forked from extern/shorewall_code
Update the errata to advertise a new rfc1918 file
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1014 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
526dfa2218
commit
09e8bd4a95
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2003-12-17</pubdate>
|
<pubdate>2003-12-28</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2003</year>
|
<year>2001-2003</year>
|
||||||
@ -67,6 +67,15 @@
|
|||||||
<section>
|
<section>
|
||||||
<title>Problems in Version 1.4</title>
|
<title>Problems in Version 1.4</title>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>All Versions</title>
|
||||||
|
|
||||||
|
<para><ulink
|
||||||
|
url="http://shorewall.net/pub/shorewall/errata/1.4.8/rfc1918">Here</ulink>
|
||||||
|
is the most up to date version of the <ulink
|
||||||
|
url="Documentation.htm#rfc1918">rfc1918 file</ulink>.</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Shorewall 1.4.8</title>
|
<title>Shorewall 1.4.8</title>
|
||||||
|
|
||||||
@ -424,4 +433,12 @@ Aborted (core dumped)</programlisting>
|
|||||||
kernel patch and precompiled modules to fix this problem are available at
|
kernel patch and precompiled modules to fix this problem are available at
|
||||||
<ulink url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink>.</para>
|
<ulink url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink>.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<appendix>
|
||||||
|
<title>Revision History</title>
|
||||||
|
|
||||||
|
<para><revhistory><revision><revnumber>1.2</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Updated
|
||||||
|
RFC1918 file</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-17</date><authorinitials>TE</authorinitials><revremark>Initial
|
||||||
|
Conversion to Docbook XML</revremark></revision></revhistory></para>
|
||||||
|
</appendix>
|
||||||
</article>
|
</article>
|
@ -60,9 +60,9 @@
|
|||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>One-to-one NAT for Ursa (my XP System that dual-boots Mandrake
|
<para>One-to-one NAT for Ursa (my personal system that dual-boots
|
||||||
9.2) - Internal address 192.168.1.5 and external address
|
Mandrake 9.2 and Windows XP) - Internal address 192.168.1.5 and
|
||||||
206.124.146.178.</para>
|
external address 206.124.146.178.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -71,18 +71,18 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>SNAT through 206.124.146.179 for  my Linux system
|
<para>SNAT through 206.124.146.179 for  my SuSE 8.1 Linux
|
||||||
(Wookie), my Wife's system (Tarry), and our  laptop
|
system (Wookie), my Wife's Windows XP system (Tarry), and
|
||||||
(Tipper) which connects through the Wireless Access Point (wap) via a
|
our  Windows XP laptop (Tipper) which connects through the
|
||||||
Wireless Bridge (bridge).<note><para>While the distance between the
|
Wireless Access Point (wap) via a Wireless Bridge (bridge).<note><para>While
|
||||||
WAP and where I usually use the laptop isn't very far (25 feet or
|
the distance between the WAP and where I usually use the laptop
|
||||||
so), using a WAC11 (CardBus wireless card) has proved very
|
isn't very far (25 feet or so), using a WAC11 (CardBus wireless
|
||||||
unsatisfactory (lots of lost connections). By replacing the WAC11 with
|
card) has proved very unsatisfactory (lots of lost connections). By
|
||||||
the WET11 wireless bridge, I have virtually eliminated these problems
|
replacing the WAC11 with the WET11 wireless bridge, I have virtually
|
||||||
(Being an old radio tinkerer (K7JPV), I was also able to eliminate the
|
eliminated these problems (Being an old radio tinkerer (K7JPV), I was
|
||||||
disconnects by hanging a piece of aluminum foil on the family room
|
also able to eliminate the disconnects by hanging a piece of aluminum
|
||||||
wall. Needless to say, my wife Tarry rejected that as a permanent
|
foil on the family room wall. Needless to say, my wife Tarry rejected
|
||||||
solution :-).</para></note></para>
|
that as a permanent solution :-).</para></note></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
|
@ -1,276 +1,397 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
|
||||||
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
||||||
<html>
|
<html>
|
||||||
<head>
|
<head>
|
||||||
<meta content="HTML Tidy, see www.w3.org" name="generator" />
|
<meta content="HTML Tidy, see www.w3.org" name="generator">
|
||||||
|
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
|
||||||
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" />
|
<title>Shoreline Firewall (Shorewall) 1.4</title>
|
||||||
|
<base target="_self">
|
||||||
<title>Shoreline Firewall (Shorewall) 1.4</title>
|
</head>
|
||||||
|
<body>
|
||||||
<base target="_self" />
|
<div>
|
||||||
</head>
|
<table border="0" cellpadding="0" cellspacing="0" id="AutoNumber4"
|
||||||
|
style="border-collapse: collapse; width: 100%; height: 100%;">
|
||||||
<body><div align="center"> <center> <table border="0" cellpadding="0"
|
<tbody>
|
||||||
cellspacing="0" id="AutoNumber4"
|
<tr>
|
||||||
style="border-collapse: collapse; width: 100%; height: 100%;"><tbody><tr><td
|
<td width="90%">
|
||||||
width="90%"><h2>Site Problem</h2> The server that normally hosts
|
<h2>Introduction to Shorewall</h2>
|
||||||
www.shorewall.net and ftp.shorewall.net is currently down. Until it is back
|
<h3>This is the Shorewall 1.4 Web Site</h3>
|
||||||
up, a small server with very limited bandwidth is being used temporarly. You
|
The information on this site applies only to 1.4.x releases of
|
||||||
will likely experience better response time from the <a
|
Shorewall. For older versions:<br>
|
||||||
href="http://shorewall.sourceforge.net" target="_top">Sourceforge site</a>
|
<ul>
|
||||||
or from one of the other <a href="shorewall_mirrors.htm">mirrors</a>. Sorry
|
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
|
||||||
for the inconvenience.<br /> <br /> <h2>Introduction to Shorewall</h2>
|
target="_top">here.</a></li>
|
||||||
<h3>This is the Shorewall 1.4 Web Site</h3> The information on this site
|
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
|
||||||
applies only to 1.4.x releases of Shorewall. For older versions:<br />
|
target="_top">here</a>.</li>
|
||||||
<ul><li>The 1.3 site is <a href="http://www.shorewall.net/1.3" target="_top">here.</a></li><li>The
|
</ul>
|
||||||
1.2 site is <a href="http://shorewall.net/1.2/" target="_top">here</a>.</li></ul>
|
<h3>Glossary</h3>
|
||||||
<h3>Glossary</h3> <ul><li><a href="http://www.netfilter.org">Netfilter</a> -
|
<ul>
|
||||||
the packet filter facility built into the 2.4 and later Linux kernels.</li><li>ipchains
|
<li><a href="http://www.netfilter.org">Netfilter</a> - the
|
||||||
- the packet filter facility built into the 2.2 Linux kernels. Also the name
|
packet filter facility built into the 2.4 and later Linux kernels.</li>
|
||||||
of the utility program used to configure and control that facility.
|
<li>ipchains - the packet filter facility built into the 2.2
|
||||||
Netfilter can be used in ipchains compatibility mode.</li><li>iptables - the
|
Linux kernels. Also the name of the utility program used to configure
|
||||||
utility program used to configure and control Netfilter. The term
|
and control that facility. Netfilter can be used in ipchains
|
||||||
'iptables' is often used to refer to the combination of
|
compatibility mode.</li>
|
||||||
iptables+Netfilter (with Netfilter not in ipchains compatibility mode).</li></ul>
|
<li>iptables - the utility program used to configure and
|
||||||
<h3>What is Shorewall?</h3> The Shoreline Firewall, more commonly known as
|
control Netfilter. The term 'iptables' is often used to refer to the
|
||||||
"Shorewall", is high-level tool for configuring Netfilter. You
|
combination of iptables+Netfilter (with Netfilter not in ipchains
|
||||||
describe your firewall/gateway requirements using entries in a set of
|
compatibility mode).</li>
|
||||||
configuration files. Shorewall reads those configuration files and with the
|
</ul>
|
||||||
help of the iptables utility, Shorewall configures Netfilter to match your
|
<h3>What is Shorewall?</h3>
|
||||||
requirements. Shorewall can be used on a dedicated firewall system, a
|
The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||||
multi-function gateway/router/server or on a standalone GNU/Linux system.
|
high-level tool for configuring Netfilter. You describe your
|
||||||
Shorewall does not use Netfilter's ipchains compatibility mode and can
|
firewall/gateway requirements using entries in a set of configuration
|
||||||
thus take advantage of Netfilter's connection state tracking
|
files. Shorewall reads those configuration files and with the help of
|
||||||
capabilities.<br /> <br /> Shorewall is <span
|
the iptables utility, Shorewall configures Netfilter to match your
|
||||||
style="text-decoration: underline;">not</span> a daemon. Once Shorewall has
|
requirements. Shorewall can be used on a dedicated firewall system, a
|
||||||
configured Netfilter, it's job is complete although the <a
|
multi-function gateway/router/server or on a standalone GNU/Linux
|
||||||
href="starting_and_stopping_shorewall.htm">/sbin/shorewall program can be
|
system. Shorewall does not use Netfilter's ipchains compatibility mode
|
||||||
used at any time to monitor the Netfilter firewall</a>.<br /> <h3>Getting
|
and can thus take advantage of Netfilter's connection state tracking
|
||||||
Started with Shorewall</h3> New to Shorewall? Start by selecting the <a
|
capabilities.<br>
|
||||||
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
|
<br>
|
||||||
match your environment and follow the step by step instructions.<br />
|
Shorewall is <span style="text-decoration: underline;">not</span> a
|
||||||
<h3>Looking for Information?</h3> The <a
|
daemon. Once Shorewall has configured Netfilter, it's job is complete
|
||||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a>
|
although the <a href="starting_and_stopping_shorewall.htm">/sbin/shorewall
|
||||||
is a good place to start as is the Quick Search in the frame above.
