the current packet classification filters. The output
+from this command is also added as a separate page in "shorewall
monitor"
- - ULOG (must be
-all caps) is now accepted as a valid syslog level
-and causes the subject packets to be logged using the ULOG target
- rather than the LOG target. This allows you to run ulogd (available
- from http://www.gnumonks.org/projects/ulogd)
- and log all Shorewall messages ULOG (must be
+all caps) is now accepted as a valid syslog level and
+ causes the subject packets to be logged using the ULOG target
+ rather than the LOG target. This allows you to run ulogd (available
+ from http://www.gnumonks.org/projects/ulogd)
+ and log all Shorewall messages to a separate log file.
- - If you are running
- a kernel that has a FORWARD chain in the mangle table
- ("shorewall show mangle" will show you the chains in the
-mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
- This allows for marking input packets based on their destination
- even when you are using Masquerading or SNAT.
- - I have cluttered
- up the /etc/shorewall directory with empty 'init',
- 'start', 'stop' and 'stopped' files. If you already have a file
- with one of these names, don't worry -- the upgrade process
- won't overwrite your file.
+ - If you are running
+ a kernel that has a FORWARD chain in the mangle
+table ("shorewall show mangle" will show you the chains in
+ the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in
+shorewall.conf. This allows for marking input packets based
+ on their destination even when you are using Masquerading
+ or SNAT.
+ - I have cluttered
+ up the /etc/shorewall directory with empty 'init',
+ 'start', 'stop' and 'stopped' files. If you already have
+a file with one of these names, don't worry -- the upgrade process
+ won't overwrite your file.
-
+
- You may download the
-Beta from:
+ You may download the
+ Beta from:
-
+
http://www.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
+
-
+
12/12/2002 - Mandrake Multi Network Firewall 
-
- Shorewall is at the
- center of MandrakeSoft's recently-announced Multi
- Network Firewall (MNF) product. Here is the
+
+ Shorewall is at
+the center of MandrakeSoft's recently-announced Multi
+ Network Firewall (MNF) product. Here is the
press
- release.
+ href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
+ release.
-
+
12/7/2002 - Shorewall Support for Mandrake 9.0
-
-Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered.
- I have installed 9.0 on one of my systems and
-I am now in a position to support Shorewall users who
-run Mandrake 9.0.
+
+Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered.
+ I have installed 9.0 on one of my systems and
+ I am now in a position to support Shorewall users who
+ run Mandrake 9.0.
-
+
12/6/2002 - Debian 1.3.11a Packages Available
-
-
-
-
-Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
-
-12/3/2002 - Shorewall 1.3.11a
-
-
-This is a bug-fix roll up which includes Roger Aich's fix for DNAT with
- excluded subnets (e.g., "DNAT foo!bar ...").
-Current 1.3.11 users who don't need rules of this
-type need not upgrade to 1.3.11.
-
-
-11/24/2002 - Shorewall 1.3.11
-
-
-In this version:
-
-
-
- - A 'tcpflags'
- option has been added to entries in /etc/shorewall/interfaces.
- This option causes Shorewall to make a set of sanity check on TCP
- packet header flags.
- - It is now
- allowed to use 'all' in the SOURCE or DEST column in
- a rule. When used,
- 'all' must appear by itself (in may not be qualified) and it does
-not enable intra-zone traffic. For example, the rule
-
- ACCEPT loc
- all tcp 80
-
- does not enable
- http traffic from 'loc' to 'loc'.
- - Shorewall's
- use of the 'echo' command is now compatible with bash
- clones such as ash and dash.
- - fw->fw
- policies now generate a startup error. fw->fw rules
- generate a warning and are ignored
-
-
-
-
-
-11/14/2002 - Shorewall Documentation in PDF Format
-
-
-Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation.
- the PDF may be downloaded from
-
-
- ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
-
-
-11/09/2002 - Shorewall is Back at SourceForge
-
-
-
-
-The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.
-
-
-
-
-11/09/2002 - Shorewall 1.3.10
-
-
-In this version:
-
-
-
-
-
-10/24/2002 - Shorewall is now in Gentoo Linux
-
- Alexandru
- Hartmann reports that his Shorewall package is now
- a part of the Gentoo Linux
-distribution. Thanks Alex!
-
-
-10/23/2002 - Shorewall 1.3.10 Beta 1
- In this
- version:
+
+Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
+
+
+12/3/2002 - Shorewall 1.3.11a
+
+
+This is a bug-fix roll up which includes Roger Aich's fix for DNAT with
+ excluded subnets (e.g., "DNAT foo!bar ...").
+ Current 1.3.11 users who don't need rules of this
+ type need not upgrade to 1.3.11.
+
+
+11/24/2002 - Shorewall 1.3.11
+
+
+In this version:
+
+
+
+ - A 'tcpflags'
+ option has been added to entries in /etc/shorewall/interfaces.
+ This option causes Shorewall to make a set of sanity check on TCP
+ packet header flags.
+ - It is
+now allowed to use 'all' in the SOURCE or DEST column
+ in a rule. When
+used, 'all' must appear by itself (in may not be qualified) and
+it does not enable intra-zone traffic. For example, the rule
+
+
+ ACCEPT loc
+ all tcp 80
+
+ does not enable
+ http traffic from 'loc' to 'loc'.
+ - Shorewall's
+ use of the 'echo' command is now compatible with
+ bash clones such as ash and dash.
+ - fw->fw
+ policies now generate a startup error. fw->fw
+ rules generate a warning and are ignored
+
+
+
+
+
+11/14/2002 - Shorewall Documentation in PDF Format
+
+
+Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation.
+ the PDF may be downloaded from
+
+
+ ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
+ http://slovakia.shorewall.net/pub/shorewall/pdf/
+
+
+
+11/09/2002 - Shorewall is Back at SourceForge
+
+
+
+
+The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.
+
+
+
+
+11/09/2002 - Shorewall 1.3.10
+
+
+In this version:
+
+
- You
may now define the contents
- of a zone dynamically with the "shorewall add" and
- "shorewall delete" commands. These commands are
- expected to be used primarily within FreeS/Wan updown
- scripts.
+ of a zone dynamically with the "shorewall add" and
+ "shorewall delete" commands. These commands are
+ expected to be used primarily within FreeS/Wan updown
+ scripts.
- Shorewall
can now do MAC verification
- on ethernet segments. You can specify the set of
-allowed MAC addresses on the segment and you can optionally
- tie each MAC address to one or more IP addresses.
+ on ethernet segments. You can specify the set of allowed MAC addresses
+ on the segment and you can optionally tie each MAC address to
+ one or more IP addresses.
- PPTP
Servers and Clients running on the firewall system
may now be defined in the /etc/shorewall/tunnels
@@ -1929,1212 +1903,1273 @@ PATH used by Shorewall may now be specified in /etc/shorewall/shorewall.conf.
- The
main firewall script is now /usr/lib/shorewall/firewall.
- The script in /etc/init.d/shorewall is very small and
-uses /sbin/shorewall to do the real work. This change
-makes custom distributions such as for Debian and for
-Gentoo easier to manage since it is /etc/init.d/shorewall
- that tends to have distribution-dependent code.
+ The script in /etc/init.d/shorewall is very small and
+uses /sbin/shorewall to do the real work. This change
+makes custom distributions such as for Debian and for
+Gentoo easier to manage since it is /etc/init.d/shorewall
+ that tends to have distribution-dependent code
- You may
-download the Beta from:
-
+
+10/24/2002 - Shorewall is now in Gentoo Linux
+
+ Alexandru
+ Hartmann reports that his Shorewall package is now
+ a part of the Gentoo Linux distribution.
+ Thanks Alex!
+
+
+10/23/2002 - Shorewall 1.3.10 Beta 1
+ In this
+ version:
+
+
+
+ You may
+ download the Beta from:
+
+
+
-
+
10/10/2002 - Debian 1.3.9b Packages Available
-
+
-
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
10/9/2002 - Shorewall 1.3.9b
- This release
- rolls up fixes to the installer and to the firewall
+ This release
+ rolls up fixes to the installer and to the firewall
script.
-
+
10/6/2002 - Shorewall.net now running on RH8.0
-
- The firewall
- and server here at shorewall.net are now running
- RedHat release 8.0.
+
+ The
+firewall and server here at shorewall.net are now
+running RedHat release 8.0.
-
- 9/30/2002
+
+ 9/30/2002
- Shorewall 1.3.9a
- Roles
-up the fix for broken tunnels.
-
-
-9/30/2002 - TUNNELS Broken in 1.3.9!!!
- There
-is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall
- -- copy that file to /usr/lib/shorewall/firewall.
+ Roles
+ up the fix for broken tunnels.
+9/30/2002 - TUNNELS Broken in 1.3.9!!!
+ There
+ is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall
+ -- copy that file to /usr/lib/shorewall/firewall.
+
+
9/28/2002 - Shorewall 1.3.9
+
In this version:
-
+
+
- - DNS Names
- are now allowed in Shorewall config files (although I recommend
-against using them).
+ - DNS Names
+ are now allowed in Shorewall config files (although I recommend against
+ using them).
