holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Shorewall 2.0.2d

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1373 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-05-28 17:24:32 +00:00
parent 1baf2f468f
commit 03153243eb
4 changed files with 294 additions and 219 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall-Website/Shorewall_index_frame.htm
View File

@ -38,7 +38,7 @@ Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<li><a href="useful_links.html">Useful Links</a></li>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
<li> <a href="shorewall_index.htm#Donations">Donations</a></li>
</ul>
<p><a href="copyright.htm"><font size="2">Copyright © 2001-2004 Thomas
M. Eastep.</font></a><br>

66
Shorewall-Website/Shorewall_sfindex_frame.htm
View File

@ -18,49 +18,38 @@
<tr>
<td width="100%" bgcolor="#ffffff">
<ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
<li style="font-weight: bold;"><a href="index.htm" target="_top">Home</a></li>
<li style="font-weight: bold;"><a href="download.htm">Download</a></li>
<li><a href="Install.htm"><span style="font-weight: bold;">Installation</span></a>
</li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li>
<li> <b><a href="Documentation_Index.html">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a>&nbsp; (<a
href="http://wiki.rettc.com/wiki.phtml?title=Wiki_Shorewall_FAQ"
<li><b><a href="Documentation_Index.html">Documentation</a></b></li>
<li><a href="FAQ.htm"><span style="font-weight: bold;">FAQ</span>s</a>&nbsp;
(<a href="http://wiki.rettc.com/wiki.phtml?title=Wiki_Shorewall_FAQ"
target="_top">Wiki</a>)</li>
<li><a href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm"><span
style="font-weight: bold;">Troubleshooting - </span>Things to try if
it doesn't
work</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm"><span style="font-weight: bold;">Support
- </span>Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br>
</li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
</ul>
</li>
<li><a href="troubleshoot.htm"><span style="font-weight: bold;">Troubleshooting</span></a></li>
<li><a href="support.htm"><span style="font-weight: bold;">Support</span></a></li>
</ul>
<ul>
<li> <a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it
Cannot Do</a> </li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li><a href="http://lists.shorewall.net">Mailing
Lists</a><a href="http://lists.shorewall.net"> </a> </li>
<li><a href="upgrade_issues.htm">Upgrade
Issues</a></li>
<li><a href="errata.htm">Errata</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a> </li>
<li> <a href="News.htm">News Archive</a></li>
<li> <a
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS
Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<ul>
</ul>
<li><a href="useful_links.html">Useful Links</a></li>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
<li> <a href="shorewall_index.htm#Donations">Donations</a></li>
</ul>
<ul>
</ul>
</td>
</tr>
@ -71,9 +60,10 @@ Repository</a></li>
</p>
<h1 align="center"><b><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"></a></b></h1>
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=1" title=""
style="border: 0px solid ; width: 88px; height: 31px;"></a></b></h1>
<br>
<b><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a></b></b>
This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a>
</body>
</html>

16
Shorewall-Website/download.htm
View File

@ -22,7 +22,7 @@ Texts. A copy of the license is included in the section entitled “<span
class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free
Documentation License</a></span>”.<br>
</p>
<p>2004-04-05<br>
<p>2004-05-18<br>
</p>
<hr style="width: 100%; height: 2px;">
<p><b>I strongly urge you to read and print a copy of the <a
@ -200,15 +200,11 @@ repository at cvs.shorewall.net</a> contains the latest snapshots of
the each Shorewall component. There's no guarantee that what you find
there will work at all.<br>
</p>
</blockquote>
<p align="left"><b>Shapshots:<br>
</b></p>
<blockquote>
<p align="left">Periodic snapshots from CVS may be found at <a
href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots</a>
(<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>).