|
program can be used at any time to monitor the Netfilter firewall</a>.<br>
|
||||||
<h3>License</h3> This program is free software; you can redistribute it
|
<h3>Getting Started with Shorewall</h3>
|
||||||
and/or modify it under the terms of <a
|
New to Shorewall? Start by selecting the <a
|
||||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
|
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
|
||||||
Public License</a> as published by the Free Software Foundation.<br />
|
closely match your environment and follow the step by step instructions.<br>
|
||||||
<p>This program is distributed in the hope that it will be useful, but
|
<h3>Looking for Information?</h3>
|
||||||
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
||||||
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
|
Index</a> is a good place to start as is the Quick Search in the frame
|
||||||
more detail.</p> <p>You should have received a copy of the GNU General
|
above.
|
||||||
Public License along with this program; if not, write to the Free Software
|
<h3>License</h3>
|
||||||
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> Permission is
|
This program is free software; you can redistribute it and/or modify it
|
||||||
granted to copy, distribute and/or modify this document under the terms of
|
under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
||||||
the GNU Free Documentation License, Version 1.2 or any later version
|
2 of the GNU General Public License</a> as published by the Free
|
||||||
published by the Free Software Foundation; with no Invariant Sections, with
|
Software Foundation.<br>
|
||||||
no Front-Cover, and with no Back-Cover Texts. A copy of the license is
|
<p>This program is distributed in the hope that it will be
|
||||||
included in the section entitled <a>"GNU Free Documentation License"</a>.<p>Copyright
|
useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
© 2001-2003 Thomas M. Eastep </p> <h3>Running Shorewall on Mandrake with a
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
two-interface setup?</h3> If so, the documentation <b></b>on this site will
|
General Public License for more detail.</p>
|
||||||
not apply directly to your setup. If you want to use the documentation that
|
<p>You should have received a copy of the GNU General Public
|
||||||
you find here, you will want to consider uninstalling what you have and
|
License along with this program; if not, write to the Free Software
|
||||||
installing a setup that matches the documentation on this site. See the <a
|
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
||||||
href="two-interface.htm">Two-interface QuickStart Guide</a> for details.<br />
|
Permission is granted to copy, distribute and/or modify this document
|
||||||
<h2>News</h2> <p><b>12/07/2003 - Shorewall 1.4.9 Beta 1</b> <b><img
|
under the terms of the GNU Free Documentation License, Version 1.2 or
|
||||||
alt="(New)" src="images/new10.gif"
|
any later version published by the Free Software Foundation; with no
|
||||||
style="border: 0px solid ; width: 28px; height: 12px;" title="" /> </b></p>
|
Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
|
||||||
<div style="margin-left: 40px;"><a
|
A copy of the license is included in the section entitled <a>"GNU Free
|
||||||
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br />
|
Documentation License"</a>.
|
||||||
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a>
|
<p>Copyright © 2001-2003 Thomas M. Eastep </p>
|
||||||
</div> <p>Problems Corrected since version 1.4.8:</p> <ol><li>There has been
|
<h3>Running Shorewall on Mandrake with a two-interface setup?</h3>
|
||||||
a low continuing level of confusion over the terms "Source NAT"
|
If so, the documentation <b></b>on this site will not apply directly
|
||||||
(SNAT) and "Static NAT". To avoid future confusion, all instances of
|
to your setup. If you want to use the documentation that you find here,
|
||||||
"Static NAT" have been replaced with "One-to-one NAT" in the
|
you will want to consider uninstalling what you have and installing a
|
||||||
documentation and configuration files.</li><li>The description of NEWNOTSYN
|
setup that matches the documentation on this site. See the <a
|
||||||
in shorewall.conf has been reworded for clarity.</li><li>Wild-card rules
|
href="two-interface.htm">Two-interface QuickStart Guide</a> for
|
||||||
(those involving "all" as SOURCE or DEST) will no longer produce an
|
details.<br>
|
||||||
error if they attempt to add a rule that would override a NONE policy. The
|
<h2>News</h2>
|
||||||
logic for expanding these wild-card rules now simply skips those
|
<p><b>12/28/2003 - www.shorewall.net/ftp.shorewall.net Back
|
||||||
(SOURCE,DEST) pairs that have a NONE policy.</li></ol> <p>Migration Issues:<br />
|
On-line</b> <b><img alt="(New)" src="images/new10.gif"
|
||||||
    None.<br /> <br /> New Features: </p> <ol><li>To
|
style="border: 0px solid ; width: 28px; height: 12px;" title=""> <br>
|
||||||
cut down on the number of "Why are these ports closed rather than
|
</b></p>
|
||||||
stealthed?" questions, the SMB-related rules in
|
<p>Our high-capacity server has been restored to service --
|
||||||
/etc/shorewall/common.def have been changed from 'reject' to
|
please let <a href="mailto:webmaster@shorewall.net">us</a> know if you
|
||||||
'DROP'.</li><li>For easier identification, packets logged under the
|
find any problems.<br>
|
||||||
'norfc1918' interface option are now logged out of chains named
|
</p>
|
||||||
'rfc1918'. Previously, such packets were logged under chains named
|
<p><b>12/07/2003 - Shorewall 1.4.9 Beta 1</b><b> </b></p>
|
||||||
'logdrop'.</li><li>Distributors and developers seem to be regularly
|
<div style="margin-left: 40px;"><a
|
||||||
inventing new naming conventions for kernel modules. To avoid the need to
|
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
|
||||||
change Shorewall code for each new convention, the MODULE_SUFFIX option has
|
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a>
|
||||||
been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix for
|
</div>
|
||||||
module names in your particular distribution. If MODULE_SUFFIX is not set in
|
<p>Problems Corrected since version 1.4.8:</p>
|
||||||
shorewall.conf, Shorewall will use the list "o gz ko o.gz".<br />
|
<ol>
|
||||||
<br /> To see what suffix is used by your distribution:<br /> <br /> ls
|
<li>There has been a low continuing level of confusion over the
|
||||||
/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br /> <br /> All of the
|
terms "Source NAT" (SNAT) and "Static NAT". To avoid future confusion,
|
||||||
files listed should have the same suffix (extension). Set MODULE_SUFFIX to
|
all instances of "Static NAT" have been replaced with "One-to-one NAT"
|
||||||
that suffix.<br /> <br /> Examples:<br /> <br />
|
in the documentation and configuration files.</li>
|
||||||
     If all files end in ".kzo" then set
|
<li>The description of NEWNOTSYN in shorewall.conf has been
|
||||||
MODULE_SUFFIX="kzo"<br />      If all
|
reworded for clarity.</li>
|
||||||
files end in ".kz.o" then set MODULE_SUFFIX="kz.o"</li><li>Support
|
<li>Wild-card rules (those involving "all" as SOURCE or DEST)
|
||||||
for user defined rule ACTIONS has been implemented through two new files:<br />
|
will no longer produce an error if they attempt to add a rule that
|
||||||
<br /> /etc/shorewall/actions - used to list the user-defined ACTIONS.<br />
|
would override a NONE policy. The logic for expanding these wild-card
|
||||||
/etc/shorewall/action.template - For each user defined <action>,
|
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
|
||||||
copy this file to /etc/shorewall/action.<action> and add the
|
policy.</li>
|
||||||
appropriate rules for that <action>. Once an <action> has
|
</ol>
|
||||||
been defined, it may be used like any of the builtin ACTIONS (ACCEPT, DROP,
|
<p>Migration Issues:<br>
|
||||||
etc.) in /etc/shorewall/rules.<br /> <br /> Example: You want an action that
|
None.<br>
|
||||||
logs a packet at the 'info' level and accepts the connection.<br />
|
<br>
|
||||||
<br /> In /etc/shorewall/actions, you would add:<br /> <br />
|
New Features: </p>
|
||||||
     LogAndAccept<br /> <br /> You would then
|
<ol>
|
||||||
copy /etc/shorewall/action.template to /etc/shorewall/LogAndAccept and in
|
<li>To cut down on the number of "Why are these ports closed
|
||||||
that file, you would add the two rules:<br />
|
rather than stealthed?" questions, the SMB-related rules in
|
||||||
        LOG:info<br />
|
/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.</li>
|
||||||
        ACCEPT<br />
|
<li>For easier identification, packets logged under the
|
||||||
<br /></li></ol> <p><b>12/03/2003 - Support Torch Passed</b> <b><img
|
'norfc1918' interface option are now logged out of chains named
|
||||||
alt="(New)" src="images/new10.gif"
|
'rfc1918'. Previously, such packets were logged under chains named
|
||||||
style="border: 0px solid ; width: 28px; height: 12px;" title="" /></b></p>
|
'logdrop'.</li>
|
||||||
Effective today, I am reducing my participation in the day-to-day support of
|
<li>Distributors and developers seem to be regularly inventing
|
||||||
Shorewall. As part of this shift to community-based Shorewall support a new
|
new naming conventions for kernel modules. To avoid the need to change
|
||||||
<a href="https://lists.shorewall.net/mailman/listinfo/shorewall-newbies">Shorewall
|
Shorewall code for each new convention, the MODULE_SUFFIX option has
|
||||||
Newbies mailing list</a> has been established to field questions and
|
been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
|
||||||
problems from new users. I will not monitor that list personally. I will
|
for module names in your particular distribution. If MODULE_SUFFIX is
|
||||||