- - The connection SOURCE may now be qualified
-by both interface and IP address in a The connection SOURCE may now be qualified
+ by both interface and IP address in a Shorewall rule.
- - Shorewall startup is now disabled after initial
- installation until the file /etc/shorewall/startup_disabled
- is removed. This avoids nasty surprises during
- reboot for users who install Shorewall but don't configure
+
- Shorewall startup is now disabled after initial
+ installation until the file /etc/shorewall/startup_disabled
+ is removed. This avoids nasty surprises during
+ reboot for users who install Shorewall but don't configure
it.
- - The
- 'functions' and 'version' files and the 'firewall'
- symbolic link have been moved from /var/lib/shorewall
- to /usr/lib/shorewall to appease the LFS police at
- Debian.
-
+
+ - The 'functions' and 'version' files and the
+ 'firewall' symbolic link have been moved from /var/lib/shorewall
+ to /usr/lib/shorewall to appease the LFS police
+at Debian.
+
+
+
-9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
+
+
9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
Restored
-
+
- 
- A couple of recent configuration changes at www.shorewall.net
- broke the Search facility:
+ A couple of recent configuration changes at www.shorewall.net
+ broke the Search facility:
-
-
+
+
-
+
- - Mailing List Archive Search was not available.
+ - Mailing List Archive Search was not available.
- - The Site Search index was incomplete
+ - The Site Search index was incomplete
- - Only one page of matches was presented.
+ - Only one page of matches was presented.
-
+
+
-
+
- Hopefully these problems are now corrected.
-
-9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
+ Hopefully these problems are now corrected.
+
+
9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
Restored
-
-
- A couple of recent configuration changes at www.shorewall.net
- had the negative effect of breaking the Search
- facility:
-
-
-
-
-
- - Mailing List Archive Search was not available.
-
- - The Site Search index was incomplete
-
- - Only one page of matches was presented.
-
-
-
-
-
- Hopefully these problems are now corrected.
-
-
-
-9/18/2002 - Debian 1.3.8 Packages Available
-
+ A couple of recent configuration changes at www.shorewall.net
+ had the negative effect of breaking the Search
+ facility:
+
+
+
+ - Mailing List Archive Search was not available.
+
+ - The Site Search index was incomplete
+
+ - Only one page of matches was presented.
+
+
+
+
+
+ Hopefully these problems are now corrected.
+
+
+
+9/18/2002 - Debian 1.3.8 Packages Available
+
+
+
+
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
9/16/2002 - Shorewall 1.3.8
-
+
In this version:
-
+
-
+
- - A NEWNOTSYN
- option has been added to shorewall.conf. This option determines
- whether Shorewall accepts TCP packets
- which are not part of an established connection and
+
- A NEWNOTSYN
+ option has been added to shorewall.conf. This option determines
+ whether Shorewall accepts TCP packets
+which are not part of an established connection and
that are not 'SYN' packets (SYN flag on and ACK flag off).
- - The need for the 'multi' option to communicate
- between zones za and zb on the same interface
- is removed in the case where the chain 'za2zb' and/or
- 'zb2za' exists. 'za2zb' will exist if:
+ - The need for the 'multi' option to communicate
+ between zones za and zb on the same interface
+ is removed in the case where the chain 'za2zb' and/or
+ 'zb2za' exists. 'za2zb' will exist if:
-
+
- - There is a policy for za to zb; or
-
+ - There is a policy for za to zb; or
+
- - There is at least one rule for za to
+
- There is at least one rule for za to
zb.
-
+
-
+
-
+
- - The /etc/shorewall/blacklist file now contains
- three columns. In addition to the SUBNET/ADDRESS
- column, there are optional PROTOCOL and PORT columns
-to block only certain applications from the blacklisted
- addresses.
+ - The /etc/shorewall/blacklist file now contains
+ three columns. In addition to the SUBNET/ADDRESS
+ column, there are optional PROTOCOL and PORT columns to
+ block only certain applications from the blacklisted addresses.
-
+
-
+
-
+
9/11/2002 - Debian 1.3.7c Packages Available
-
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
9/2/2002 - Shorewall 1.3.7c
-
-This is a role up of a fix for "DNAT" rules where the source zone is $FW
- (fw).
+
+This is a role up of a fix for "DNAT" rules where the source zone is $FW
+ (fw).
-
+
8/31/2002 - I'm not available
-
-I'm currently on vacation -- please respect my need for a couple of
- weeks free of Shorewall problem reports.
+
+I'm currently on vacation -- please respect my need for a couple of
+weeks free of Shorewall problem reports.
-
+
-Tom
-
+
8/26/2002 - Shorewall 1.3.7b
-
-This is a role up of the "shorewall refresh" bug fix and the change which
- reverses the order of "dhcp" and "norfc1918"
- checking.
+
+This is a role up of the "shorewall refresh" bug fix and the change which
+ reverses the order of "dhcp" and
+"norfc1918" checking.
-
+
8/26/2002 - French FTP Mirror is Operational
-
+
ftp://france.shorewall.net/pub/mirrors/shorewall
- is now available.
+ href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall
+ is now available.
-
+
8/25/2002 - Shorewall Mirror in France
-
-Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored
- at Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored
+ at http://france.shorewall.net.
-
+
8/25/2002 - Shorewall 1.3.7a Debian Packages Available
-
-Lorenzo Martignoni reports that the packages for version 1.3.7a are available
- at Lorenzo Martignoni reports that the packages for version 1.3.7a are available
+ at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
-8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author
- -- Shorewall 1.3.7a released![]()
8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author
+ -- Shorewall 1.3.7a released
-
+
-
-1.3.7a corrects problems occurring in rules file processing when starting
- Shorewall 1.3.7.
+
+1.3.7a corrects problems occurring in rules file processing when starting
+ Shorewall 1.3.7.
-
+
8/22/2002 - Shorewall 1.3.7 Released 8/13/2002
-
+
Features in this release include:
-
+
-
-I would like to thank John Distler for his valuable input regarding TCP
- SYN and ICMP treatment in Shorewall.
- That input has led to marked improvement in
- Shorewall in the last two releases.
+
+I would like to thank John Distler for his valuable input regarding TCP
+ SYN and ICMP treatment in Shorewall.
+ That input has led to marked improvement
+in Shorewall in the last two releases.
-
+
8/13/2002 - Documentation in the CVS Repository
-
-The Shorewall-docs project now contains just the HTML and image files -
-the Frontpage files have been removed.
+
+The Shorewall-docs project now contains just the HTML and image files
+- the Frontpage files have been removed.
-
+
8/7/2002 - STABLE branch added to CVS Repository
-
-This branch will only be updated after I release a new version of Shorewall
- so you can always update from this
- branch to get the latest stable tree.
+
+This branch will only be updated after I release a new version of Shorewall
+ so you can always update from this
+ branch to get the latest stable tree.
-
-8/7/2002 - Upgrade Issues section added
- to the Errata Page
+
+8/7/2002 - Upgrade Issues section
+added to the Errata Page
-
-Now there is one place to go to look for issues involved with upgrading
- to recent versions of Shorewall.
+
+Now there is one place to go to look for issues involved with upgrading
+ to recent versions of Shorewall.
-
+
8/7/2002 - Shorewall 1.3.6
-
+
This is primarily a bug-fix rollup with a couple of new features:
-
+
-
+
7/30/2002 - Shorewall 1.3.5b Released
-
+
This interim release:
-
+
-
+
7/29/2002 - New Shorewall Setup Guide Available
-
+
The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm.
- The guide is intended for use by people
- who are setting up Shorewall to manage multiple
- public IP addresses and by people who want to learn
- more about Shorewall than is described in the single-address
- guides. Feedback on the new guide is welcome.
+ href="http://www.shorewall.net/shorewall_setup_guide.htm"> http://www.shorewall.net/shorewall_setup_guide.htm.
+ The guide is intended for use by
+people who are setting up Shorewall to manage
+multiple public IP addresses and by people who want
+to learn more about Shorewall than is described in the
+ single-address guides. Feedback on the new guide is
+welcome.
-
+
7/28/2002 - Shorewall 1.3.5 Debian Package Available
-
-Lorenzo Martignoni reports that the packages are version 1.3.5a and are
- available at Lorenzo Martignoni reports that the packages are version 1.3.5a and are
+ available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
7/27/2002 - Shorewall 1.3.5a Released
-
+
This interim release restores correct handling of REDIRECT rules.
-
+
7/26/2002 - Shorewall 1.3.5 Released
-
-This will be the last Shorewall release for a while. I'm going to be
- focusing on rewriting a lot of the documentation.
+
+This will be the last Shorewall release for a while. I'm going to be
+focusing on rewriting a lot of the documentation.
-
+
In this version:
-
+
- - Empty and invalid source and destination
- qualifiers are now detected in the rules file.
- It is a good idea to use the 'shorewall check' command
- before you issue a 'shorewall restart' command be be
- sure that you don't have any configuration problems
- that will prevent a successful restart.