These snapshots have undergone initial testing and will have been
installed and run at shorewall.net.<br>
<p align="left">The CVS repository also can be used to retreive the
latest released versions. <a
href="http://shorewall.net/pub/shorewall/contrib/makelrp.sh">Here is a
shell script</a> that allows you to create a .lrp file from the current
contents of the CVS Lrp2/ project.<br>
</p>
</blockquote>
</body>

429
Shorewall-Website/shorewall_index.htm
View File

@ -8,44 +8,77 @@
</head>
<body>
<div>
<table border="0" cellpadding="0" cellspacing="0" id="AutoNumber4"
style="border-collapse: collapse; width: 100%; height: 100%;">
<tbody>
<tr>
<td width="90%">
<h2>Introduction to Shorewall</h2>
<h3>This is the Shorewall 2.0 Web Site</h3>
<div style="margin-left: 40px;">The information on this site
<h1>Shorewall 2.0</h1>
<span style="font-weight: bold;">Tom Eastep</span><br>
<br>
The information on this site
applies only to 2.0.x releases of
Shorewall. For older versions:<br>
</div>
<ul>
<ul>
<li>The 1.4 site is <a href="http://www.shorewall.net/1.4"
<ul>
<li>The 1.4 site is <a href="http://www.shorewall.net/1.4"
target="_top">here.<br>
</a></li>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
</a></li>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.</li>
</ul>
</ul>
<h3>Glossary</h3>
<ul>
<li><a href="http://www.netfilter.org" target="_top">Netfilter</a>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/" target="_top">here</a>.</li>
</ul>
Copyright © 2001-2004 Thomas M. Eastep<br>
<div>
<div class="legalnotice">
<p>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation;
with no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled “<span
class="quote"><a
href="file:///vfat/Ursa/Shorewall/Shorewall-Website/GnuCopyright.htm"
target="_self">GNU Free
Documentation License</a></span>”.</p>
</div>
</div>
<div>
<p class="pubdate">2004-05-28<br>
</p>
<hr style="width: 100%; height: 2px;"></div>
<h3>Table of Contents</h3>
<div style="margin-left: 40px;"><a href="#Intro">Introduction to
Shorewall</a><br>
<div style="margin-left: 40px;"><a href="#Glossary">Glossary</a><br>
<a href="#WhatIs">What is Shorewall?</a><br>
<a href="#GettingStarted">Getting Started with Shorewall</a><br>
<a href="#Info">Looking for Information?</a><br>
<a href="#Mandrake">Running Shorewall on Mandrake® with a
two-interface setup?</a><br>
<a href="#License">License</a><br>
</div>
<a href="#News">News</a><br>
<div style="margin-left: 40px;"><a href="#2_0_2d">Shorewall 2.0.2d</a><br>
<a href="#2_0_2c">Shorewall 2.0.2c</a><br>
<a href="#2_0_2b">Shorewall 2.0.2b</a><br>
<a href="#2_0_2a">Shorewall 2.0.2a</a><br>
<a href="#2_0_2">Shorewall 2.0.2</a><br>
<a href="#LinuxFest">Presentation at LinuxFest NW</a><br>
</div>
<a href="#Leaf">Leaf</a><br>
<a href="#Donations">Donations</a><br>
</div>
<h2><a name="Intro"></a>Introduction to Shorewall</h2>
<h3><a name="Glossary"></a>Glossary</h3>
<ul>
<li><a href="http://www.netfilter.org" target="_top">Netfilter</a>
- the
packet filter facility built into the 2.4 and later Linux kernels.</li>
<li>ipchains - the packet filter facility built into the 2.2
<li>ipchains - the packet filter facility built into the 2.2
Linux kernels. Also the name of the utility program used to configure
and control that facility. Netfilter can be used in ipchains
compatibility mode.</li>
<li>iptables - the utility program used to configure and
<li>iptables - the utility program used to configure and
control Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in ipchains
compatibility mode).</li>
</ul>
<h3>What is Shorewall?</h3>
<div style="margin-left: 40px;">The Shoreline Firewall, more
</ul>
<h3><a name="WhatIs"></a>What is Shorewall?</h3>
<div style="margin-left: 40px;">The Shoreline Firewall, more
commonly known as "Shorewall", is
a high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of configuration
@ -59,223 +92,273 @@ and can thus take advantage of Netfilter's <a
target="_top">connection
state tracking
capabilities</a>.<br>
<br>
<br>
Shorewall is <span style="text-decoration: underline;">not</span> a
daemon. Once Shorewall has configured Netfilter, it's job is complete.