continue my active development of Shorewall and will be available via the
|
not set in shorewall.conf, Shorewall will use the list "o gz ko o.gz".<br>
|
||||||
development list to handle development issues -- Tom. <p><b>11/07/2003 -
|
<br>
|
||||||
Shorewall 1.4.8</b><b><br /> <br /> </b> Problems Corrected since version
|
To see what suffix is used by your distribution:<br>
|
||||||
1.4.7:<br /> </p> <ol><li>Tuomo Soini has supplied a correction to a problem
|
<br>
|
||||||
that occurs using some versions of 'ash'. The symptom is that
|
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br>
|
||||||
"shorewall start" fails with:<br />  <br />   
|
<br>
|
||||||
local: --limit: bad variable name<br />    iptables v1.2.8:
|
All of the files listed should have the same suffix (extension). Set
|
||||||
Couldn't load match `-j':/lib/iptables/libipt_-j.so:<br />
|
MODULE_SUFFIX to that suffix.<br>
|
||||||
   cannot open shared object file: No such file or directory<br />
|
<br>
|
||||||
   Try `iptables -h' or 'iptables --help' for more
|
Examples:<br>
|
||||||
information.</li><li>Andres Zhoglo has supplied a correction that avoids
|
<br>
|
||||||
trying to use the multiport match iptables facility on ICMP rules.<br />
|
If all files end in ".kzo" then set
|
||||||
 <br />    Example of rule that previously caused
|
MODULE_SUFFIX="kzo"<br>
|
||||||
"shorewall start" to fail:<br />  <br />
|
If all files end in ".kz.o" then set
|
||||||
          
|
MODULE_SUFFIX="kz.o"</li>
|
||||||
ACCEPT      loc  $FW 
|
<li>Support for user defined rule ACTIONS has been implemented
|
||||||
icmp    0,8,11,12<br /> <br /></li><li>Previously, if
|
through two new files:<br>
|
||||||
the following error message was issued, Shorewall was left in an
|
<br>
|
||||||
inconsistent state.<br />  <br />    Error: Unable to
|
/etc/shorewall/actions - used to list the user-defined ACTIONS.<br>
|
||||||
determine the routes through interface xxx<br /> <br /></li><li>Handling of
|
/etc/shorewall/action.template - For each user defined <action>,
|
||||||
the LOGUNCLEAN option in shorewall.conf has been corrected.</li><li>In
|
copy this file to /etc/shorewall/action.<action> and add the
|
||||||
Shorewall 1.4.2, an optimization was added. This optimization involved
|
appropriate rules for that <action>. Once an <action> has
|
||||||
creating a chain named "<zone>_frwd" for most zones defined
|
been defined, it may be used like any of the builtin ACTIONS (ACCEPT,
|
||||||
using the /etc/shorewall/hosts file. It has since been discovered that in
|
DROP, etc.) in /etc/shorewall/rules.<br>
|
||||||
many cases these new chains contain redundant rules and that the
|
<br>
|
||||||
"optimization" turns out to be less than optimal. The implementation
|
Example: You want an action that logs a packet at the 'info' level and
|
||||||
has now been corrected.</li><li>When the MARK value in a tcrules entry is
|
accepts the connection.<br>
|
||||||
followed by ":F" or ":P", the ":F" or ":P"
|
<br>
|
||||||
was previously only applied to the first Netfilter rule generated by the
|
In /etc/shorewall/actions, you would add:<br>
|
||||||
entry. It is now applied to all entries.</li><li>An incorrect comment
|
<br>
|
||||||
concerning Debian's use of the SUBSYSLOCK option has been removed from
|
LogAndAccept<br>
|
||||||
shorewall.conf.</li><li>Previously, neither the 'routefilter'
|
<br>
|
||||||
interface option nor the ROUTE_FILTER parameter were working properly. This
|
You would then copy /etc/shorewall/action.template to
|
||||||
has been corrected (thanks to Eric Bowles for his analysis and patch). The
|
/etc/shorewall/LogAndAccept and in that file, you would add the two
|
||||||
definition of the ROUTE_FILTER option has changed however. Previously,
|
rules:<br>
|
||||||
ROUTE_FILTER=Yes was documented as enabling route filtering on all
|
LOG:info<br>
|
||||||
interfaces (which didn't work). Beginning with this release, setting
|
ACCEPT<br>
|
||||||
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought up
|
<br>
|
||||||
while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can coexist
|
</li>
|
||||||
with the use of the 'routefilter' option in the interfaces file.</li><li>If
|
</ol>
|
||||||
MAC verification was enabled on an interface with a /32 address and a
|
<p><b>12/03/2003 - Support Torch Passed</b> <b><img alt="(New)"
|
||||||
broadcast address then an error would occur during startup.</li><li>he NONE
|
src="images/new10.gif"
|
||||||
policy's intended use is to suppress the generating of rules that
|
style="border: 0px solid ; width: 28px; height: 12px;" title=""></b></p>
|
||||||
can't possibly be traversed. This means that a policy of NONE is
|
Effective today, I am reducing my participation in the day-to-day
|
||||||
inappropriate where the source or destination zone is $FW or "all".
|
support of Shorewall. As part of this shift to community-based
|
||||||
Shorewall now generates an error message if such a policy is given in
|
Shorewall support a new <a
|
||||||
/etc/shorewall/policy. Previously such a policy caused "shorewall
|
href="https://lists.shorewall.net/mailman/listinfo/shorewall-newbies">Shorewall
|
||||||
start" to fail.</li><li>The 'routeback' option was broken for
|
Newbies mailing list</a> has been established to field questions and
|
||||||
wildcard interfaces (e.g., "tun+"). This has been corrected so that
|
problems from new users. I will not monitor that list personally. I
|
||||||
'routeback' now works as expected in this case.<br /></li></ol>
|
will continue my active development of Shorewall and will be available
|
||||||
Migration Issues:<br /> <ol><li>The definition of the ROUTE_FILTER option in
|
via the development list to handle development issues -- Tom.
|
||||||
shorewall.conf has changed as described in item 8) above.<br /></li></ol>
|
<p><b>11/07/2003 - Shorewall 1.4.8</b><b><br>
|
||||||
New Features:<br /> <ol><li>A new QUEUE action has been introduced for
|
<br>
|
||||||
rules. QUEUE allows you to pass connection requests to a user-space filter
|
</b> Problems Corrected since version 1.4.7:<br>
|
||||||
such as ftwall (http://p2pwall.sourceforge.net). The ftwall program allows
|
</p>
|
||||||
for effective filtering of p2p applications such as Kazaa. For example, to
|
<ol>
|
||||||
use ftwall to filter P2P clients in the 'loc' zone, you would add
|
<li>Tuomo Soini has supplied a correction to a problem that
|
||||||
the following rules:<br /> <br />    QUEUE  
|
occurs using some versions of 'ash'. The symptom is that "shorewall
|
||||||
loc        
|
start" fails with:<br>
|
||||||
net    tcp<br />    QUEUE  
|
<br>
|
||||||
loc        
|
local: --limit: bad variable name<br>
|
||||||
net    udp<br />    QUEUE  
|
iptables v1.2.8: Couldn't load match
|
||||||
loc        
|
`-j':/lib/iptables/libipt_-j.so:<br>
|
||||||
fw     udp<br /> <br /> You would normally want
|
cannot open shared object file: No such file or directory<br>
|
||||||
to place those three rules BEFORE any ACCEPT rules for loc->net udp or
|
Try `iptables -h' or 'iptables --help' for more
|
||||||
tcp.<br /> <br /> Note: When the protocol specified is TCP ("tcp",
|
information.</li>
|
||||||
"TCP" or "6"), Shorewall will only pass connection requests
|
<li>Andres Zhoglo has supplied a correction that avoids trying
|
||||||
(SYN packets) to user space. This is for compatibility with ftwall.</li><li>A
|
to use the multiport match iptables facility on ICMP rules.<br>
|
||||||
BLACKLISTNEWNONLY option has been added to shorewall.conf. When this option
|
<br>
|
||||||
is set to "Yes", the blacklists (dynamic and static) are only
|
Example of rule that previously caused "shorewall start"
|
||||||
consulted for new connection requests. When set to "No" (the default
|
to fail:<br>
|
||||||
if the variable is not set), the blacklists are consulted on every packet.<br />
|
<br>
|
||||||
<br /> Setting this option to "No" allows blacklisting to stop
|
|
||||||
existing connections from a newly blacklisted host but is more expensive in
|
ACCEPT loc $FW
|
||||||
terms of packet processing time. This is especially true if the blacklists
|
icmp 0,8,11,12<br>
|
||||||
contain a large number of entries.</li><li>Chain names used in the
|
<br>
|
||||||
/etc/shorewall/accounting file may now begin with a digit ([0-9]) and may
|
</li>
|
||||||
contain embedded dashes ("-").</li></ol> <p><b>10/26/2003 -
|
<li>Previously, if the following error message was issued,
|
||||||
Shorewall 1.4.7a and 1.4.7b win brown paper bag awards</b> <b><img
|
Shorewall was left in an inconsistent state.<br>
|
||||||
align="middle" alt="" src="images/j0233056.gif"
|
<br>
|
||||||
style="border: 0px solid ; width: 50px; height: 80px;" title="" />Shorewall
|
Error: Unable to determine the routes through interface xxx<br>
|
||||||
1.4.7c released.</b></p> <ol><li>The saga with "<zone>_frwd"
|
<br>
|
||||||
chains continues. The 1.4.7c script produces a ruleset that should work for
|
</li>
|
||||||
everyone even if it is not quite optimal. My apologies for this ongoing
|
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
|
||||||
mess.<br /></li></ol> <p><b>10/24/2003 - Shorewall 1.4.7b</b></p> <p>This is
|
been corrected.</li>
|
||||||
a bugfx rollup of the 1.4.7a fixes plus:<br /> </p> <ol><li>The fix for
|
<li>In Shorewall 1.4.2, an optimization was added. This
|
||||||
problem 5 in 1.4.7a was wrong with the result that
|
optimization involved creating a chain named "<zone>_frwd" for
|
||||||
"<zone>_frwd" chains might contain too few rules. That wrong
|
most zones defined using the /etc/shorewall/hosts file. It has since
|
||||||
code is corrected in this release.<br /></li></ol> <p><b>10/21/2003 -
|
been discovered that in many cases these new chains contain redundant
|
||||||
Shorewall 1.4.7a</b></p> <p>This is a bugfix rollup of the following problem
|
rules and that the "optimization" turns out to be less than optimal.