+ - Empty and invalid source and destination
+ qualifiers are now detected in the rules
+file. It is a good idea to use the 'shorewall check'
+ command before you issue a 'shorewall restart' command
+be be sure that you don't have any configuration problems
+ that will prevent a successful restart.
- - Added MERGE_HOSTS variable in
- shorewall.conf
- to provide saner behavior of the /etc/shorewall/hosts
+
- Added MERGE_HOSTS variable in
+ shorewall.conf
+to provide saner behavior of the /etc/shorewall/hosts
file.
- - The time that the counters were last reset
- is now displayed in the heading of the 'status'
+
- The time that the counters were last reset
+ is now displayed in the heading of the 'status'
and 'show' commands.
- - A proxyarp option has been
- added for entries in /etc/shorewall/interfaces.
- This option facilitates Proxy ARP sub-netting as described
+
- A proxyarp option has been
+ added for entries in /etc/shorewall/interfaces.
+ This option facilitates Proxy ARP sub-netting as described
in the Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/).
- Specifying the proxyarp option for
- an interface causes Shorewall to set
-/proc/sys/net/ipv4/conf/<interface>/proxy_arp.
+ href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/).
+ Specifying the proxyarp option
+for an interface causes Shorewall to set
+ /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
- - The Samples have been updated to reflect
- the new capabilities in this release.
-
-
-
-
+ The Samples have been updated to reflect
+ the new capabilities in this release.
+
+
+
+
7/16/2002 - New Mirror in Argentina
-
-Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in
- Argentina. Thanks Buanzo!!!
+
+Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in
+ Argentina. Thanks Buanzo!!!
-
+
7/16/2002 - Shorewall 1.3.4 Released
-
+
In this version:
-
+
- - A new
- /etc/shorewall/routestopped file
-has been added. This file is intended to eventually
-replace the routestopped option in the
- /etc/shorewall/interface and /etc/shorewall/hosts
- files. This new file makes remote firewall administration
- easier by allowing any IP or subnet to be enabled
- while Shorewall is stopped.
+ - A new
+ /etc/shorewall/routestopped file
+ has been added. This file is intended to eventually
+ replace the routestopped option in the
+ /etc/shorewall/interface and /etc/shorewall/hosts
+ files. This new file makes remote firewall administration
+ easier by allowing any IP or subnet to be enabled
+ while Shorewall is stopped.
- - An /etc/shorewall/stopped extension script has been
- added. This script is invoked after Shorewall
- has stopped.
+ - An /etc/shorewall/stopped extension script has been
+ added. This script is invoked after Shorewall
+ has stopped.
- - A DETECT_DNAT_ADDRS option
- has been added to /etc/shoreall/shorewall.conf.
- When this option is selected, DNAT rules
-only apply when the destination address
- is the external interface's primary IP address.
+ - A DETECT_DNAT_ADDRS option
+ has been added to /etc/shoreall/shorewall.conf.
+ When this option is selected, DNAT rules only
+ apply when the destination address is the
+ external interface's primary IP address.
- - The QuickStart
- Guide has been broken into three
- guides and has been almost entirely rewritten.
+ - The QuickStart
+ Guide has been broken into three
+ guides and has been almost entirely rewritten.
- - The Samples have been updated to reflect
- the new capabilities in this release.
-
-
-
-
+ The Samples have been updated to reflect
+ the new capabilities in this release.
+
+
+
+
7/8/2002 - Shorewall 1.3.3 Debian Package Available
-
+
Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
7/6/2002 - Shorewall 1.3.3 Released
-
+
In this version:
-
+
- - Entries in /etc/shorewall/interface that
- use the wildcard character ("+") now have the "multi"
- option assumed.
+ - Entries in /etc/shorewall/interface that
+ use the wildcard character ("+") now have the
+"multi" option assumed.
- - The 'rfc1918' chain in the mangle table
- has been renamed 'man1918' to make log messages
- generated from that chain distinguishable from those
+
- The 'rfc1918' chain in the mangle table
+ has been renamed 'man1918' to make log messages
+ generated from that chain distinguishable from those
generated by the 'rfc1918' chain in the filter table.
- - Interface names appearing in the hosts
- file are now validated against the interfaces
+
- Interface names appearing in the hosts
+ file are now validated against the interfaces
file.
- - The TARGET column in the rfc1918 file is
- now checked for correctness.
+ - The TARGET column in the rfc1918 file is
+ now checked for correctness.
- - The chain structure in the nat table has
- been changed to reduce the number of rules that
- a packet must traverse and to correct problems with
+
- The chain structure in the nat table has
+ been changed to reduce the number of rules that
+a packet must traverse and to correct problems with
NAT_BEFORE_RULES=No
- - The "hits" command has been enhanced.
-
-
-
-
+ The "hits" command has been enhanced.
+
+
+
+
6/25/2002 - Samples Updated for 1.3.2
-
-The comments in the sample configuration files have been updated to reflect
- new features introduced in Shorewall
- 1.3.2.
+
+The comments in the sample configuration files have been updated to reflect
+ new features introduced in Shorewall
+ 1.3.2.
-
+
6/25/2002 - Shorewall 1.3.1 Debian Package Available
-
+
Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
6/19/2002 - Documentation Available in PDF Format
-
-Thanks to Mike Martinez, the Shorewall Documentation is now available for
- download in Adobe
- PDF format.
+
+Thanks to Mike Martinez, the Shorewall Documentation is now available
+for download in Adobe PDF format.
-
+
6/16/2002 - Shorewall 1.3.2 Released
-
+
In this version:
-
+
-
+
6/6/2002 - Why CVS Web access is Password Protected
-
-Last weekend, I installed the CVS Web package to provide brower-based access
- to the Shorewall CVS repository. Since then, I have had several instances
-where my server was almost unusable due to the high load generated by website
-copying tools like HTTrack and WebStripper. These mindless tools:
+
+Last weekend, I installed the CVS Web package to provide brower-based
+access to the Shorewall CVS repository. Since then, I have had several
+instances where my server was almost unusable due to the high load generated
+by website copying tools like HTTrack and WebStripper. These mindless tools:
-
+
- - Ignore robot.txt files.
+ - Ignore robot.txt files.
- - Recursively copy everything that they find.
+ - Recursively copy everything that they find.
- - Should be classified as weapons rather than
- tools.
-
-
-
-
+ Should be classified as weapons rather
+than tools.
-These tools/weapons are particularly damaging when combined with CVS Web
- because they doggedly follow every
- link in the cgi-generated HTML resulting in
- 1000s of executions of the cvsweb.cgi script. Yesterday,
- I spend several hours implementing measures to block
- these tools but unfortunately, these measures resulted
- in my server OOM-ing under even moderate load.
+
-
-Until I have the time to understand the cause of the OOM (or until I buy
- more RAM if that is what is required),
- CVS Web access will remain Password Protected.
-
+
+These tools/weapons are particularly damaging when combined with CVS Web
+ because they doggedly follow every
+ link in the cgi-generated HTML resulting
+ in 1000s of executions of the cvsweb.cgi script.
+ Yesterday, I spend several hours implementing measures
+ to block these tools but unfortunately, these measures
+ resulted in my server OOM-ing under even moderate
+load.
-
+
+Until I have the time to understand the cause of the OOM (or until I buy
+ more RAM if that is what is required),
+ CVS Web access will remain Password Protected.
+
+
+
+
6/5/2002 - Shorewall 1.3.1 Debian Package Available
-
+
Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
6/2/2002 - Samples Corrected
-
-The 1.3.0 samples configurations had several serious problems that prevented
- DNS and SSH from working properly.
- These problems have been corrected in the
- 1.3.1 samples.
+
+The 1.3.0 samples configurations had several serious problems that prevented
+ DNS and SSH from working properly.
+ These problems have been corrected in the
+ 1.3.1 samples.
-
+
6/1/2002 - Shorewall 1.3.1 Released
-
+
Hot on the heels of 1.3.0, this release:
-
+
- - Corrects a serious problem with "all
- <zone> CONTINUE" policies. This
- problem is present in all versions of Shorewall that
- support the CONTINUE policy. These previous versions
- optimized away the "all2<zone>" chain
-and replaced it with the "all2all" chain with the usual result
-that a policy of REJECT was enforced rather than the intended
- CONTINUE policy.
+ - Corrects a serious problem with "all
+ <zone> CONTINUE" policies. This
+ problem is present in all versions of Shorewall that
+ support the CONTINUE policy. These previous versions
+ optimized away the "all2<zone>"
+ chain and replaced it with the "all2all" chain with the usual
+ result that a policy of REJECT was enforced rather than the
+intended CONTINUE policy.
- - Adds an /etc/shorewall/rfc1918
- file for defining the exact behavior of theAdds an /etc/shorewall/rfc1918
+ file for defining the exact behavior of the 'norfc1918' interface option.
-
+
-
+
5/29/2002 - Shorewall 1.3.0 Released
-
-In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0
- includes:
+
+In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0
+ includes:
-
+
- - A 'filterping' interface option that allows
- ICMP echo-request (ping) requests addressed
- to the firewall to be handled by entries in /etc/shorewall/rules
+
- A 'filterping' interface option that allows
+ ICMP echo-request (ping) requests addressed
+ to the firewall to be handled by entries in /etc/shorewall/rules
and /etc/shorewall/policy.