After that, there is no Shorewall code running although the <a
href="starting_and_stopping_shorewall.htm">/sbin/shorewall
program can be used at any time to monitor the Netfilter firewall</a>.<br>
</div>
<h3>Getting Started with Shorewall</h3>
<div style="margin-left: 40px;">New to Shorewall? Start by
</div>
<h3><a name="GettingStarted"></a>Getting Started with Shorewall</h3>
<div style="margin-left: 40px;">New to Shorewall? Start by
selecting the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
that most
closely match your environment and follow the step by step instructions.<br>
</div>
<h3>Looking for Information?</h3>
<div style="margin-left: 40px;">The <a
href="Documentation_Index.html">Documentation
closely matches your environment and follow the step by step
instructions.<br>
</div>
<h3><a name="Info"></a>Looking for Information?</h3>
<div style="margin-left: 40px;">The <a href="Documentation_Index.html">Documentation
Index</a> is a good place to start as is the Quick Search in the frame
above. </div>
<h3>Running Shorewall on Mandrake® with a two-interface setup?</h3>
<div style="margin-left: 40px;">If so, the documentation on this
<h3><a name="Mandrake"></a>Running Shorewall on Mandrake® with a
two-interface setup?</h3>
<div style="margin-left: 40px;">If so, the documentation on this
site will not apply directly
to your setup. If you want to use the documentation that you find here,
you will want to consider uninstalling what you have and installing a
setup that matches the documentation on this site. See the <a
href="two-interface.htm">Two-interface QuickStart Guide</a> for
details.<br>
<br>
<span style="font-weight: bold;">Update: </span>I've been
<br>
<span style="font-weight: bold;">Update: </span>I've been
informed by Mandrake Development that this problem has been corrected
in Mandrake 10.0 Final (the problem still exists in the 10.0 Community
release).<br>
</div>
<h3>License</h3>
<div style="margin-left: 40px;">This program is free software;
</div>
<h3><a name="License"></a>License</h3>
<div style="margin-left: 40px;">This program is free software;
you can redistribute it and/or modify it
under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
</div>
<p style="margin-left: 40px;">This program is distributed in the
</div>
<p style="margin-left: 40px;">This program is distributed in the
hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more detail.</p>
<div style="margin-left: 40px;"> </div>
<p style="margin-left: 40px;">You should have received a copy of
<div style="margin-left: 40px;"> </div>
<p style="margin-left: 40px;">You should have received a copy of
the GNU General Public
License along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<div style="margin-left: 40px;">Permission is granted to copy,
<div style="margin-left: 40px;">Permission is granted to copy,
distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2 or
any later version published by the Free Software Foundation; with no
Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
A copy of the license is included in the section entitled <a>"GNU Free
Documentation License"</a>. </div>
<p>Copyright © 2001-2004 Thomas M. Eastep </p>
<hr style="width: 100%; height: 2px;">
<h2>News</h2>
<p><b>5/13/2004 - Shorewall 2.0.2</b><b> </b><b> <img
alt="(New)" src="images/new10.gif"
style="border: 0px solid ; width: 28px; height: 12px;" title=""></b></p>
<p>Problems Corrected since 2.0.1<br>
</p>
<ol>
<li>The /etc/init.d/shorewall script installed on Debian by
<p> </p>
<hr style="width: 100%; height: 2px;">
<h2><a name="News"></a>News</h2>
<p><b><a name="2_0_2d"></a>5/28/2004 - Shorewall 2.0.2d<br>
</b><br>
One problem corrected:<br>
</p>
<ol>
<li>Shorewall was checking capabilities before loading kernel
modules. Consequently, if kernel module autoloading was disabled, the
capabilities were mis-detected.<br>
</li>
</ol>
<p><b><a name="2_0_2c"></a>5/21/2004 - Shorewall 2.0.2c</b></p>
One problem corrected:<br>
<ol>
<li>&nbsp;DNAT rules with a dynamic source zone don't work
properly. When used, these rules cause the rule to be checked against
ALL input,&nbsp; not just input from the designated zone.<br>