|
||||||
corrections:<br /> </p> <ol><li>Tuomo Soini has supplied a correction to a
|
The implementation has now been corrected.</li>
|
||||||
problem that occurs using some versions of 'ash'. The symptom is
|
<li>When the MARK value in a tcrules entry is followed by ":F"
|
||||||
that "shorewall start" fails with:<br />  <br />
|
or ":P", the ":F" or ":P" was previously only applied to the first
|
||||||
   local: --limit: bad variable name<br />   
|
Netfilter rule generated by the entry. It is now applied to all entries.</li>
|
||||||
iptables v1.2.8: Couldn't load match
|
<li>An incorrect comment concerning Debian's use of the
|
||||||
`-j':/lib/iptables/libipt_-j.so:<br />    cannot open
|
SUBSYSLOCK option has been removed from shorewall.conf.</li>
|
||||||
shared object file: No such file or directory<br />    Try
|
<li>Previously, neither the 'routefilter' interface option nor
|
||||||
`iptables -h' or 'iptables --help' for more information.<br />
|
the ROUTE_FILTER parameter were working properly. This has been
|
||||||
<br /></li><li>Andres Zhoglo has supplied a correction that avoids trying to
|
corrected (thanks to Eric Bowles for his analysis and patch). The
|
||||||
use the multiport match iptables facility on ICMP rules.<br />  <br />
|
definition of the ROUTE_FILTER option has changed however. Previously,
|
||||||
   Example of rule that previously caused "shorewall
|
ROUTE_FILTER=Yes was documented as enabling route filtering on all
|
||||||
start" to fail:<br />  <br />
|
interfaces (which didn't work). Beginning with this release, setting
|
||||||
          
|
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
|
||||||
ACCEPT      loc  $FW 
|
up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
|
||||||
icmp    0,8,11,12<br /> <br /></li><li>Previously, if
|
coexist with the use of the 'routefilter' option in the interfaces file.</li>
|
||||||
the following error message was issued, Shorewall was left in an
|
<li>If MAC verification was enabled on an interface with a /32
|
||||||
inconsistent state.<br />  <br />    Error: Unable to
|
address and a broadcast address then an error would occur during
|
||||||
determine the routes through interface xxx<br /> <br /></li><li>Handling of
|
startup.</li>
|
||||||
the LOGUNCLEAN option in shorewall.conf has been corrected.</li><li>In
|
<li>he NONE policy's intended use is to suppress the generating
|
||||||
Shorewall 1.4.2, an optimization was added. This optimization involved
|
of rules that can't possibly be traversed. This means that a policy of
|
||||||
creating a chain named "<zone>_frwd" for most zones defined
|
NONE is inappropriate where the source or destination zone is $FW or
|
||||||
using the /etc/shorewall/hosts file. It has since been discovered that in
|
"all". Shorewall now generates an error message if such a policy is
|
||||||
many cases these new chains contain redundant rules and that the
|
given in /etc/shorewall/policy. Previously such a policy caused
|
||||||
"optimization" turns out to be less than optimal. The implementation
|
"shorewall start" to fail.</li>
|
||||||
has now been corrected.</li><li>When the MARK value in a tcrules entry is
|
<li>The 'routeback' option was broken for wildcard interfaces
|
||||||
followed by ":F" or ":P", the ":F" or ":P"
|
(e.g., "tun+"). This has been corrected so that 'routeback' now works
|
||||||
was previously only applied to the first Netfilter rule generated by the
|
as expected in this case.<br>
|
||||||
entry. It is now applied to all entries.<br /></li></ol> <p><a
|
</li>
|
||||||
href="News.htm">More News</a></p> <p><a href="http://leaf.sourceforge.net"
|
</ol>
|
||||||
target="_top"><img alt="(Leaf Logo)" border="0" height="36"
|
Migration Issues:<br>
|
||||||
src="images/leaflogo.gif" width="49" /></a> Jacques Nilo and Eric Wolzak
|
<ol>
|
||||||
have a LEAF (router/firewall/gateway on a floppy, CD or compact flash)
|
<li>The definition of the ROUTE_FILTER option in shorewall.conf
|
||||||
distribution called <i>Bering</i> that features Shorewall-1.4.2 and
|
has changed as described in item 8) above.<br>
|
||||||
Kernel-2.4.20. You can find their work at: <a
|
</li>
|
||||||
href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo<br />
|
</ol>
|
||||||
</a></p> <b>Congratulations to Jacques and Eric on the recent release of
|
New Features:<br>
|
||||||
Bering 1.2!!!<br /> <br /> </b> <div style="text-align: center;"> <div
|
<ol>
|
||||||
style="text-align: center;"><a href="http://www.shorewall.net" target="_top"><img
|
<li>A new QUEUE action has been introduced for rules. QUEUE
|
||||||
alt="(Protected by Shorewall)" src="images/ProtectedBy.png"
|
allows you to pass connection requests to a user-space filter such as
|
||||||
style="border: 0px solid ; width: 216px; height: 45px;" title="" /></a></div>
|
ftwall (http://p2pwall.sourceforge.net). The ftwall program allows for
|
||||||
</div> <h2><a name="Donations"></a>Donations</h2> <p
|
effective filtering of p2p applications such as Kazaa. For example, to
|
||||||
style="text-align: left;"><a href="http://www.starlight.org"><img
|
use ftwall to filter P2P clients in the 'loc' zone, you would add the
|
||||||
align="left" alt="(Starlight Logo)" hspace="10" src="images/newlog.gif"
|
following rules:<br>
|
||||||
style="border: 4px solid ; width: 57px; height: 100px;" title="" /></a><br />
|
<br>
|
||||||
<big>Shorewall is free but if you try it and find it useful, please consider
|
QUEUE loc
|
||||||
making a donation to <a href="http://www.starlight.org">Starlight
|
net tcp<br>
|
||||||
Children's Foundation</a>. Thanks!</big><br /> <a
|
QUEUE loc
|
||||||
href="http://www.starlight.org"></a></p></td></tr></tbody></table> </center>
|
net udp<br>
|
||||||
</div> <p><font size="2">Updated 12/21/2003 - <a href="support.htm">Tom
|
QUEUE loc
|
||||||
Eastep</a></font><br /> </p></body>
|
fw udp<br>
|
||||||
</html>
|
<br>
|
||||||
|
You would normally want to place those three rules BEFORE any ACCEPT
|
||||||
|
rules for loc->net udp or tcp.<br>
|
||||||
|
<br>
|
||||||
|
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
|
||||||
|
Shorewall will only pass connection requests (SYN packets) to user
|
||||||
|
space. This is for compatibility with ftwall.</li>
|
||||||
|
<li>A BLACKLISTNEWNONLY option has been added to
|
||||||
|
shorewall.conf. When this option is set to "Yes", the blacklists
|
||||||
|
(dynamic and static) are only consulted for new connection requests.
|
||||||
|
When set to "No" (the default if the variable is not set), the
|
||||||
|
blacklists are consulted on every packet.<br>
|
||||||
|
<br>
|
||||||
|
Setting this option to "No" allows blacklisting to stop existing
|
||||||
|
connections from a newly blacklisted host but is more expensive in
|
||||||
|
terms of packet processing time. This is especially true if the
|
||||||
|
blacklists contain a large number of entries.</li>
|
||||||
|
<li>Chain names used in the /etc/shorewall/accounting file may
|
||||||
|
now begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
|
||||||
|
</ol>
|
||||||
|
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
|
||||||
|
bag awards</b> <b><img align="middle" alt="" src="images/j0233056.gif"
|
||||||
|
style="border: 0px solid ; width: 50px; height: 80px;" title="">Shorewall
|
||||||
|
1.4.7c released.</b></p>
|
||||||
|
<ol>
|
||||||
|
<li>The saga with "<zone>_frwd" chains continues. The
|
||||||
|
1.4.7c script produces a ruleset that should work for everyone even if
|
||||||
|
it is not quite optimal. My apologies for this ongoing mess.<br>
|
||||||
|
</li>
|
||||||
|
</ol>
|
||||||
|
<p><b>10/24/2003 - Shorewall 1.4.7b</b></p>
|
||||||
|
<p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
|
||||||
|
</p>
|
||||||
|
<ol>
|
||||||
|
<li>The fix for problem 5 in 1.4.7a was wrong with the result
|
||||||
|
that "<zone>_frwd" chains might contain too few rules. That wrong
|
||||||
|
code is corrected in this release.<br>
|
||||||
|
</li>
|
||||||
|
</ol>
|
||||||
|
<p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
|
||||||
|
<p>This is a bugfix rollup of the following problem corrections:<br>
|
||||||
|
</p>
|
||||||
|
<ol>
|
||||||
|
<li>Tuomo Soini has supplied a correction to a problem that
|
||||||
|
occurs using some versions of 'ash'. The symptom is that "shorewall
|
||||||
|
start" fails with:<br>
|
||||||
|
<br>
|
||||||
|
local: --limit: bad variable name<br>
|
||||||
|
iptables v1.2.8: Couldn't load match
|
||||||
|
`-j':/lib/iptables/libipt_-j.so:<br>
|
||||||
|
cannot open shared object file: No such file or directory<br>
|
||||||
|
Try `iptables -h' or 'iptables --help' for more
|
||||||
|
information.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Andres Zhoglo has supplied a correction that avoids trying
|
||||||
|
to use the multiport match iptables facility on ICMP rules.<br>
|
||||||
|
<br>
|
||||||
|
Example of rule that previously caused "shorewall start"
|
||||||
|
to fail:<br>
|
||||||
|
<br>
|
||||||
|
|
||||||
|
ACCEPT loc $FW
|
||||||
|
icmp 0,8,11,12<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Previously, if the following error message was issued,
|
||||||
|
Shorewall was left in an inconsistent state.<br>
|
||||||
|
<br>
|
||||||
|
Error: Unable to determine the routes through interface xxx<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
|
||||||
|
been corrected.</li>
|
||||||
|
<li>In Shorewall 1.4.2, an optimization was added. This
|
||||||
|
optimization involved creating a chain named "<zone>_frwd" for
|
||||||
|
most zones defined using the /etc/shorewall/hosts file. It has since
|
||||||
|
been discovered that in many cases these new chains contain redundant
|
||||||
|
rules and that the "optimization" turns out to be less than optimal.
|
||||||
|
The implementation has now been corrected.</li>
|
||||||
|
<li>When the MARK value in a tcrules entry is followed by ":F"
|
||||||
|
or ":P", the ":F" or ":P" was previously only applied to the first
|
||||||
|
Netfilter rule generated by the entry. It is now applied to all entries.<br>
|
||||||
|
</li>
|
||||||
|
</ol>
|
||||||
|
<p><a href="News.htm">More News</a></p>
|
||||||
|
<p><a href="http://leaf.sourceforge.net" target="_top"><img
|
||||||
|
alt="(Leaf Logo)" border="0" height="36" src="images/leaflogo.gif"
|
||||||
|
width="49"></a> Jacques Nilo and Eric Wolzak have a LEAF
|
||||||
|
(router/firewall/gateway on a floppy, CD or compact flash) distribution
|
||||||
|
called <i>Bering</i> that features Shorewall-1.4.2 and Kernel-2.4.20.