-
+
-
+
5/23/2002 - Shorewall 1.3 RC1 Available
-
-In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92)
- incorporates the following:
+
+In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92)
+ incorporates the following:
-
+
- - Support for the /etc/shorewall/whitelist
- file has been withdrawn. If you need whitelisting,
- see these
- instructions.
+ - Support for the /etc/shorewall/whitelist
+ file has been withdrawn. If you need whitelisting,
+ see these
+ instructions.
-
+
-
+
5/19/2002 - Shorewall 1.3 Beta 2 Available
-
-In addition to the changes in Beta 1, this release which carries the
- designation 1.2.91 adds:
+
+In addition to the changes in Beta 1, this release which carries the
+designation 1.2.91 adds:
-
+
-
+
5/17/2002 - Shorewall 1.3 Beta 1 Available
-
-Beta 1 carries the version designation 1.2.90 and implements the following
- features:
+
+Beta 1 carries the version designation 1.2.90 and implements the following
+ features:
-
+
- - Simplified rule syntax which makes the
-intent of each rule clearer and hopefully makes
+
- Simplified rule syntax which makes the
+ intent of each rule clearer and hopefully makes
Shorewall easier to learn.
- - Upward compatibility with 1.2 configuration
- files has been maintained so that current users
- can migrate to the new syntax at their convenience.
+ - Upward compatibility with 1.2 configuration
+ files has been maintained so that current
+users can migrate to the new syntax at their convenience.
- - WARNING: Compatibility
- with the old parameterized sample configurations has NOT
- been maintained. Users still running those configurations
- should migrate to the new sample configurations
+
- WARNING: Compatibility
+ with the old parameterized sample configurations has
+NOT been maintained. Users still running those configurations
+ should migrate to the new sample configurations
before upgrading to 1.3 Beta 1.
-
+
-
+
5/4/2002 - Shorewall 1.2.13 is Available
-
+
In this version:
-
+
+ The order in which port forwarding DNAT
+ and Static DNAT can now be reversed so
+that port forwarding rules can override the contents
+ of /etc/shorewall/nat.
+
+
+
+
+
4/30/2002 - Shorewall Debian News
-
-Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the Debian
-Testing Branch and the Debian
-Unstable Branch.
+
+Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the
+Debian
+ Testing Branch and the Debian
+ Unstable Branch.
-
+
4/20/2002 - Shorewall 1.2.12 is Available
-
+
- - The 'try' command works again
+ - The 'try' command works again
- - There is now a single RPM that also works
- with SuSE.
-
-
-
-
+ There is now a single RPM that also works
+ with SuSE.
+
+
+
+
4/17/2002 - Shorewall Debian News
-
+
Lorenzo Marignoni reports that:
-
+
+ Shorewall 1.2.11 is in the Debian
+ Unstable Branch
+
+
+
+
Thanks, Lorenzo!
-
+
4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE
-
-Thanks to Stefan Mohr, there
- is now a Shorewall 1.2.11
+
+Thanks to Stefan Mohr, there
+ is now a Shorewall 1.2.11
SuSE RPM available.
-
+
4/13/2002 - Shorewall 1.2.11 Available
-
+
In this version:
-
+
- - The 'try' command now accepts an optional
- timeout. If the timeout is given in the command,
- the standard configuration will automatically be
- restarted after the new configuration has been running
- for that length of time. This prevents a remote admin
- from being locked out of the firewall in the case where
- the new configuration starts but prevents access.
+ - The 'try' command now accepts an optional
+ timeout. If the timeout is given in the command,
+ the standard configuration will automatically be
+ restarted after the new configuration has been running
+ for that length of time. This prevents a remote admin
+ from being locked out of the firewall in the case where
+ the new configuration starts but prevents access.
- - Kernel route filtering may now be enabled
- globally using the new ROUTE_FILTER parameter
+
- Kernel route filtering may now be enabled
+ globally using the new ROUTE_FILTER parameter
in /etc/shorewall/shorewall.conf.
- - Individual IP source addresses and/or subnets
+
- Individual IP source addresses and/or subnets
may now be excluded from masquerading/SNAT.
- - Simple "Yes/No" and "On/Off" values are
- now case-insensitive in /etc/shorewall/shorewall.conf.
+ - Simple "Yes/No" and "On/Off" values are
+ now case-insensitive in /etc/shorewall/shorewall.conf.
-
+
-
+
4/13/2002 - Hamburg Mirror now has FTP
-
+
Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall.
- Thanks Stefan!
+ href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall.
+ Thanks Stefan!
-
+
4/12/2002 - New Mirror in Hamburg
-
-Thanks to Stefan Mohr, there
- is now a mirror of the Shorewall website
- at http://germany.shorewall.net.
-
+
+Thanks to Stefan Mohr, there
+ is now a mirror of the Shorewall
+website at http://germany.shorewall.net.
+
-
+
4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available
-
-Version 1.1 of the QuickStart
- Guide is now available. Thanks
- to those who have read version 1.0 and offered
- their suggestions. Corrections have also been made
- to the sample scripts.
+
+Version 1.1 of the QuickStart
+ Guide is now available. Thanks
+ to those who have read version 1.0 and offered
+ their suggestions. Corrections have also been made
+ to the sample scripts.
-
+
4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available
-
-Version 1.0 of the QuickStart
- Guide is now available. This Guide
- and its accompanying sample configurations
- are expected to provide a replacement for the recently
- withdrawn parameterized samples.
+
+Version 1.0 of the QuickStart
+ Guide is now available. This
+Guide and its accompanying sample configurations
+ are expected to provide a replacement for the recently
+ withdrawn parameterized samples.
-
+
4/8/2002 - Parameterized Samples Withdrawn
-
+
Although the parameterized
- samples have allowed people to
- get a firewall up and running quickly, they
- have unfortunately set the wrong level of expectation
- among those who have used them. I am therefore
- withdrawing support for the samples and I am recommending
- that they not be used in new Shorewall installations.
+ href="http://www.shorewall.net/pub/shorewall/samples-1.2.1/">parameterized
+ samples have allowed people
+to get a firewall up and running quickly,
+ they have unfortunately set the wrong level of expectation
+ among those who have used them. I am therefore
+ withdrawing support for the samples and I am recommending
+ that they not be used in new Shorewall installations.
-
+
4/2/2002 - Updated Log Parser
-
-John Lodge has provided an updated
- version of his CGI-based log parser
- with corrected date handling.
+
+John Lodge has provided an updated
+ version of his CGI-based log parser
+ with corrected date handling.
-
+
3/30/2002 - Shorewall Website Search Improvements
-
-The quick search on the home page now excludes the mailing list archives.
- The Extended
- Search allows excluding the archives
- or restricting the search to just the archives. An archive
- search form is also available on the mailing list information
- page.
+
+The quick search on the home page now excludes the mailing list archives.
+ The Extended
+ Search allows excluding the archives
+ or restricting the search to just the archives. An archive
+ search form is also available on the mailing list information
+ page.
-
+
3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)
-
+
+ Shorewall 1.2.9 is now in the Debian
+ Unstable Distribution.
+
+
+
+
3/25/2002 - Log Parser Available
-
+
John Lodge has provided a CGI-based log parser for Shorewall. Thanks
- John.
+ href="pub/shorewall/parsefw/">CGI-based log parser for Shorewall. Thanks
+ John.
-
+
3/20/2002 - Shorewall 1.2.10 Released
-
+
In this version:
-
+
- - A "shorewall try" command has been added
- (syntax: shorewall try <configuration
- directory>). This command attempts "shorewall
- -c <configuration directory> start"
- and if that results in the firewall being stopped due
- to an error, a "shorewall start" command is executed.
- The 'try' command allows you to create a new configuration and attempt
- to start it; if there is an error that leaves your
-firewall in the stopped state, it will automatically be restarted
- using the default configuration (in /etc/shorewall).
+ - A "shorewall try" command has been added
+ (syntax: shorewall try <configuration
+ directory>). This command attempts "shorewall
+ -c <configuration directory> start"
+ and if that results in the firewall being stopped due
+ to an error, a "shorewall start" command is executed.
+The 'try' command allows you to create a new configuration and attempt
+ to start it; if there is an error that leaves your firewall
+ in the stopped state, it will automatically be restarted
+ using the default configuration (in /etc/shorewall).
- - A new variable ADD_SNAT_ALIASES has been
- added to /etc/shorewall/shorewall.conf.
- If this variable is set to "Yes", Shorewall
- will automatically add IP addresses listed
- in the third column of the
- /etc/shorewall/masq file.
+ - A new variable ADD_SNAT_ALIASES has been
+ added to /etc/shorewall/shorewall.conf.
+ If this variable is set to "Yes", Shorewall
+ will automatically add IP addresses listed
+ in the third column of the
+ /etc/shorewall/masq file.
- - Copyright notices have been added to the
- documenation.
-
-
-
-
+ Copyright notices have been added to the
+ documenation.