</li>
</ol>
<p><b><a name="2_0_2b"></a>5/18/2004 - Shorewall 2.0.2b</b><b>&nbsp;</b></p>
<p>Corrects two problems:</p>
<ol>
<li>Specifying a null common action in /etc/shorewall/actions
(e.g., :REJECT) results in a startup error.<br>
<br>
</li>
<li>If /var/lib/shorewall does not exist, shorewall start fails.<br>
</li>
</ol>
<p><b><a name="2_0_2a"></a>5/15/2004 - Shorewall 2.0.2a</b><b> </b><br>
</p>
<p>Corrects two problems:<br>
</p>
<ol>
<li>Temporary restore files were not being removed from
/var/lib/shorewall. These files have names of the form
'restore-nnnnn'.&nbsp;
You can remove files that have accumulated with the command: <br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;rm -f /var/lib/shorewall/restore-[0-9]* <br>
<br>
</li>
<li>The restore script did not load kernel modules. The result
was that after a cold load, applications like FTP and IRC DCC didn't
work. <br>
<br>
To correct: <br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;1) Install 2.0.2a <br>
&nbsp;&nbsp;&nbsp;&nbsp;2) "shorewall restart" <br>
&nbsp;&nbsp;&nbsp;&nbsp;3) "shorewall save" </li>
</ol>
<p><b><a name="2_0_2"></a>5/13/2004 - Shorewall 2.0.2</b><b>&nbsp;</b></p>
<p>Problems Corrected since 2.0.1<br>
</p>
<ol>
<li>The /etc/init.d/shorewall script installed on Debian by
install.sh failed silently due to a missing file
(/usr/share/shorewall/wait4ifup). That file is not part of the normal
Shorewall distribution and is provided by the Debian maintainer.</li>
<li>A meaningless warning message out of the proxyarp file
<li>A meaningless warning message out of the proxyarp file
processing has been eliminated.</li>
<li>The "shorewall delete" command now correctly removes all
<li>The "shorewall delete" command now correctly removes all
dynamic rules pertaining to the host(s) being deleted. Thanks to Stefan
Engel for this correction.</li>
</ol>
Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:<br>
<ol>
<li>Extension Scripts -- In order for extension scripts to work
</ol>
Issues when migrating from Shorewall 2.0.1 to Shorewall 2.0.2:<br>
<ol>
<li>Extension Scripts -- In order for extension scripts to work
properly with the new iptables-save/restore integration (see New
Feature 1 below), some change may be required to your extension
scripts. If your extension scripts are executing commands other than
iptables then those commands must also be written to the restore file
(a temporary file in /var/lib/shorewall that is renamed
/var/lib/shorewall/restore-base at the end of the operation).<br>
<br>
<br>
The following functions should be of help:<br>
<br>
<br>
A. save_command() -- saves the passed command to the restore file.<br>
<br>
<br>
&nbsp;&nbsp;&nbsp; Example:<br>
<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; save_command echo Operation
Complete<br>
<br>
<br>
&nbsp;&nbsp; That command would simply write "echo Operation Complete"
to the restore file.<br>
<br>
<br>
B. run_and_save_command() -- saves the passed command to the restore
file then executes it. The return value is the exit status of the
command.<br>
<br>
<br>
&nbsp; &nbsp; Example:<br>
<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; run_and_save_command "echo 1 &gt;
/proc/sys/net/ipv4/icmp_echo_ignore_all"<br>
<br>
<br>
&nbsp;&nbsp;&nbsp; Note that as in this example, when the command
involves file redirection then the entire command must be enclosed in
quotes. This applies to all of the functions described here.<br>
<br>
<br>
C. ensure_and_save_command() -- runs the passed command. If the command
fails, the firewall is restored to it's prior saved state and the
operation is terminated. If the command succeeds, the command is
written to the restore file.<br>
<br>
</li>
<li>Dynamic Zone support -- If you don't need to use the
<br>
</li>
<li>Dynamic Zone support -- If you don't need to use the
"shorewall add" and "shorewall delete commands, you should set
DYNAMIC_ZONES=No in /etc/shorewall/shorewall.conf.</li>
</ol>
</ol>
New Features:<br>
<ol>
<li>Shorewall has now been integrated with
<ol>
<li>Shorewall has now been integrated with
iptables-save/iptables-restore to provide very fast start and restart.