|
||||||
|
You can find their work at: <a
|
||||||
|
href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo<br>
|
||||||
|
</a></p>
|
||||||
|
<b>Congratulations to Jacques and Eric on the recent release of
|
||||||
|
Bering 1.2!!!<br>
|
||||||
|
<br>
|
||||||
|
</b>
|
||||||
|
<div style="text-align: center;"><a
|
||||||
|
href="http://www.shorewall.net" target="_top"><img
|
||||||
|
alt="(Protected by Shorewall)"
|
||||||
|
src="file:///Z:/Ursa/Shorewall/Shorewall-docs/images/ProtectedBy.png"
|
||||||
|
style="border: 0px solid ; width: 216px; height: 45px;" title=""></a></div>
|
||||||
|
<b> </b>
|
||||||
|
<div>
|
||||||
|
<div style="text-align: center;"> </div>
|
||||||
|
</div>
|
||||||
|
<h2><a name="Donations"></a>Donations</h2>
|
||||||
|
<p style="text-align: left;"><a href="http://www.starlight.org"><img
|
||||||
|
align="left" alt="(Starlight Logo)" hspace="10" src="images/newlog.gif"
|
||||||
|
style="border: 4px solid ; width: 57px; height: 100px;" title=""></a><br>
|
||||||
|
<big>Shorewall is free but if you try it and find it useful,
|
||||||
|
please consider making a donation to <a href="http://www.starlight.org">Starlight
|
||||||
|
Children's Foundation</a>. Thanks!</big><br>
|
||||||
|
<a href="http://www.starlight.org"></a></p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
</div>
|
||||||
|
<p><font size="2">Updated 12/28/2003 - <a href="support.htm">Tom Eastep</a></font><br>
|
||||||
|
</p>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
@ -1,52 +1,38 @@
|
|||||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||||
<html>
|
<html>
|
||||||
<head>
|
<head>
|
||||||
<meta name="generator" content="HTML Tidy, see www.w3.org">
|
<meta name="generator" content="HTML Tidy, see www.w3.org">
|
||||||
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
|
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
|
||||||
<title>Shoreline Firewall (Shorewall) 1.4</title>
|
<title>Shoreline Firewall (Shorewall) 1.4</title>
|
||||||
<base target="_self">
|
<base target="_self">
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
<div align="center">
|
<div align="center">
|
||||||
<center>
|
<center>
|
||||||
<table border="0" cellpadding="0" cellspacing="0" style=
|
<table border="0" cellpadding="0" cellspacing="0"
|
||||||
"border-collapse: collapse;" width="100%" id="AutoNumber4">
|
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td width="90%">
|
<td width="90%">
|
||||||
<h2>Site Problem</h2>
|
<h2>Introduction<br>
|
||||||
|
</h2>
|
||||||
The server that normally hosts www.shorewall.net and
|
<ul>
|
||||||
ftp.shorewall.net is currently down. Until it is back up, a small
|
<li><a href="http://www.netfilter.org">Netfilter</a> - the
|
||||||
server with very limited bandwidth is being used temporarly. You
|
packet
|
||||||
will likely experience better response time from the <a href=
|
|
||||||
"http://shorewall.sourceforge.net" target="_top">Sourceforge
|
|
||||||
site</a> or from one of the other <a href=
|
|
||||||
"shorewall_mirrors.htm">mirrors</a>. Sorry for the
|
|
||||||
inconvenience.<br>
|
|
||||||
<br>
|
|
||||||
|
|
||||||
|
|
||||||
<h2>Introduction<br>
|
|
||||||
</h2>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li><a href="http://www.netfilter.org">Netfilter</a> - the packet
|
|
||||||
filter facility built into the 2.4 and later Linux kernels.</li>
|
filter facility built into the 2.4 and later Linux kernels.</li>
|
||||||
|
<li>ipchains - the packet filter facility built into the 2.2
|
||||||
<li>ipchains - the packet filter facility built into the 2.2 Linux
|
Linux
|
||||||
kernels. Also the name of the utility program used to configure and
|
kernels. Also the name of the utility program used to configure and
|
||||||
control that facility. Netfilter can be used in ipchains
|
control that facility. Netfilter can be used in ipchains
|
||||||
compatibility mode.<br>
|
compatibility mode.<br>
|
||||||
</li>
|
</li>
|
||||||
|
<li>iptables - the utility program used to configure and
|
||||||
<li>iptables - the utility program used to configure and control
|
control
|
||||||
Netfilter. The term 'iptables' is often used to refer to the
|
Netfilter. The term 'iptables' is often used to refer to the
|
||||||
combination of iptables+Netfilter (with Netfilter not in ipchains
|
combination of iptables+Netfilter (with Netfilter not in ipchains
|
||||||
compatibility mode).<br>
|
compatibility mode).<br>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
The Shoreline Firewall, more commonly known as "Shorewall", is
|
The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||||
high-level tool for configuring Netfilter. You describe your
|
high-level tool for configuring Netfilter. You describe your
|
||||||
firewall/gateway requirements using entries in a set of
|
firewall/gateway requirements using entries in a set of
|
||||||
@ -56,142 +42,131 @@ Netfilter to match your requirements. Shorewall can be used on a
|
|||||||
dedicated firewall system, a multi-function gateway/router/server
|
dedicated firewall system, a multi-function gateway/router/server
|
||||||
or on a standalone GNU/Linux system. Shorewall does not use
|
or on a standalone GNU/Linux system. Shorewall does not use
|
||||||
Netfilter's ipchains compatibility mode and can thus take advantage
|
Netfilter's ipchains compatibility mode and can thus take advantage
|
||||||
of Netfilter's connection state tracking capabilities.
|
of Netfilter's connection state tracking capabilities.
|
||||||
|
<p>This program is free software; you can redistribute it and/or
|
||||||
<p>This program is free software; you can redistribute it and/or
|
modify it under the terms of <a
|
||||||
modify it under the terms of <a href=
|
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
||||||
"http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
|
General
|
||||||
Public License</a> as published by the Free Software
|
Public License</a> as published by the Free Software
|
||||||
Foundation.<br>
|
Foundation.<br>
|
||||||
<br>
|
<br>
|
||||||
This program is distributed in the hope that it will be useful, but
|
This program is distributed in the hope that it will be useful, but
|
||||||
WITHOUT ANY WARRANTY; without even the implied warranty of
|
WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
General Public License for more details.<br>
|
General Public License for more details.<br>
|
||||||
<br>
|
<br>
|
||||||
You should have received a copy of the GNU General Public License
|
You should have received a copy of the GNU General Public License
|
||||||
along with this program; if not, write to the Free Software
|
along with this program; if not, write to the Free Software
|
||||||
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
||||||
|
<p> Permission is granted to copy, distribute and/or modify this
|
||||||
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M.
|
document under the terms of the GNU Free Documentation License, Version
|
||||||
Eastep</a></p>
|
1.2 or any later version published by the Free Software Foundation;
|
||||||
|
with no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
<h2>This is the Shorewall 1.4 Web Site</h2>
|
Texts. A copy of the license is included in the section entitled <a>"GNU
|
||||||
|
Free Documentation License"</a>.</p>
|
||||||
|
<p>Copyright © 2001-2003 Thomas M. Eastep </p>
|
||||||
|
<h2>This is the Shorewall 1.4 Web Site</h2>
|
||||||
The information on this site applies only to 1.4.x releases of
|
The information on this site applies only to 1.4.x releases of
|
||||||
Shorewall. For older versions:<br>
|
Shorewall. For older versions:<br>
|
||||||
|
<ul>
|
||||||
|
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
|
||||||
<ul>
|
target="_top">here.</a></li>
|
||||||
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3" target=
|
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
|
||||||
"_top">here.</a></li>
|
target="_top">here</a>.<br>
|
||||||
|
</li>
|
||||||
<li>The 1.2 site is <a href="http://shorewall.net/1.2/" target=
|
</ul>
|
||||||
"_top">here</a>.<br>
|
<h2>Getting Started with Shorewall</h2>
|
||||||
</li>
|
New to Shorewall? Start by selecting the <a
|
||||||
</ul>
|
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
|
||||||
|
|
||||||
<h2>Getting Started with Shorewall</h2>
|
|
||||||
|
|
||||||
New to Shorewall? Start by selecting the <a href=
|
|
||||||
"shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
|
|
||||||
closely match your environment and follow the step by step
|
closely match your environment and follow the step by step
|
||||||
instructions.<br>
|
instructions.<br>
|
||||||
|
<h2>Looking for Information?</h2>
|
||||||
|
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
||||||
<h2>Looking for Information?</h2>
|
|
||||||
|
|
||||||
The <a href=
|
|
||||||
"shorewall_quickstart_guide.htm#Documentation">Documentation
|
|
||||||
Index</a> is a good place to start as is the Quick Search in the
|
Index</a> is a good place to start as is the Quick Search in the
|
||||||
frame above.
|
frame above.
|
||||||
|
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
||||||
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
|
||||||
|
|
||||||
If so, the documentation <b></b>on this site will not apply
|
If so, the documentation <b></b>on this site will not apply
|
||||||
directly to your setup. If you want to use the documentation that
|
directly to your setup. If you want to use the documentation that
|
||||||
you find here, you will want to consider uninstalling what you have
|
you find here, you will want to consider uninstalling what you have
|
||||||
and installing a setup that matches the documentation on this site.
|
and installing a setup that matches the documentation on this site.
|
||||||
See the <a href="two-interface.htm">Two-interface QuickStart
|
See the <a href="two-interface.htm">Two-interface QuickStart
|
||||||
Guide</a> for details.
|
Guide</a> for details.