+
+
+
+
3/11/2002 - Shorewall 1.2.9 Released
-
+
In this version:
-
+
-
+
3/1/2002 - 1.2.8 Debian Package is Available
-
+
See http://security.dsi.unimi.it/~lorenzo/debian.html
-
+
2/25/2002 - New Two-interface Sample
-
-I've enhanced the two interface sample to allow access from the firewall
- to servers in the local zone -
+
+I've enhanced the two interface sample to allow access from the firewall
+ to servers in the local zone -
http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz
-
+
2/23/2002 - Shorewall 1.2.8 Released
-
-Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
- problems associated with the lock file used to prevent multiple state-changing
- operations from occuring simultaneously.
- My apologies for any inconvenience my carelessness
- may have caused.
+
+Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
+ problems associated with the lock file used to prevent multiple state-changing
+ operations from occuring simultaneously.
+ My apologies for any inconvenience my
+ carelessness may have caused.
-
+
2/22/2002 - Shorewall 1.2.7 Released
-
+
In this version:
-
+
- - UPnP probes (UDP destination port 1900)
- are now silently dropped in the common
- chain
+ - UPnP probes (UDP destination port 1900)
+ are now silently dropped in the common
+ chain
- - RFC 1918 checking in the mangle table has
- been streamlined to no longer require packet
- marking. RFC 1918 checking in the filter table has
- been changed to require half as many rules as previously.
+ - RFC 1918 checking in the mangle table has
+ been streamlined to no longer require packet
+ marking. RFC 1918 checking in the filter table has
+ been changed to require half as many rules as previously.
- - A 'shorewall check' command has been added
- that does a cursory validation of the zones, interfaces,
- hosts, rules and policy files.
+ - A 'shorewall check' command has been added
+ that does a cursory validation of the zones,
+ interfaces, hosts, rules and policy files.
-
+
-
+
2/18/2002 - 1.2.6 Debian Package is Available
-
+
See http://security.dsi.unimi.it/~lorenzo/debian.html
-
+
2/8/2002 - Shorewall 1.2.6 Released
-
+
In this version:
-
+
- - $-variables may now be used anywhere in
+
- $-variables may now be used anywhere in
the configuration files except /etc/shorewall/zones.
- - The interfaces and hosts files now have
- their contents validated before any changes
-are made to the existing Netfilter configuration. The
-appearance of a zone name that isn't defined in /etc/shorewall/zones
- causes "shorewall start" and "shorewall restart"
- to abort without changing the Shorewall state.
- Unknown options in either file cause a warning to be issued.
+ - The interfaces and hosts files now have
+ their contents validated before any changes are
+ made to the existing Netfilter configuration. The appearance
+ of a zone name that isn't defined in /etc/shorewall/zones
+ causes "shorewall start" and "shorewall restart"
+ to abort without changing the Shorewall state.
+ Unknown options in either file cause a warning to be issued.
- - A problem occurring when BLACKLIST_LOGLEVEL
- was not set has been corrected.
-
-
-
-
+ A problem occurring when BLACKLIST_LOGLEVEL
+ was not set has been corrected.
+
+
+
+
2/4/2002 - Shorewall 1.2.5 Debian Package Available
-
+
see http://security.dsi.unimi.it/~lorenzo/debian.html
-
+
2/1/2002 - Shorewall 1.2.5 Released
-
-Due to installation problems with Shorewall 1.2.4, I have released Shorewall
+
+
Due to installation problems with Shorewall 1.2.4, I have released Shorewall
1.2.5. Sorry for the rapid-fire development.
-
+
In version 1.2.5:
-
+
- - The installation problems have been corrected.
+ - The installation problems have been corrected.
- - SNAT is now supported.
+ - SNAT is now supported.
- - A "shorewall version" command has been added
+ - A "shorewall version" command has been
+added
- - The default value of the STATEDIR variable
- in /etc/shorewall/shorewall.conf has been changed
- to /var/lib/shorewall in order to conform to the
- GNU/Linux File Hierarchy Standard, Version 2.2.
-
-
-
-
+ The default value of the STATEDIR variable
+ in /etc/shorewall/shorewall.conf has been
+changed to /var/lib/shorewall in order to conform
+to the GNU/Linux File Hierarchy Standard, Version
+ 2.2.
-1/28/2002 - Shorewall 1.2.4 Released
-
-
-
-
-
- - The "fw" zone may
- now be given a different name.
-
- - You may now place end-of-line comments
-(preceded by '#') in any of the configuration
- files
-
- - There is now protection against against
- two state changing operations occuring concurrently.
- This is implemented using the 'lockfile' utility
- if it is available (lockfile is part of procmail);
- otherwise, a less robust technique is used. The lockfile
- is created in the STATEDIR defined in /etc/shorewall/shorewall.conf
- and has the name "lock".
-
- - "shorewall start" no longer fails if "detect"
- is specified in /etc/shorewall/interfaces
- for an interface with subnet mask 255.255.255.255.
-
-
-
-
+
+1/28/2002 - Shorewall 1.2.4 Released
+
+
+
+
+
+ - The "fw" zone may
+ now be given a different name.
+
+ - You may now place end-of-line comments
+ (preceded by '#') in any of the configuration
+ files
+
+ - There is now protection against against
+ two state changing operations occuring concurrently.
+ This is implemented using the 'lockfile' utility
+ if it is available (lockfile is part of procmail);
+ otherwise, a less robust technique is used. The lockfile
+ is created in the STATEDIR defined in /etc/shorewall/shorewall.conf
+ and has the name "lock".
+
+ - "shorewall start" no longer fails if "detect"
+ is specified in /etc/shorewall/interfaces
+ for an interface with subnet mask 255.255.255.255.
+
+
+
+
+
+
+
1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html
-
+
1/20/2002 - Corrected firewall script available
-
-Corrects a problem with BLACKLIST_LOGLEVEL. See the
+
+Corrects a problem with BLACKLIST_LOGLEVEL. See the
errata for details.
-
+
1/19/2002 - Shorewall 1.2.3 Released
-
+
This is a minor feature and bugfix release. The single new feature is:
-
+
- - Support for TCP MSS Clamp to PMTU -- This
- support is usually required when the internet
- connection is via PPPoE or PPTP and may be enabled
- using the CLAMPMSS
- option in /etc/shorewall/shorewall.conf.
+ - Support for TCP MSS Clamp to PMTU -- This
+ support is usually required when the internet
+ connection is via PPPoE or PPTP and may be enabled
+ using the CLAMPMSS
+ option in /etc/shorewall/shorewall.conf.
-
+
-
+
The following problems were corrected:
-
+
- - The "shorewall status" command no longer
- hangs.
+ - The "shorewall status" command no longer
+ hangs.
- - The "shorewall monitor" command now displays
+
- The "shorewall monitor" command now displays
the icmpdef chain
- - The CLIENT PORT(S) column in tcrules is
-no longer ignored
+ - The CLIENT PORT(S) column in tcrules is
+ no longer ignored
-
+
-
+
1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release
-
-Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution
- that includes Shorewall 1.2.2. See
-http://leaf.sourceforge.net/devel/jnilo
+
+
Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution
+ that includes Shorewall 1.2.2. See
+http://leaf.sourceforge.net/devel/jnilo
for details.
-
+
1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2
- Shorewall Debian package is now available.
- There is a link to Lorenzo's site from the
-Shorewall download page.
+ href="mailto:lorenzo.martignoni@milug.org">Lorenzo Martignoni, a 1.2.2
+ Shorewall Debian package is now available.
+ There is a link to Lorenzo's site from the
+ Shorewall download page.
-
+
1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores
- the "shorewall status" command to health.
+ href="/pub/shorewall/errata/1.2.2/shorewall">This corrected version restores
+ the "shorewall status" command to
+health.
-
+
1/8/2002 - Shorewall 1.2.2 Released
-
+
In version 1.2.2
-
+
- - Support for IP blacklisting has been added
+
- Support for IP blacklisting has been added
+
-
-
+
- - You specify whether you want packets
- from blacklisted hosts dropped or rejected
- using the BLACKLIST_DISPOSITION
- setting in /etc/shorewall/shorewall.conf
+ - You specify whether you want packets
+ from blacklisted hosts dropped or rejected
+ using the BLACKLIST_DISPOSITION
+ setting in /etc/shorewall/shorewall.conf
- - You specify whether you want packets
- from blacklisted hosts logged and at what
- syslog level using the BLACKLIST_LOGLEVEL
- setting in /etc/shorewall/shorewall.conf
+ - You specify whether you want packets
+ from blacklisted hosts logged and at what
+ syslog level using the BLACKLIST_LOGLEVEL
+ setting in /etc/shorewall/shorewall.conf
- - You list the IP addresses/subnets that
- you wish to blacklist in You list the IP addresses/subnets that
+ you wish to blacklist in /etc/shorewall/blacklist
- - You specify the interfaces you want
- checked against the blacklist using the
- new "blacklist"
- option in /etc/shorewall/interfaces.
+ - You specify the interfaces you want
+ checked against the blacklist using the
+ new "blacklist"
+ option in /etc/shorewall/interfaces.