The elements of this integration are as follows:<br>
<br>
<br>
a) The 'shorewall save' command now saves the current configuration in
addition to the current dynamic blacklist. If you have dynamic zones,
you will want to issue 'shorewall save' when the zones are empty or the
current contents of the zones will be restored by the 'shorewall
restore' and 'shorewall -f start' commands.<br>
<br>
<br>
b) The 'shorewall restore' command has been added. This command
restores the configuration at the time of the last 'save'.<br>
<br>
<br>
c) The -f (fast) option has been added to 'shorewall start'. When
specified (e.g. 'shorewall -f start'), shorewall will perform a
'shorewall restore' if there is a saved configuration. If there is no
saved configuration, a normal 'shorewall start' is performed.<br>
<br>
<br>
d) The /etc/init.d/shorewall script now translates the 'start' command
into 'shorewall -f start' so that fast restart is possible.<br>
<br>
<br>
e) When a state-changing command encounters an error and there is
current saved configuration, that configuration will be restored
(currently, the firewall is placed in the 'stopped' state).<br>
<br>
<br>
f) If you have previously saved the running configuration and want
Shorewall to discard it, use the 'shorewall forget' command. WARNING:
iptables 1.2.9 is broken with respect to iptables-save; if your kernel
has connection tracking match support, you must patch iptables 1.2.9
with the iptables patch availale from the Shorewall errata page.<br>
<br>
</li>
<li>The previous implementation of dynamic zones was difficult
<br>
</li>
<li>The previous implementation of dynamic zones was difficult
to maintain. I have changed the code to make dynamic zones optional
under the control of the DYNAMIC_ZONES option in
/etc/shorewall/shorewall.conf.<br>
<br>
</li>
<li>In earlier Shorewall 2.0 releases, Shorewall searches in
<br>
</li>
<li>In earlier Shorewall 2.0 releases, Shorewall searches in
order the following directories for configuration files.<br>
<br>
<br>
a) The directory specified in a 'try' command or specified using the -c
option.<br>
b) /etc/shorewall<br>
c) /usr/share/shorewall<br>
<br>
<br>
In this release, the CONFIG_PATH option is added to shorewall.conf.
CONFIG_PATH contains a list of directory names separated by colons
(":"). If not set or set to a null value (e.g., CONFIG_PATH="") then
"CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed. Now
Shorewall searches for shorewall.conf according to the old rules and
for other configuration files as follows:<br>
<br>
<br>
a) The directory specified in a 'try' command or specified using the -c
option.<br>
b) Each directory in $CONFIG_PATH is searched in sequence.<br>
<br>
<br>
In case it is not obvious, your CONFIG_PATH should include
/usr/share/shorewall and your shorewall.conf file must be in the
directory specified via -c or in a try command, in /etc/shorewall or in
/usr/share/shorewall.<br>
<br>
<br>
For distribution packagers, the default CONFIG_PATH is set in
/usr/share/shorewall/configpath. You can customize this file to have a
default that differs from mine.<br>
<br>
</li>
<li>Previously, in /etc/shorewall/nat a Yes (or yes) in the
<br>
</li>
<li>Previously, in /etc/shorewall/nat a Yes (or yes) in the
LOCAL column would only take effect if the ALL INTERFACES column also
contained Yes or yes. Now, the LOCAL columns contents are treated
independently of the contents of the ALL INTERFACES column.<br>
<br>
</li>
<li>The folks at Mandrake have created yet another kernel
<br>
</li>
<li>The folks at Mandrake have created yet another kernel
module naming convention (module names end in "ko.gz"). As a
consequence, beginning with this release, if MODULE_SUFFIX isn't