|
||||||
|
<h2><b>News</b></h2>
|
||||||
<h2><b>News</b></h2>
|
<p><b>12/28/2003 - www.shorewall.net/ftp.shorewall.net Back
|
||||||
|
On-line</b> <b><img alt="(New)" src="images/new10.gif"
|
||||||
<p><b>12/07/2003 - Shorewall 1.4.9 Beta 1</b> <b><img style=
|
style="border: 0px solid ; width: 28px; height: 12px;" title=""> <br>
|
||||||
"border: 0px solid ; width: 28px; height: 12px;" src=
|
</b></p>
|
||||||
"images/new10.gif" alt="(New)" title=""><br>
|
<p>Our high-capacity server has been restored to service --
|
||||||
</b></p>
|
please let <a href="mailto:webmaster@shorewall.net">us</a> know if you
|
||||||
|
find any problems.<br>
|
||||||
<div style="margin-left: 40px;"><a href=
|
</p>
|
||||||
"http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
|
<p><b>12/07/2003 - Shorewall 1.4.9 Beta 1</b> <b><img
|
||||||
|
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||||
<a href="ftp://shorewall.net/pub/shorewall/Beta" target=
|
src="images/new10.gif" alt="(New)" title=""><br>
|
||||||
"_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
|
</b></p>
|
||||||
</div>
|
<div style="margin-left: 40px;"><a
|
||||||
|
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
|
||||||
<p>Problems Corrected since version 1.4.8:<br>
|
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
|
||||||
</p>
|
</div>
|
||||||
|
<p>Problems Corrected since version 1.4.8:<br>
|
||||||
<ol>
|
</p>
|
||||||
<li>There has been a low continuing level of confusion over the
|
<ol>
|
||||||
|
<li>There has been a low continuing level of confusion over the
|
||||||
terms "Source NAT" (SNAT) and "Static NAT". To avoid future
|
terms "Source NAT" (SNAT) and "Static NAT". To avoid future
|
||||||
confusion, all instances of "Static NAT" have been replaced with
|
confusion, all instances of "Static NAT" have been replaced with
|
||||||
"One-to-one NAT" in the documentation and configuration files.</li>
|
"One-to-one NAT" in the documentation and configuration files.</li>
|
||||||
|
<li>The description of NEWNOTSYN in shorewall.conf has been
|
||||||
<li>The description of NEWNOTSYN in shorewall.conf has been
|
|
||||||
reworded for clarity.</li>
|
reworded for clarity.</li>
|
||||||
|
<li>Wild-card rules (those involving "all" as SOURCE or DEST)
|
||||||
<li>Wild-card rules (those involving "all" as SOURCE or DEST) will
|
will
|
||||||
no longer produce an error if they attempt to add a rule that would
|
no longer produce an error if they attempt to add a rule that would
|
||||||
override a NONE policy. The logic for expanding these wild-card
|
override a NONE policy. The logic for expanding these wild-card
|
||||||
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
|
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
|
||||||
policy.<br>
|
policy.<br>
|
||||||
</li>
|
</li>
|
||||||
</ol>
|
</ol>
|
||||||
|
<p>Migration Issues:<br>
|
||||||
<p>Migration Issues:<br>
|
<br>
|
||||||
<br>
|
|
||||||
None.<br>
|
None.<br>
|
||||||
<br>
|
<br>
|
||||||
New Features:<br>
|
New Features:<br>
|
||||||
</p>
|
</p>
|
||||||
|
<ol>
|
||||||
<ol>
|
<li>To cut down on the number of "Why are these ports closed
|
||||||
<li>To cut down on the number of "Why are these ports closed rather
|
rather
|
||||||
than stealthed?" questions, the SMB-related rules in
|
than stealthed?" questions, the SMB-related rules in
|
||||||
/etc/shorewall/common.def have been changed from 'reject' to
|
/etc/shorewall/common.def have been changed from 'reject' to
|
||||||
'DROP'.</li>
|
'DROP'.</li>
|
||||||
|
<li>For easier identification, packets logged under the
|
||||||
<li>For easier identification, packets logged under the 'norfc1918'
|
'norfc1918'
|
||||||
interface option are now logged out of chains named 'rfc1918'.
|
interface option are now logged out of chains named 'rfc1918'.
|
||||||
Previously, such packets were logged under chains named
|
Previously, such packets were logged under chains named
|
||||||
'logdrop'.</li>
|
'logdrop'.</li>
|
||||||
|
<li>Distributors and developers seem to be regularly inventing
|
||||||
<li>Distributors and developers seem to be regularly inventing new
|
new
|
||||||
naming conventions for kernel modules. To avoid the need to change
|
naming conventions for kernel modules. To avoid the need to change
|
||||||
Shorewall code for each new convention, the MODULE_SUFFIX option
|
Shorewall code for each new convention, the MODULE_SUFFIX option
|
||||||
has been added to shorewall.conf. MODULE_SUFFIX may be set to the
|
has been added to shorewall.conf. MODULE_SUFFIX may be set to the
|
||||||
suffix for module names in your particular distribution. If
|
suffix for module names in your particular distribution. If
|
||||||
MODULE_SUFFIX is not set in shorewall.conf, Shorewall will use the
|
MODULE_SUFFIX is not set in shorewall.conf, Shorewall will use the
|
||||||
list "o gz ko o.gz".<br>
|
list "o gz ko o.gz".<br>
|
||||||
<br>
|
<br>
|
||||||
To see what suffix is used by your distribution:<br>
|
To see what suffix is used by your distribution:<br>
|
||||||
<br>
|
<br>
|
||||||
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br>
|
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br>
|
||||||
<br>
|
<br>
|
||||||
All of the files listed should have the same suffix (extension).
|
All of the files listed should have the same suffix (extension).
|
||||||
Set MODULE_SUFFIX to that suffix.<br>
|
Set MODULE_SUFFIX to that suffix.<br>
|
||||||
<br>
|
<br>
|
||||||
Examples:<br>
|
Examples:<br>
|
||||||
<br>
|
<br>
|
||||||
If all files end in ".kzo" then set
|
If all files end in ".kzo" then set
|
||||||
MODULE_SUFFIX="kzo"<br>
|
MODULE_SUFFIX="kzo"<br>
|
||||||
If all files end in ".kz.o" then set
|
If all files end in ".kz.o" then set
|
||||||
MODULE_SUFFIX="kz.o"</li>
|
MODULE_SUFFIX="kz.o"</li>
|
||||||
|
<li>Support for user defined rule ACTIONS has been implemented
|
||||||
<li>Support for user defined rule ACTIONS has been implemented
|
|
||||||
through two new files:<br>
|
through two new files:<br>
|
||||||
<br>
|
<br>
|
||||||
/etc/shorewall/actions - used to list the user-defined ACTIONS.<br>
|
/etc/shorewall/actions - used to list the user-defined ACTIONS.<br>
|
||||||
/etc/shorewall/action.template - For each user defined
|
/etc/shorewall/action.template - For each user defined
|
||||||
<action>, copy this file to
|
<action>, copy this file to
|
||||||
@ -199,54 +174,45 @@ through two new files:<br>
|
|||||||
for that <action>. Once an <action> has been defined,
|
for that <action>. Once an <action> has been defined,
|
||||||
it may be used like any of the builtin ACTIONS (ACCEPT, DROP, etc.)
|
it may be used like any of the builtin ACTIONS (ACCEPT, DROP, etc.)
|
||||||
in /etc/shorewall/rules.<br>
|
in /etc/shorewall/rules.<br>
|
||||||
<br>
|
<br>
|
||||||
Example: You want an action that logs a packet at the 'info' level
|
Example: You want an action that logs a packet at the 'info' level
|
||||||
and accepts the connection.<br>
|
and accepts the connection.<br>
|
||||||
<br>
|
<br>
|
||||||
In /etc/shorewall/actions, you would add:<br>
|
In /etc/shorewall/actions, you would add:<br>
|
||||||
<br>
|
<br>
|
||||||
LogAndAccept<br>
|
LogAndAccept<br>
|
||||||
<br>
|
<br>
|
||||||
You would then copy /etc/shorewall/action.template to
|
You would then copy /etc/shorewall/action.template to
|
||||||
/etc/shorewall/LogAndAccept and in that file, you would add the two
|
/etc/shorewall/LogAndAccept and in that file, you would add the two
|
||||||
rules:<br>
|
rules:<br>
|
||||||
LOG:info<br>
|
LOG:info<br>
|
||||||
ACCEPT</li>
|
ACCEPT</li>
|
||||||
</ol>
|
</ol>
|
||||||
|
<p><b>12/03/2003 - Support Torch Passed</b> <b><img
|
||||||
<p><b>12/03/2003 - Support Torch Passed</b> <b><img style=
|
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||||
"border: 0px solid ; width: 28px; height: 12px;" src=
|
src="images/new10.gif" alt="(New)" title=""></b></p>
|
||||||
"images/new10.gif" alt="(New)" title=""></b></p>
|
|
||||||
|
|
||||||
Effective today, I am reducing my participation in the day-to-day
|
Effective today, I am reducing my participation in the day-to-day
|
||||||
support of Shorewall. As part of this shift to community-based
|
support of Shorewall. As part of this shift to community-based
|
||||||
Shorewall support a new <a href=
|
Shorewall support a new <a
|
||||||
"https://lists.shorewall.net/mailman/listinfo/shorewall-newbies">Shorewall
|
href="https://lists.shorewall.net/mailman/listinfo/shorewall-newbies">Shorewall
|
||||||
Newbies mailing list</a> has been established to field questions
|
Newbies mailing list</a> has been established to field questions
|
||||||
and problems from new users. I will not monitor that list
|
and problems from new users. I will not monitor that list
|
||||||
personally. I will continue my active development of Shorewall and
|
personally. I will continue my active development of Shorewall and
|
||||||
will be available via the development list to handle development
|
will be available via the development list to handle development
|
||||||
issues -- Tom.
|
issues -- Tom.