- - The black list is refreshed from /etc/shorewall/blacklist
- by the "shorewall refresh" command.
+ - The black list is refreshed from /etc/shorewall/blacklist
+ by the "shorewall refresh" command.
-
+
-
+
- - Use of TCP RST replies has been expanded
+
- Use of TCP RST replies has been expanded
-
+
- - TCP connection requests rejected because
- of a REJECT policy are now replied with a
- TCP RST packet.
+ - TCP connection requests rejected because
+ of a REJECT policy are now replied with a
+TCP RST packet.
- - TCP connection requests rejected because
- of a protocol=all rule in /etc/shorewall/rules
+
- TCP connection requests rejected because
+ of a protocol=all rule in /etc/shorewall/rules
are now replied with a TCP RST packet.
@@ -3486,842 +3524,853 @@ no longer ignored
-
+
-
+
- A LOGFILE
- specification has been added to /etc/shorewall/shorewall.conf.
- LOGFILE is used to tell the /sbin/shorewall program
-where to look for Shorewall messages.
+ A LOGFILE
+ specification has been added to /etc/shorewall/shorewall.conf.
+ LOGFILE is used to tell the /sbin/shorewall program
+ where to look for Shorewall messages.
-
+
-
+
1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates
- to the previously-released samples.
-There are two new rules added:
+ target="_blank">version 1.2.0) released. These are minor updates
+ to the previously-released samples.
+ There are two new rules added:
-
+
- - Unless you have explicitly enabled Auth
-connections (tcp port 113) to your firewall, these
- connections will be REJECTED rather than DROPPED.
- This speeds up connection establishment to some servers.
+ - Unless you have explicitly enabled Auth
+ connections (tcp port 113) to your firewall, these
+ connections will be REJECTED rather than DROPPED.
+ This speeds up connection establishment to some servers.
- - Orphan DNS replies are now silently dropped.
+ - Orphan DNS replies are now silently dropped.
-
+
-
+
See the README file for upgrade instructions.
-
+
1/1/2002 - Shorewall Mailing List Moving
-
-The Shorewall mailing list hosted at
- Sourceforge is moving to Shorewall.net.
- If you are a current subscriber to the list
- at Sourceforge, please see these instructions.
- If you would like to subscribe to the
-new list, visit The Shorewall mailing list hosted at
+ Sourceforge is moving to Shorewall.net.
+ If you are a current subscriber to the list
+ at Sourceforge, please see these instructions.
+ If you would like to subscribe to the
+ new list, visit http://www.shorewall.net/mailman/listinfo/shorewall-users.
-
+
12/31/2001 - Shorewall 1.2.1 Released
-
+
In version 1.2.1:
-
+
-
-12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist releasing
-1.2 on 12/21/2001
+
+12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist
+releasing 1.2 on 12/21/2001
-
+
Version 1.2 contains the following new features:
-
+
-
-For the next month or so, I will continue to provide corrections to version
- 1.1.18 as necessary so that current
- version 1.1.x users will not be forced into
- a quick upgrade to 1.2.0 just to have access to bug
-fixes.
+
+For the next month or so, I will continue to provide corrections to version
+ 1.1.18 as necessary so that current
+ version 1.1.x users will not be forced into
+ a quick upgrade to 1.2.0 just to have access to bug fixes.
-
-For those of you who have installed one of the Beta RPMS, you will need
- to use the "--oldpackage" option when
- upgrading to 1.2.0:
+
+For those of you who have installed one of the Beta RPMS, you will need
+ to use the "--oldpackage" option
+when upgrading to 1.2.0:
-
-
+
+
-
+
rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm
-
+
-
-12/19/2001 - Thanks to Steve
- Cowles, there is now a Shorewall
- mirror in Texas. This web site is mirrored
- at http://www.infohiiway.com/shorewall
+
+
12/19/2001 - Thanks to Steve
+ Cowles, there is now a Shorewall
+ mirror in Texas. This web site is mirrored
+ at http://www.infohiiway.com/shorewall
and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall.
-
+
11/30/2001 - A new set of the parameterized Sample
-Configurations has been released. In this version:
+ href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.18">Sample
+ Configurations has been released. In this version:
-
+
- - Ping is now allowed between the zones.
+ - Ping is now allowed between the zones.
- - In the three-interface configuration, it
- is now possible to configure the internet services
+
- In the three-interface configuration, it
+ is now possible to configure the internet services
that are to be available to servers in the DMZ.
-
+
-
+
11/20/2001 - The current version of Shorewall is 1.1.18.
-
+
In this version:
-
+
- - The spelling of ADD_IP_ALIASES has been
-corrected in the shorewall.conf file
+ - The spelling of ADD_IP_ALIASES has been
+ corrected in the shorewall.conf file
- - The logic for deleting user-defined chains
- has been simplified so that it avoids a bug in
- the LRP version of the 'cut' utility.
+ - The logic for deleting user-defined chains
+ has been simplified so that it avoids a bug in
+the LRP version of the 'cut' utility.
- - The /var/lib/lrpkg/shorwall.conf file has
- been corrected to properly display the NAT
- entry in that file.
+ - The /var/lib/lrpkg/shorwall.conf file has
+ been corrected to properly display the NAT
+entry in that file.
-
+
-
-11/19/2001 - Thanks to Juraj
- Ontkanin, there is now a
-Shorewall mirror in the Slovak Republic.
- The website is now mirrored at http://www.nrg.sk/mirror/shorewall
+
+
11/19/2001 - Thanks to Juraj
+ Ontkanin, there is now a
+Shorewall mirror in the Slovak Republic.
+ The website is now mirrored at http://www.nrg.sk/mirror/shorewall
and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.
-
-11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations.
+
+
11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations.
There are three sample configurations:
-
+
- - One Interface -- for a standalone system.
+ - One Interface -- for a standalone system.
- - Two Interfaces -- A masquerading firewall.
+ - Two Interfaces -- A masquerading firewall.
- - Three Interfaces -- A masquerading firewall
+
- Three Interfaces -- A masquerading firewall
with DMZ.
-
+
-
+
Samples may be downloaded from ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17
+ href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17"> ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17
. See the README file for instructions.
-
-11/1/2001 - The current version of Shorewall is 1.1.17. I intend
- this to be the last of the
+
+
11/1/2001 - The current version of Shorewall is 1.1.17. I intend
+ this to be the last of the
1.1 Shorewall releases.
-
+
In this version:
-
+
-
-10/22/2001 - The current version of Shorewall is 1.1.16. In this
+
+
10/22/2001 - The current version of Shorewall is 1.1.16. In this
version:
-
+
- - A new "shorewall show connections" command
- has been added.
+ - A new "shorewall show connections" command
+ has been added.
- - In the "shorewall monitor" output, the currently
- tracked connections are now shown on a separate
- page.
+ - In the "shorewall monitor" output, the
+currently tracked connections are now shown
+ on a separate page.
- - Prior to this release, Shorewall unconditionally
- added the external IP adddress(es) specified
- in /etc/shorewall/nat. Beginning with version
- 1.1.16, a new parameter (ADD_IP_ALIASES)
- may be set to "no" (or "No") to inhibit
- this behavior. This allows IP aliases created
-using your distribution's network configuration
- tools to be used in static NAT.
+ - Prior to this release, Shorewall unconditionally
+ added the external IP adddress(es) specified
+ in /etc/shorewall/nat. Beginning with version
+ 1.1.16, a new parameter (ADD_IP_ALIASES)
+ may be set to "no" (or "No") to inhibit
+ this behavior. This allows IP aliases created
+ using your distribution's network configuration
+ tools to be used in static NAT.
-
+
-
-10/15/2001 - The current version of Shorewall is 1.1.15. In this
+
+
10/15/2001 - The current version of Shorewall is 1.1.15. In this
version:
-
+
- - Support for nested zones has been improved.
- See the documentation
- for details
+ - Support for nested zones has been improved.
+ See the documentation
+ for details
- - Shorewall now correctly checks the alternate
+
- Shorewall now correctly checks the alternate
configuration directory for the 'zones' file.
-
+
-
-10/4/2001 - The current version of Shorewall is 1.1.14. In this
- version
+
+10/4/2001 - The current version of Shorewall is 1.1.14. In this
+ version
-
+
- - Shorewall now supports alternate configuration
- directories. When an alternate directory is
- specified when starting or restarting Shorewall
- (e.g., "shorewall -c /etc/testconf restart"), Shorewall
- will first look for configuration files in the alternate
- directory then in /etc/shorewall. To create an
-alternate configuration simply:
+ - Shorewall now supports alternate configuration
+ directories. When an alternate directory
+ is specified when starting or restarting Shorewall
+ (e.g., "shorewall -c /etc/testconf restart"), Shorewall
+ will first look for configuration files in the alternate
+ directory then in /etc/shorewall. To create an alternate
+ configuration simply:
- 1. Create a New Directory
+ 1. Create a New Directory
- 2. Copy to that directory any of your configuration
+ 2. Copy to that directory any of your configuration
files that you want to change.
- 3. Modify the copied files as needed.
+ 3. Modify the copied files as needed.