specified in shorewall.conf, then the default value is "o gz ko o.gz
ko.gz".<br>
<br>
</li>
<li>An updated bogons file is included in this release.<br>
<br>
</li>
<li>In /etc/shorewall/rules and in action files generated from
<br>
</li>
<li>An updated bogons file is included in this release.<br>
<br>
</li>
<li>In /etc/shorewall/rules and in action files generated from
/usr/share/shorewall/action.template, rules that perform logging can
specify an optional "log tag". A log tag is a string of alphanumeric
characters and is specified by following the log level with ":" and the
log tag.<br>
<br>
<br>
Example:<br>
<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT:info:ftp
net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp;&nbsp; 21<br>
<br>
<br>
The log tag is appended to the log prefix generated by the LOGPREFIX
variable in /etc/shorewall/conf. If "ACCEPT:info" generates the log
prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will generate
@ -283,122 +366,128 @@ prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will generate
length of a log prefix supported by iptables is 29 characters; if a
larger prefix is generated, Shorewall will issue a warning message and
will truncate the prefix to 29 characters.<br>
<br>
</li>
<li>A new "-q" option has been added to /sbin/shorewall
<br>
</li>
<li>A new "-q" option has been added to /sbin/shorewall
commands. It causes the start, restart, check and refresh commands to
produce much less output so that warning messages are more visible
(when testing this change, I discovered a bug where a bogus warning
message was being generated).<br>
<br>
</li>
<li>Shorewall now uses 'modprobe' to load kernel modules if
<br>
</li>
<li>Shorewall now uses 'modprobe' to load kernel modules if
that utility is available in the PATH; otherwise, 'insmod' is used.<br>
<br>
</li>
<li>It is now possible to restrict entries in the
<br>
</li>
<li>It is now possible to restrict entries in the
/etc/shorewall/masq file to particular protocols and destination
port(s). Two new columns (PROTO and PORT(S)) have been added to the
file.<br>
<br>
<br>
Example:<br>
<br>
<br>
You want all outgoing SMTP traffic entering the firewall on eth1 to be
sent from eth0 with source IP address 206.124.146.177. You want all
other outgoing traffic from eth1 to be sent from eth0 with source IP
address 206.124.146.176.<br>
<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp;
eth1&nbsp;&nbsp;&nbsp; 206.124.146.177 tcp&nbsp;&nbsp;&nbsp;&nbsp; 25<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp;
eth1&nbsp;&nbsp;&nbsp; 206.124.146.176<br>
<br>
<br>
THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!<br>
<br>
<br>
Assuming that 10.0.0.0/8 is the only host/network connected to eth1,
the progress message at "shorewall start" would be:<br>
<br>
<br>
&nbsp;&nbsp;&nbsp; Masqueraded Networks and Hosts:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To 0.0.0.0/0 (tcp 25) from
10.0.0.0/8 through eth0 using 206.124.146.177<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To 0.0.0.0/0 (all) from 10.0.0.0/8
through eth0 using 206.124.146.176<br>
<br>
</li>
<li>Two new actions are available in the /etc/shorewall/rules
<br>
</li>
<li>Two new actions are available in the /etc/shorewall/rules
file.<br>
<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT+&nbsp;&nbsp;&nbsp; -- Behaves like ACCEPT
with the exception that it exempts matching connections from subsequent
DNAT[-] and REDIRECT[-] rules.<br>
&nbsp;&nbsp;&nbsp; NONAT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- Exempts
matching connections from subsequent DNAT[-] and REDIRECT[-] rules.<br>
<br>
</li>
<li>A new extension script 'initdone' has been added. This