|
||||||
|
<p><b>11/01/2003 - Shorewall 1.4.8 RC2</b> <b><img
|
||||||
<p><b>11/01/2003 - Shorewall 1.4.8 RC2</b> <b><img style=
|
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||||
"border: 0px solid ; width: 28px; height: 12px;" src=
|
src="images/new10.gif" alt="(New)" title=""></b> <b></b></p>
|
||||||
"images/new10.gif" alt="(New)" title=""></b> <b></b></p>
|
|
||||||
|
|
||||||
Given the small number of new features and the relatively few lines
|
Given the small number of new features and the relatively few lines
|
||||||
of code that were changed, there will be no Beta for 1.4.8.<br>
|
of code that were changed, there will be no Beta for 1.4.8.<br>
|
||||||
|
<p><b><a href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
|
||||||
|
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
|
||||||
<p><b><a href=
|
<br>
|
||||||
"http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
|
</b> Problems Corrected since version 1.4.7:<br>
|
||||||
|
</p>
|
||||||
<a href="ftp://shorewall.net/pub/shorewall/Beta" target=
|
<ol>
|
||||||
"_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
|
<li>Tuomo Soini has supplied a correction to a problem that
|
||||||
<br>
|
occurs
|
||||||
</b> Problems Corrected since version 1.4.7:<br>
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<ol>
|
|
||||||
<li>Tuomo Soini has supplied a correction to a problem that occurs
|
|
||||||
using some versions of 'ash'. The symptom is that "shorewall start"
|
using some versions of 'ash'. The symptom is that "shorewall start"
|
||||||
fails with:<br>
|
fails with:<br>
|
||||||
<br>
|
<br>
|
||||||
@ -257,8 +223,8 @@ fails with:<br>
|
|||||||
directory<br>
|
directory<br>
|
||||||
Try `iptables -h' or 'iptables --help' for more
|
Try `iptables -h' or 'iptables --help' for more
|
||||||
information.</li>
|
information.</li>
|
||||||
|
<li>Andres Zhoglo has supplied a correction that avoids trying
|
||||||
<li>Andres Zhoglo has supplied a correction that avoids trying to
|
to
|
||||||
use the multiport match iptables facility on ICMP rules.<br>
|
use the multiport match iptables facility on ICMP rules.<br>
|
||||||
<br>
|
<br>
|
||||||
Example of rule that previously caused "shorewall
|
Example of rule that previously caused "shorewall
|
||||||
@ -267,36 +233,34 @@ start" to fail:<br>
|
|||||||
|
|
||||||
ACCEPT loc $FW
|
ACCEPT loc $FW
|
||||||
icmp 0,8,11,12<br>
|
icmp 0,8,11,12<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
|
<li>Previously, if the following error message was issued,
|
||||||
<li>Previously, if the following error message was issued,
|
|
||||||
Shorewall was left in an inconsistent state.<br>
|
Shorewall was left in an inconsistent state.<br>
|
||||||
<br>
|
<br>
|
||||||
Error: Unable to determine the routes through
|
Error: Unable to determine the routes through
|
||||||
interface xxx<br>
|
interface xxx<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
|
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
|
||||||
<li>Handling of the LOGUNCLEAN option in shorewall.conf has been
|
been
|
||||||
corrected.</li>
|
corrected.</li>
|
||||||
|
<li>In Shorewall 1.4.2, an optimization was added. This
|
||||||
<li>In Shorewall 1.4.2, an optimization was added. This
|
|
||||||
optimization involved creating a chain named "<zone>_frwd"
|
optimization involved creating a chain named "<zone>_frwd"
|
||||||
for most zones defined using the /etc/shorewall/hosts file. It has
|
for most zones defined using the /etc/shorewall/hosts file. It has
|
||||||
since been discovered that in many cases these new chains contain
|
since been discovered that in many cases these new chains contain
|
||||||
redundant rules and that the "optimization" turns out to be less
|
redundant rules and that the "optimization" turns out to be less
|
||||||
than optimal. The implementation has now been corrected.</li>
|
than optimal. The implementation has now been corrected.</li>
|
||||||
|
<li>When the MARK value in a tcrules entry is followed by ":F"
|
||||||
<li>When the MARK value in a tcrules entry is followed by ":F" or
|
or
|
||||||
":P", the ":F" or ":P" was previously only applied to the first
|
":P", the ":F" or ":P" was previously only applied to the first
|
||||||
Netfilter rule generated by the entry. It is now applied to all
|
Netfilter rule generated by the entry. It is now applied to all
|
||||||
entries.</li>
|
entries.</li>
|
||||||
|
<li>An incorrect comment concerning Debian's use of the
|
||||||
<li>An incorrect comment concerning Debian's use of the SUBSYSLOCK
|
SUBSYSLOCK
|
||||||
option has been removed from shorewall.conf.</li>
|
option has been removed from shorewall.conf.</li>
|
||||||
|
<li>Previously, neither the 'routefilter' interface option nor
|
||||||
<li>Previously, neither the 'routefilter' interface option nor the
|
the
|
||||||
ROUTE_FILTER parameter were working properly. This has been
|
ROUTE_FILTER parameter were working properly. This has been
|
||||||
corrected (thanks to Eric Bowles for his analysis and patch). The
|
corrected (thanks to Eric Bowles for his analysis and patch). The
|
||||||
definition of the ROUTE_FILTER option has changed however.
|
definition of the ROUTE_FILTER option has changed however.
|
||||||
@ -306,96 +270,87 @@ this release, setting ROUTE_FILTER=Yes will enable route filtering
|
|||||||
of all interfaces brought up while Shorewall is started. As a
|
of all interfaces brought up while Shorewall is started. As a
|
||||||
consequence, ROUTE_FILTER=Yes can coexist with the use of the
|
consequence, ROUTE_FILTER=Yes can coexist with the use of the
|
||||||
'routefilter' option in the interfaces file.</li>
|
'routefilter' option in the interfaces file.</li>
|
||||||
|
<li>If MAC verification was enabled on an interface with a /32
|
||||||
<li>If MAC verification was enabled on an interface with a /32
|
|
||||||
address and a broadcast address then an error would occur during
|
address and a broadcast address then an error would occur during
|
||||||
startup.</li>
|
startup.</li>
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
Migration Issues:<br>
|
Migration Issues:<br>
|
||||||
|
<ol>
|
||||||
|
<li>The definition of the ROUTE_FILTER option in shorewall.conf
|
||||||
<ol>
|
has
|
||||||
<li>The definition of the ROUTE_FILTER option in shorewall.conf has
|
|
||||||
changed as described in item 8) above.<br>
|
changed as described in item 8) above.<br>
|
||||||
</li>
|
</li>
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
New Features:<br>
|
New Features:<br>
|
||||||
|
<ol>
|
||||||
|
<li>A new QUEUE action has been introduced for rules. QUEUE
|
||||||
<ol>
|
allows
|
||||||
<li>A new QUEUE action has been introduced for rules. QUEUE allows
|
|
||||||
you to pass connection requests to a user-space filter such as
|
you to pass connection requests to a user-space filter such as
|
||||||
ftwall (http://p2pwall.sourceforge.net). The ftwall program allows
|
ftwall (http://p2pwall.sourceforge.net). The ftwall program allows
|
||||||
for effective filtering of p2p applications such as Kazaa. For
|
for effective filtering of p2p applications such as Kazaa. For
|
||||||
example, to use ftwall to filter P2P clients in the 'loc' zone, you
|
example, to use ftwall to filter P2P clients in the 'loc' zone, you
|
||||||
would add the following rules:<br>
|
would add the following rules:<br>
|
||||||
<br>
|
<br>
|
||||||
QUEUE loc
|
QUEUE loc
|
||||||
net tcp<br>
|
net tcp<br>
|
||||||
QUEUE loc
|
QUEUE loc
|
||||||
net udp<br>
|
net udp<br>
|
||||||
QUEUE loc
|
QUEUE loc
|
||||||
fw udp<br>
|
fw udp<br>
|
||||||
<br>
|
<br>
|
||||||
You would normally want to place those three rules BEFORE any
|
You would normally want to place those three rules BEFORE any
|
||||||
ACCEPT rules for loc->net udp or tcp.<br>
|
ACCEPT rules for loc->net udp or tcp.<br>
|
||||||
<br>
|
<br>
|
||||||
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
|
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
|
||||||
Shorewall will only pass connection requests (SYN packets) to user
|
Shorewall will only pass connection requests (SYN packets) to user
|
||||||
space. This is for compatibility with ftwall.</li>
|
space. This is for compatibility with ftwall.</li>
|
||||||
|
<li>A BLACKLISTNEWNONLY option has been added to
|
||||||
<li>A BLACKLISTNEWNONLY option has been added to shorewall.conf.
|
shorewall.conf.