- 4. Restart Shorewall specifying the new directory.
+ 4. Restart Shorewall specifying the new directory.
- - The rules for allowing/disallowing icmp
- echo-requests (pings) are now moved after rules
- created when processing the rules file. This allows
- you to add rules that selectively allow/deny ping based
- on source or destination address.
+ - The rules for allowing/disallowing icmp
+ echo-requests (pings) are now moved after rules
+ created when processing the rules file. This allows
+ you to add rules that selectively allow/deny ping
+based on source or destination address.
- - Rules that specify multiple client ip addresses
- or subnets no longer cause startup failures.
+ - Rules that specify multiple client ip addresses
+ or subnets no longer cause startup failures.
- - Zone names in the policy file are now validated
- against the zones file.
+ - Zone names in the policy file are now validated
+ against the zones file.
- - If you have packet mangling
- support enabled, the "norfc1918" interface
-option now logs and drops any incoming packets on the interface
- that have an RFC 1918 destination address.
+ - If you have packet mangling
+ support enabled, the "norfc1918"
+interface option now logs and drops any incoming packets on
+the interface that have an RFC 1918 destination address.
-
+
-
-9/12/2001 - The current version of Shorewall is 1.1.13. In this
- version
+
+9/12/2001 - The current version of Shorewall is 1.1.13. In this
+ version
-
+
-
-8/28/2001 - The current version of Shorewall is 1.1.12. In this
- version
+
+8/28/2001 - The current version of Shorewall is 1.1.12. In this
+ version
-
+
- - Several columns in the rules file may now
+
- Several columns in the rules file may now
contain comma-separated lists.
- - Shorewall is now more rigorous in parsing
- the options in /etc/shorewall/interfaces.
+ - Shorewall is now more rigorous in parsing
+ the options in /etc/shorewall/interfaces.
- - Complementation using "!" is now supported
- in rules.
+ - Complementation using "!" is now supported
+ in rules.
-
+
-
-7/28/2001 - The current version of Shorewall is 1.1.11. In this
- version
+
+7/28/2001 - The current version of Shorewall is 1.1.11. In this
+ version
-
+
- - A "shorewall refresh" command has been added
- to allow for refreshing the rules associated
- with the broadcast address on a dynamic interface.
- This command should be used in place of "shorewall
- restart" when the internet interface's IP address changes.
+ - A "shorewall refresh" command has been
+added to allow for refreshing the rules associated
+ with the broadcast address on a dynamic interface.
+ This command should be used in place of "shorewall
+ restart" when the internet interface's IP address changes.
- - The /etc/shorewall/start file (if any) is
- now processed after all temporary rules have
- been deleted. This change prevents the accidental
- removal of rules added during the processing of that
- file.
+ - The /etc/shorewall/start file (if any)
+is now processed after all temporary rules have
+ been deleted. This change prevents the accidental
+ removal of rules added during the processing of that
+ file.
- - The "dhcp" interface option is now applicable
- to firewall interfaces used by a DHCP server
+
- The "dhcp" interface option is now applicable
+ to firewall interfaces used by a DHCP server
running on the firewall.
- - The RPM can now be built from the .tgz file
- using "rpm -tb"
+ - The RPM can now be built from the .tgz
+file using "rpm -tb"
-
+
-
-7/6/2001 - The current version of Shorewall is 1.1.10. In this version
+
+7/6/2001 - The current version of Shorewall is 1.1.10. In this
+version
-
+
- - Shorewall now enables Ipv4 Packet Forwarding
- by default. Packet forwarding may be disabled
- by specifying IP_FORWARD=Off in /etc/shorewall/shorewall.conf.
- If you don't want Shorewall to enable or
- disable packet forwarding, add IP_FORWARDING=Keep
-to your /etc/shorewall/shorewall.conf file.
+ - Shorewall now enables Ipv4 Packet Forwarding
+ by default. Packet forwarding may be disabled
+ by specifying IP_FORWARD=Off in /etc/shorewall/shorewall.conf.
+ If you don't want Shorewall to enable or
+ disable packet forwarding, add IP_FORWARDING=Keep
+ to your /etc/shorewall/shorewall.conf file.
- - The "shorewall hits" command no longer lists
- extraneous service names in its last report.
+ - The "shorewall hits" command no longer
+lists extraneous service names in its last report.
- - Erroneous instructions in the comments at
- the head of the firewall script have been corrected.
+ - Erroneous instructions in the comments
+at the head of the firewall script have been
+corrected.
-
+
-
-6/23/2001 - The current version of Shorewall is 1.1.9. In this version
+
+6/23/2001 - The current version of Shorewall is 1.1.9. In this
+version
-
+
- - The "tunnels" file really is in
- the RPM now.
+ - The "tunnels" file really is
+in the RPM now.
- - SNAT can now be applied to port-forwarded
- connections.
+ - SNAT can now be applied to port-forwarded
+ connections.
- - A bug which would cause firewall start
-failures in some dhcp configurations has been fixed.
+ - A bug which would cause firewall start
+ failures in some dhcp configurations has been
+fixed.
- - The firewall script now issues a message
- if you have the name of an interface in the second
- column in an entry in /etc/shorewall/masq and that
- interface is not up.
+ - The firewall script now issues a message
+ if you have the name of an interface in the second
+ column in an entry in /etc/shorewall/masq and that
+ interface is not up.
- - You can now configure Shorewall so that
- it doesn't require the NAT
-and/or mangle netfilter modules.
+ - You can now configure Shorewall so that
+ it doesn't require the NAT
+ and/or mangle netfilter modules.
- - Thanks to Alex Polishchuk, the "hits" command
- from seawall is now in shorewall.
+ - Thanks to Alex Polishchuk, the "hits"
+command from seawall is now in shorewall.
- - Support for IPIP tunnels
- has been added.
+ - Support for IPIP tunnels
+ has been added.
-
+
-
-6/18/2001 - The current version of Shorewall is 1.1.8. In this version
+
+6/18/2001 - The current version of Shorewall is 1.1.8. In this
+version
-
+
-
+
6/2/2001 - The current version of Shorewall is 1.1.7. In this version
-
+
- - The TOS rules are now deleted when the
-firewall is stopped.
+ - The TOS rules are now deleted when the
+ firewall is stopped.
- - The .rpm will now install regardless of
-which version of iptables is installed.
+ - The .rpm will now install regardless of
+ which version of iptables is installed.
- - The .rpm will now install without iproute2
- being installed.
+ - The .rpm will now install without iproute2
+ being installed.
- - The documentation has been cleaned up.
+ - The documentation has been cleaned up.
- - The sample configuration files included
- in Shorewall have been formatted to 80 columns
- for ease of editing on a VGA console.
+ - The sample configuration files included
+ in Shorewall have been formatted to 80 columns
+ for ease of editing on a VGA console.
-
+
-
-5/25/2001 - The current version of Shorewall is 1.1.6. In this version
+
+5/25/2001 - The current version of Shorewall is 1.1.6. In this
+version
-
+
- - You may now rate-limit
- the packet log.
+ - You may now rate-limit
+ the packet log.
- - Previous versions of Shorewall have
- an implementation of Static NAT which violates the
- principle of least surprise. NAT only occurs for packets
- arriving at (DNAT) or send from (SNAT) the interface
- named in the INTERFACE column of /etc/shorewall/nat.
- Beginning with version 1.1.6, NAT effective regardless
- of which interface packets come from or are destined to.
- To get compatibility with prior versions, I have added
- a new "ALL "ALL INTERFACES"
- column to /etc/shorewall/nat. By placing "no"
-or "No" in the new column, the NAT behavior of prior
- versions may be retained.
+ - Previous versions of Shorewall have
+ an implementation of Static NAT which violates the
+ principle of least surprise. NAT only occurs for
+ packets arriving at (DNAT) or send from (SNAT) the
+interface named in the INTERFACE column of /etc/shorewall/nat.
+ Beginning with version 1.1.6, NAT effective regardless
+ of which interface packets come from or are destined to.
+ To get compatibility with prior versions, I have added
+ a new "ALL "ALL INTERFACES"
+ column to /etc/shorewall/nat. By placing "no" or
+ "No" in the new column, the NAT behavior of prior
+versions may be retained.
- - The treatment of IPSEC Tunnels where the remote
- gateway is a standalone system has been improved. Previously,
- it was necessary to include an additional rule allowing
- UDP port 500 traffic to pass through the tunnel. Shorewall
- will now create this rule automatically when you place
-the name of the remote peer's zone in a new GATEWAY ZONE column
-in /etc/shorewall/tunnels.
+ - The treatment of IPSEC Tunnels where the remote
+ gateway is a standalone system has been improved. Previously,
+ it was necessary to include an additional rule allowing
+ UDP port 500 traffic to pass through the tunnel. Shorewall
+ will now create this rule automatically when you place the
+name of the remote peer's zone in a new GATEWAY ZONE column in
+/etc/shorewall/tunnels.