<br>
</li>
<li>A new extension script 'initdone' has been added. This
script is invoked at the same point as the 'common' script was
previously and is useful for users who mis-used that script under
Shorewall 1.x (the script was intended for adding rules to the 'common'
chain but many users treated it as a script for adding rules before
Shorewall's).<br>
<br>
</li>
<li>Installing/Upgrading Shorewall on Slackware has been
<br>
</li>
<li>Installing/Upgrading Shorewall on Slackware has been
improved. Slackware users must use the tarball and must modify settings
in the install.sh script before running it as follows:<br>
<br>
<br>
&nbsp;&nbsp;&nbsp; DEST="/etc/rc.d"<br>
&nbsp;&nbsp;&nbsp; INIT="rc.firewall"<br>
<br>
<br>
Thanks to Alex Wilms for helping with this change.<br>
</li>
</ol>
<p><b>4/17/2004 - Presentation at LinuxFest NW</b><b><br>
</b></p>
<p>Today I gave a presentation at LinuxFest NW in Bellingham. The
</li>
</ol>
<p><b><a name="LinuxFest"></a>4/17/2004 - Presentation at
LinuxFest NW</b><b><br>
</b></p>
<p>Today I gave a presentation at LinuxFest NW in Bellingham. The
presentation was entitled "<a
href="http://lists.shorewall.net/Shorewall_and_the_Enterprise.htm"
target="_blank">Shorewall
and the Enterprise</a>" and described the history of Shorewall and gave
an overview of its features.<br>
</p>
<ol>
</ol>
<p><a href="News.htm">More News</a></p>
<hr style="width: 100%; height: 2px;">
<p><a href="http://leaf.sourceforge.net" target="_top"><img
</p>
<ol>
</ol>
<p><a href="News.htm">More News</a></p>
<hr style="width: 100%; height: 2px;">
<h2><a name="Leaf"></a>Leaf<br>
</h2>
<p><a href="http://leaf.sourceforge.net" target="_top"><img
alt="(Leaf Logo)"
style="border: 0px solid ; height: 36px; width: 49px;"
src="images/leaflogo.gif" title=""></a> LEAF is an open source project
which provides a Firewall/router on a floppy, CD or CF. Several LEAF
distributions including Bering and Bering-uCLib use Shorewall as their
distributions including Bering and Bering-uClibc use Shorewall as their
Netfilter configuration tool.<br>
</p>
<div>
<div style="text-align: center;"> </div>
</div>
<hr style="width: 100%; height: 2px;">
<h2><a name="Donations"></a>Donations<br>
</h2>
<p style="text-align: left;"> <big><a href="http://www.alz.org"
</p>
<div>
<div style="text-align: center;"> </div>
</div>
<hr style="width: 100%; height: 2px;">
<h2><a name="Donations"></a>Donations
</h2>
<p style="text-align: left;"> </p>
<p style="text-align: left;"><big><a href="http://www.alz.org"
target="_top"><img src="images/alz_logo2.gif" title=""
alt="(Alzheimer's Association Logo)"
style="border: 0px solid ; width: 300px; height: 60px;" align="left"></a>Shorewall
style="border: 0px solid ; width: 300px; height: 60px;" align="left"></a></big></p>
<h2><big><a href="http://www.starlight.org" target="_top"><img
src="images/newlog.gif" title="" alt="(Starlight Foundation Logo)"
style="border: 0px solid ; width: 59px; height: 102px;" align="left"></a></big></h2>
<p style="text-align: left;"><big>Shorewall
is free but
if you
try it and find it useful,
please consider making a donation to the <a href="http://www.alz.org/"
target="_top">Alzheimer's Association</a>. Thanks!</big> </p>
</td>
</tr>
<tr>
<td style="vertical-align: top;"> <br>
</td>
</tr>
</tbody>
</table>
target="_top">Alzheimer's Association</a> or to the <a
href="http://www.starlight.org" target="_top">Starlight Children's
Foundation</a>.<br>
</big></p>
<p style="text-align: left;"><big>Thanks<br>
<br>
</big></p>
<p style="text-align: left;"><big><br>
</big> </p>
</div>
<p><font size="2">Updated 05/10/2004 - <a href="support.htm">Tom Eastep</a></font><br>
</p>
</body>
</html>