|
||||||
When this option is set to "Yes", the blacklists (dynamic and
|
When this option is set to "Yes", the blacklists (dynamic and
|
||||||
static) are only consulted for new connection requests. When set to
|
static) are only consulted for new connection requests. When set to
|
||||||
"No" (the default if the variable is not set), the blacklists are
|
"No" (the default if the variable is not set), the blacklists are
|
||||||
consulted on every packet.<br>
|
consulted on every packet.<br>
|
||||||
<br>
|
<br>
|
||||||
Setting this option to "No" allows blacklisting to stop existing
|
Setting this option to "No" allows blacklisting to stop existing
|
||||||
connections from a newly blacklisted host but is more expensive in
|
connections from a newly blacklisted host but is more expensive in
|
||||||
terms of packet processing time. This is especially true if the
|
terms of packet processing time. This is especially true if the
|
||||||
blacklists contain a large number of entries.</li>
|
blacklists contain a large number of entries.</li>
|
||||||
|
<li>Chain names used in the /etc/shorewall/accounting file may
|
||||||
<li>Chain names used in the /etc/shorewall/accounting file may now
|
now
|
||||||
begin with a digit ([0-9]) and may contain embedded dashes
|
begin with a digit ([0-9]) and may contain embedded dashes
|
||||||
("-").</li>
|
("-").</li>
|
||||||
</ol>
|
</ol>
|
||||||
|
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
|
||||||
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper bag
|
bag
|
||||||
awards</b> <b><img style=
|
awards</b> <b><img
|
||||||
"border: 0px solid ; width: 50px; height: 80px;" src=
|
style="border: 0px solid ; width: 50px; height: 80px;"
|
||||||
"images/j0233056.gif" align="middle" title="" alt="">Shorewall
|
src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
|
||||||
1.4.7c released.</b></p>
|
1.4.7c released.</b></p>
|
||||||
|
<ol>
|
||||||
<ol>
|
<li>The saga with "<zone>_frwd" chains continues. The
|
||||||
<li>The saga with "<zone>_frwd" chains continues. The 1.4.7c
|
1.4.7c
|
||||||
script produces a ruleset that should work for everyone even if it
|
script produces a ruleset that should work for everyone even if it
|
||||||
is not quite optimal. My apologies for this ongoing mess.</li>
|
is not quite optimal. My apologies for this ongoing mess.</li>
|
||||||
</ol>
|
</ol>
|
||||||
|
<p><b>10/24/2003 - Shorewall 1.4.7b</b> <b><img
|
||||||
<p><b>10/24/2003 - Shorewall 1.4.7b</b> <b><img style=
|
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||||
"border: 0px solid ; width: 28px; height: 12px;" src=
|
src="images/new10.gif" alt="(New)" title=""></b></p>
|
||||||
"images/new10.gif" alt="(New)" title=""></b></p>
|
<p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
|
||||||
|
</p>
|
||||||
<p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
|
<ol>
|
||||||
</p>
|
<li>The fix for problem 5 in 1.4.7a was wrong with the result
|
||||||
|
that
|
||||||
<ol>
|
|
||||||
<li>The fix for problem 5 in 1.4.7a was wrong with the result that
|
|
||||||
"<zone>_frwd" chains might contain too few rules. That wrong
|
"<zone>_frwd" chains might contain too few rules. That wrong
|
||||||
code is corrected in this release.<br>
|
code is corrected in this release.<br>
|
||||||
</li>
|
</li>
|
||||||
</ol>
|
</ol>
|
||||||
|
<p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
|
||||||
<p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
|
<p>This is a bugfix rollup of the following problem
|
||||||
|
|
||||||
<p>This is a bugfix rollup of the following problem
|
|
||||||
corrections:<br>
|
corrections:<br>
|
||||||
</p>
|
</p>
|
||||||
|
<ol>
|
||||||
<ol>
|
<li>Tuomo Soini has supplied a correction to a problem that
|
||||||
<li>Tuomo Soini has supplied a correction to a problem that occurs
|
occurs
|
||||||
using some versions of 'ash'. The symptom is that "shorewall start"
|
using some versions of 'ash'. The symptom is that "shorewall start"
|
||||||
fails with:<br>
|
fails with:<br>
|
||||||
<br>
|
<br>
|
||||||
@ -406,10 +361,10 @@ fails with:<br>
|
|||||||
directory<br>
|
directory<br>
|
||||||
Try `iptables -h' or 'iptables --help' for more
|
Try `iptables -h' or 'iptables --help' for more
|
||||||
information.<br>
|
information.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
|
<li>Andres Zhoglo has supplied a correction that avoids trying
|
||||||
<li>Andres Zhoglo has supplied a correction that avoids trying to
|
to
|
||||||
use the multiport match iptables facility on ICMP rules.<br>
|
use the multiport match iptables facility on ICMP rules.<br>
|
||||||
<br>
|
<br>
|
||||||
Example of rule that previously caused "shorewall
|
Example of rule that previously caused "shorewall
|
||||||
@ -418,103 +373,80 @@ start" to fail:<br>
|
|||||||
|
|
||||||
ACCEPT loc $FW
|
ACCEPT loc $FW
|
||||||
icmp 0,8,11,12<br>
|
icmp 0,8,11,12<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
|
<li>Previously, if the following error message was issued,
|
||||||
<li>Previously, if the following error message was issued,
|
|
||||||
Shorewall was left in an inconsistent state.<br>
|
Shorewall was left in an inconsistent state.<br>
|
||||||
<br>
|
<br>
|
||||||
Error: Unable to determine the routes through
|
Error: Unable to determine the routes through
|
||||||
interface xxx<br>
|
interface xxx<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
|
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
|
||||||
<li>Handling of the LOGUNCLEAN option in shorewall.conf has been
|
been
|
||||||
corrected.</li>
|
corrected.</li>
|
||||||
|
<li>In Shorewall 1.4.2, an optimization was added. This
|
||||||
<li>In Shorewall 1.4.2, an optimization was added. This
|
|
||||||
optimization involved creating a chain named "<zone>_frwd"
|
optimization involved creating a chain named "<zone>_frwd"
|
||||||
for most zones defined using the /etc/shorewall/hosts file. It has
|
for most zones defined using the /etc/shorewall/hosts file. It has
|
||||||
since been discovered that in many cases these new chains contain
|
since been discovered that in many cases these new chains contain
|
||||||
redundant rules and that the "optimization" turns out to be less
|
redundant rules and that the "optimization" turns out to be less
|
||||||
than optimal. The implementation has now been corrected.</li>
|
than optimal. The implementation has now been corrected.</li>
|
||||||
|
<li>When the MARK value in a tcrules entry is followed by ":F"
|
||||||
<li>When the MARK value in a tcrules entry is followed by ":F" or
|
or
|
||||||
":P", the ":F" or ":P" was previously only applied to the first
|
":P", the ":F" or ":P" was previously only applied to the first
|
||||||
Netfilter rule generated by the entry. It is now applied to all
|
Netfilter rule generated by the entry. It is now applied to all
|
||||||
entries.</li>
|
entries.</li>
|
||||||
</ol>
|
</ol>
|
||||||
|
<p><b><a href="News.htm">More News</a></b></p>
|
||||||
<p><b><a href="News.htm">More News</a></b></p>
|
<b></b>
|
||||||
|
<h2><b></b></h2>
|
||||||
<b></b>
|
<b></b>
|
||||||
|
<p><a href="http://leaf.sourceforge.net" target="_top"><img
|
||||||
<h2><b></b></h2>
|
border="0" src="images/leaflogo.gif" width="49" height="36"
|
||||||
|
alt="(Leaf Logo)"></a> Jacques Nilo and Eric Wolzak have a LEAF
|
||||||
<b></b>
|
|
||||||
|
|
||||||
<p><a href="http://leaf.sourceforge.net" target="_top"><img border=
|
|
||||||
"0" src="images/leaflogo.gif" width="49" height="36" alt=
|
|
||||||
"(Leaf Logo)"></a> Jacques Nilo and Eric Wolzak have a LEAF
|
|
||||||
(router/firewall/gateway on a floppy, CD or compact flash)
|
(router/firewall/gateway on a floppy, CD or compact flash)
|
||||||
distribution called <i>Bering</i> that features Shorewall-1.4.2 and
|
distribution called <i>Bering</i> that features Shorewall-1.4.2 and
|
||||||
Kernel-2.4.20. You can find their work at: <a href=
|
Kernel-2.4.20. You can find their work at: <a
|
||||||
"http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo</a></p>
|
href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo</a></p>
|
||||||
|
<b>Congratulations to Jacques and Eric on the recent release of
|
||||||
<b>Congratulations to Jacques and Eric on the recent release of
|
|
||||||
Bering 1.2!!!</b> <br>
|
Bering 1.2!!!</b> <br>
|
||||||
|
<h1 align="center"><b><a href="http://www.sf.net"><img
|
||||||
|
align="left" alt="SourceForge Logo"
|
||||||
<h1 align="center"><b><a href="http://www.sf.net"><img align="left"
|
src="http://sourceforge.net/sflogo.php?group_id=22587&type=3"></a></b></h1>
|
||||||
alt="SourceForge Logo" src=
|
<b></b>
|
||||||
"http://sourceforge.net/sflogo.php?group_id=22587&type=3">
|
<h4><b></b></h4>
|
||||||
</a></b></h1>
|
<b></b>
|
||||||
|
<h2><b>This site is hosted by the generous folks at <a
|
||||||
<b></b>
|
href="http://www.sf.net">SourceForge.net</a></b></h2>
|
||||||
|
<br>
|
||||||
<h4><b></b></h4>
|
<br>
|
||||||
|
<h2><b><a name="Donations"></a>Donations</b></h2>
|
||||||
<b></b>
|
<b></b></td>
|
||||||
|
</tr>
|
||||||
<h2><b>This site is hosted by the generous folks at <a href=
|
</tbody>
|
||||||
"http://www.sf.net">SourceForge.net</a></b></h2>
|
|
||||||
|
|
||||||
<br>
|
|
||||||
<br>
|
|
||||||
|
|
||||||
|
|
||||||
<h2><b><a name="Donations"></a>Donations</b></h2>
|
|
||||||
|
|
||||||
<b></b></td>
|
|
||||||
</tr>
|
|
||||||
</tbody>
|
|
||||||
</table>
|
</table>
|
||||||
</center>
|
</center>
|
||||||
</div>
|
</div>
|
||||||
|
<table border="0" cellpadding="5" cellspacing="0"
|
||||||
<table border="0" cellpadding="5" cellspacing="0" style=
|
style="border-collapse: collapse; width: 100%; background-color: rgb(51, 102, 255);"
|
||||||
"border-collapse: collapse; width: 100%; background-color: rgb(51, 102, 255);"
|
|
||||||
id="AutoNumber2">
|
id="AutoNumber2">
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td style="width: 100%; margin-top: 1px;">
|
<td style="width: 100%; margin-top: 1px;">
|
||||||
<p align="center"><a href="http://www.starlight.org"><img border=
|
<p align="center"><a href="http://www.starlight.org"><img
|
||||||
"4" src="images/newlog.gif" width="57" height="100" align="left"
|
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||||
hspace="10" alt="Starlight Foundation Logo"></a></p>
|
hspace="10" alt="Starlight Foundation Logo"></a></p>
|
||||||
|
<p align="center"><font size="4" color="#ffffff"><br>
|
||||||
<p align="center"><font size="4" color="#ffffff"><br>
|
<font size="+2">Shorewall is free but if you try it and find it
|
||||||
<font size="+2">Shorewall is free but if you try it and find it
|
useful, please consider making a donation to <a
|
||||||
useful, please consider making a donation to <a href=
|
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||||||
"http://www.starlight.org"><font color="#ffffff">Starlight
|
|
||||||
Children's Foundation.</font></a> Thanks!</font></font></p>
|
Children's Foundation.</font></a> Thanks!</font></font></p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
<p><font size="2">Updated 12/28/2003 - <a href="support.htm">Tom
|
||||||
<p><font size="2">Updated 12/07/2003 - <a href="support.htm">Tom
|
|
||||||
Eastep</a></font><br>
|
Eastep</a></font><br>
|
||||||
</p>
|
</p>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user