-
+
-
-5/20/2001 - The current version of Shorewall is 1.1.5. In this version
+
+5/20/2001 - The current version of Shorewall is 1.1.5. In this
+version
-
+
-
-5/10/2001 - The current version of Shorewall is 1.1.4. In this version
+
+5/10/2001 - The current version of Shorewall is 1.1.4. In this
+version
-
+
- - Accepting RELATED
- connections is now optional.
+ - Accepting RELATED
+ connections is now optional.
- - Corrected problem where if "shorewall start"
- aborted early (due to kernel configuration errors
- for example), superfluous 'sed' error messages
- were reported.
+ - Corrected problem where if "shorewall start"
+ aborted early (due to kernel configuration errors
+ for example), superfluous 'sed' error messages
+ were reported.
- - Corrected rules generated for port redirection.
+ - Corrected rules generated for port redirection.
- - The order in which iptables kernel modules
- are loaded has been corrected (Thanks to Mark
+
- The order in which iptables kernel modules
+ are loaded has been corrected (Thanks to Mark
Pavlidis).
-
+
-
-4/28/2001 - The current version of Shorewall is 1.1.3. In this version
+
+4/28/2001 - The current version of Shorewall is 1.1.3. In this
+version
-
+
- - Correct message issued when Proxy ARP address
+
- Correct message issued when Proxy ARP address
added (Thanks to Jason Kirtland).
- - /tmp/shorewallpolicy-$$ is now removed
-if there is an error while starting the firewall.
+ - /tmp/shorewallpolicy-$$ is now removed
+ if there is an error while starting the firewall.
- - /etc/shorewall/icmp.def and /etc/shorewall/common.def
- are now used to define the icmpdef and common
- chains unless overridden by the presence of /etc/shorewall/icmpdef
- or /etc/shorewall/common.
+ - /etc/shorewall/icmp.def and /etc/shorewall/common.def
+ are now used to define the icmpdef and
+common chains unless overridden by the presence
+ of /etc/shorewall/icmpdef or /etc/shorewall/common.
- - In the .lrp, the file /var/lib/lrpkg/shorwall.conf
- has been corrected. An extra space after
-"/etc/shorwall/policy" has been removed and "/etc/shorwall/rules"
- has been added.
+ - In the .lrp, the file /var/lib/lrpkg/shorwall.conf
+ has been corrected. An extra space after
+ "/etc/shorwall/policy" has been removed and "/etc/shorwall/rules"
+ has been added.
- - When a sub-shell encounters a fatal error
- and has stopped the firewall, it now kills the
- main shell so that the main shell will not continue.
+ - When a sub-shell encounters a fatal error
+ and has stopped the firewall, it now kills
+ the main shell so that the main shell will not continue.
- - A problem has been corrected where a sub-shell
- stopped the firewall and main shell continued
- resulting in a perplexing error message referring
- to "common.so" resulted.
+ - A problem has been corrected where a sub-shell
+ stopped the firewall and main shell continued
+ resulting in a perplexing error message referring
+ to "common.so" resulted.
- - Previously, placing "-" in the PORT(S)
-column in /etc/shorewall/rules resulted in an
+
- Previously, placing "-" in the PORT(S)
+ column in /etc/shorewall/rules resulted in an
error message during start. This has been corrected.
- - The first line of "install.sh" has been
-corrected -- I had inadvertently deleted the initial
+
- The first line of "install.sh" has been
+ corrected -- I had inadvertently deleted the initial
"#".
-
+
+
+4/12/2001 - The current version of Shorewall is 1.1.2. In this
+version
+
+
-4/12/2001 - The current version of Shorewall is 1.1.2. In this version
-
-
-
- - Port redirection now works again.
+ - Port redirection now works again.
- - The icmpdef and common chains The icmpdef and common chains may now be user-defined.
- - The firewall no longer fails to start if
- "routefilter" is specified for an interface that
- isn't started. A warning message is now issued
- in this case.
+ - The firewall no longer fails to start if
+ "routefilter" is specified for an interface that
+ isn't started. A warning message is now issued
+ in this case.
- - The LRP Version is renamed "shorwall" for
+
- The LRP Version is renamed "shorwall" for
8,3 MSDOS file system compatibility.
- - A couple of LRP-specific problems were corrected.
-
-
-
-
+ A couple of LRP-specific problems were corrected.
+
+
+
+
4/8/2001 - Shorewall is now affiliated with the Leaf Project 
-
+
-
+
4/5/2001 - The current version of Shorewall is 1.1.1. In this version:
-
+
- - The common chain is traversed from INPUT,
+
- The common chain is traversed from INPUT,
OUTPUT and FORWARD before logging occurs
- - The source has been cleaned up dramatically
+ - The source has been cleaned up dramatically
- - DHCP DISCOVER packets with RFC1918 source
- addresses no longer generate log messages. Linux
- DHCP clients generate such packets and it's
- annoying to see them logged.
-
-
-
-
+ DHCP DISCOVER packets with RFC1918 source
+ addresses no longer generate log messages. Linux
+ DHCP clients generate such packets and it's
+ annoying to see them logged.
+
+
+
+
3/25/2001 - The current version of Shorewall is 1.1.0. In this version:
-
+
- - Log messages now indicate the packet disposition.
+ - Log messages now indicate the packet disposition.
- - Error messages have been improved.
+ - Error messages have been improved.
- - The ability to define zones consisting of
- an enumerated set of hosts and/or subnetworks has
- been added.
+ - The ability to define zones consisting
+of an enumerated set of hosts and/or subnetworks
+ has been added.
- - The zone-to-zone chain matrix is now sparse
- so that only those chains that contain meaningful
- rules are defined.
+ - The zone-to-zone chain matrix is now sparse
+ so that only those chains that contain
+meaningful rules are defined.
- - 240.0.0.0/4 and 169.254.0.0/16 have been
- added to the source subnetworks whose packets
- are dropped under the norfc1918 interface
- option.
+ - 240.0.0.0/4 and 169.254.0.0/16 have been
+ added to the source subnetworks whose packets
+ are dropped under the norfc1918 interface
+ option.
- - Exits are now provided for executing an
- user-defined script when a chain is defined,
-when the firewall is initialized, when the firewall
- is started, when the firewall is stopped and when
-the firewall is cleared.
+ - Exits are now provided for executing an
+ user-defined script when a chain is defined,
+ when the firewall is initialized, when the firewall
+ is started, when the firewall is stopped and
+ when the firewall is cleared.
- - The Linux kernel's route filtering facility
- can now be specified selectively on network
- interfaces.
-
-
-
-
+ The Linux kernel's route filtering facility
+ can now be specified selectively on network
+ interfaces.
+
+
+
+
3/19/2001 - The current version of Shorewall is 1.0.4. This version:
-
+
- - Allows user-defined zones. Shorewall now
- has only one pre-defined zone (fw) with the remaining
- zones being defined in the new configuration
- file /etc/shorewall/zones. The /etc/shorewall/zones file
- released in this version provides behavior that
- is compatible with Shorewall 1.0.3.
+ - Allows user-defined zones. Shorewall now
+ has only one pre-defined zone (fw) with the remaining
+ zones being defined in the new configuration
+ file /etc/shorewall/zones. The /etc/shorewall/zones file
+ released in this version provides behavior that
+ is compatible with Shorewall 1.0.3.
- - Adds the ability to specify logging in entries
- in the /etc/shorewall/rules file.
+ - Adds the ability to specify logging in
+entries in the /etc/shorewall/rules file.
- - Correct handling of the icmp-def chain so
- that only ICMP packets are sent through the
+
- Correct handling of the icmp-def chain
+so that only ICMP packets are sent through the
chain.
- - Compresses the output of "shorewall monitor"
- if awk is installed. Allows the command to work
- if awk isn't installed (although it's not pretty).
-
-
-
-
+ Compresses the output of "shorewall monitor"
+ if awk is installed. Allows the command to work
+ if awk isn't installed (although it's not pretty).
-3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix
+
+
+
+
+
3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix
release with no new features.
-
+
- - The PATH variable in the firewall script
- now includes /usr/local/bin and /usr/local/sbin.
+ - The PATH variable in the firewall script
+ now includes /usr/local/bin and /usr/local/sbin.
- - DMZ-related chains are now correctly deleted
- if the DMZ is deleted.
+ - DMZ-related chains are now correctly deleted
+ if the DMZ is deleted.
- - The interface OPTIONS for "gw" interfaces
- are no longer ignored.
-
-
-
-
+ The interface OPTIONS for "gw" interfaces
+ are no longer ignored.
-3/8/2001 - The current version of Shorewall is 1.0.2. It supports an
- additional "gw" (gateway) zone for
- tunnels and it supports IPSEC tunnels with
- end-points on the firewall. There is also a .lrp available
+
+
+
+
+
3/8/2001 - The current version of Shorewall is 1.0.2. It supports an
+ additional "gw" (gateway) zone for
+ tunnels and it supports IPSEC tunnels with
+ end-points on the firewall. There is also a .lrp available
now.
-
-Updated 7/19/2003 - Tom Eastep
-
+
+Updated 7/22/2003 - Tom Eastep
+
-
+
Copyright © 2001, 2002 Thomas M. Eastep.
-
+
+