Update the errata to advertise a new rfc1918 file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1014 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-12-28 22:10:28 +00:00
parent 526dfa2218
commit 09e8bd4a95
4 changed files with 661 additions and 591 deletions

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2003-12-17</pubdate> <pubdate>2003-12-28</pubdate>
<copyright> <copyright>
<year>2001-2003</year> <year>2001-2003</year>
@ -67,6 +67,15 @@
<section> <section>
<title>Problems in Version 1.4</title> <title>Problems in Version 1.4</title>
<section>
<title>All Versions</title>
<para><ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.8/rfc1918">Here</ulink>
is the most up to date version of the <ulink
url="Documentation.htm#rfc1918">rfc1918 file</ulink>.</para>
</section>
<section> <section>
<title>Shorewall 1.4.8</title> <title>Shorewall 1.4.8</title>
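Review bot: the new "All Versions" section (L23-L26) sends readers to a path under errata/1.4.8/ while its title says it applies to every 1.4 release; either host the file at a version-neutral location or say in the paragraph that the 1.4.8 copy is the one to use on all 1.4.x versions. The file is also fetched over plain http with no checksum or signature offered next to it, and this file decides which source addresses the 'norfc1918' interface option drops, so consider publishing a checksum or detached signature alongside it and telling readers to verify before installing.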
@ -424,4 +433,12 @@ Aborted (core dumped)</programlisting>
kernel patch and precompiled modules to fix this problem are available at kernel patch and precompiled modules to fix this problem are available at
<ulink url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink>.</para> <ulink url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink>.</para>
</section> </section>
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.2</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Updated
RFC1918 file</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-17</date><authorinitials>TE</authorinitials><revremark>Initial
Conversion to Docbook XML</revremark></revision></revhistory></para>
</appendix>
</article> </article>
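Review bot: the revision 1.2 date (2003-12-29, L36) disagrees with the pubdate this same commit sets to 2003-12-28 (L15); pick one date for both so the revision history and the article header agree.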

View File

@ -60,9 +60,9 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>One-to-one NAT for Ursa (my XP System that dual-boots Mandrake <para>One-to-one NAT for Ursa (my personal system that dual-boots
9.2) - Internal address 192.168.1.5 and external address Mandrake 9.2 and Windows XP) - Internal address 192.168.1.5 and
206.124.146.178.</para> external address 206.124.146.178.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -71,18 +71,18 @@
</listitem> </listitem>
<listitem> <listitem>
<para>SNAT through 206.124.146.179 for&#x00A0; my Linux system <para>SNAT through 206.124.146.179 for&#x00A0; my SuSE 8.1 Linux
(Wookie), my Wife&#39;s system (Tarry), and our&#x00A0; laptop system (Wookie), my Wife&#39;s Windows XP system (Tarry), and
(Tipper) which connects through the Wireless Access Point (wap) via a our&#x00A0; Windows XP laptop (Tipper) which connects through the
Wireless Bridge (bridge).<note><para>While the distance between the Wireless Access Point (wap) via a Wireless Bridge (bridge).<note><para>While
WAP and where I usually use the laptop isn&#39;t very far (25 feet or the distance between the WAP and where I usually use the laptop
so), using a WAC11 (CardBus wireless card) has proved very isn&#39;t very far (25 feet or so), using a WAC11 (CardBus wireless
unsatisfactory (lots of lost connections). By replacing the WAC11 with card) has proved very unsatisfactory (lots of lost connections). By
the WET11 wireless bridge, I have virtually eliminated these problems replacing the WAC11 with the WET11 wireless bridge, I have virtually
(Being an old radio tinkerer (K7JPV), I was also able to eliminate the eliminated these problems (Being an old radio tinkerer (K7JPV), I was
disconnects by hanging a piece of aluminum foil on the family room also able to eliminate the disconnects by hanging a piece of aluminum
wall. Needless to say, my wife Tarry rejected that as a permanent foil on the family room wall. Needless to say, my wife Tarry rejected
solution :-).</para></note></para> that as a permanent solution :-).</para></note></para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>

View File

@ -1,276 +1,397 @@
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html> <html>
<head> <head>
<meta content="HTML Tidy, see www.w3.org" name="generator" /> <meta content="HTML Tidy, see www.w3.org" name="generator">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" /> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self">
<title>Shoreline Firewall (Shorewall) 1.4</title> </head>
<body>
<base target="_self" /> <div>
</head> <table border="0" cellpadding="0" cellspacing="0" id="AutoNumber4"
style="border-collapse: collapse; width: 100%; height: 100%;">
<body><div align="center"> <center> <table border="0" cellpadding="0" <tbody>
cellspacing="0" id="AutoNumber4" <tr>
style="border-collapse: collapse; width: 100%; height: 100%;"><tbody><tr><td <td width="90%">
width="90%"><h2>Site Problem</h2> The server that normally hosts <h2>Introduction to Shorewall</h2>
www.shorewall.net and ftp.shorewall.net is currently down. Until it is back <h3>This is the Shorewall 1.4 Web Site</h3>
up, a small server with very limited bandwidth is being used temporarly. You The information on this site applies only to 1.4.x releases of
will likely experience better response time from the <a Shorewall. For older versions:<br>
href="http://shorewall.sourceforge.net" target="_top">Sourceforge site</a> <ul>
or from one of the other <a href="shorewall_mirrors.htm">mirrors</a>. Sorry <li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
for the inconvenience.<br /> <br /> <h2>Introduction to Shorewall</h2> target="_top">here.</a></li>
<h3>This is the Shorewall 1.4 Web Site</h3> The information on this site <li>The 1.2 site is <a href="http://shorewall.net/1.2/"
applies only to 1.4.x releases of Shorewall. For older versions:<br /> target="_top">here</a>.</li>
<ul><li>The 1.3 site is <a href="http://www.shorewall.net/1.3" target="_top">here.</a></li><li>The </ul>
1.2 site is <a href="http://shorewall.net/1.2/" target="_top">here</a>.</li></ul> <h3>Glossary</h3>
<h3>Glossary</h3> <ul><li><a href="http://www.netfilter.org">Netfilter</a> - <ul>
the packet filter facility built into the 2.4 and later Linux kernels.</li><li>ipchains <li><a href="http://www.netfilter.org">Netfilter</a> - the
- the packet filter facility built into the 2.2 Linux kernels. Also the name packet filter facility built into the 2.4 and later Linux kernels.</li>
of the utility program used to configure and control that facility. <li>ipchains - the packet filter facility built into the 2.2
Netfilter can be used in ipchains compatibility mode.</li><li>iptables - the Linux kernels. Also the name of the utility program used to configure
utility program used to configure and control Netfilter. The term and control that facility. Netfilter can be used in ipchains
&#39;iptables&#39; is often used to refer to the combination of compatibility mode.</li>
iptables+Netfilter (with Netfilter not in ipchains compatibility mode).</li></ul> <li>iptables - the utility program used to configure and
<h3>What is Shorewall?</h3> The Shoreline Firewall, more commonly known as control Netfilter. The term 'iptables' is often used to refer to the
&#34;Shorewall&#34;, is high-level tool for configuring Netfilter. You combination of iptables+Netfilter (with Netfilter not in ipchains
describe your firewall/gateway requirements using entries in a set of compatibility mode).</li>
configuration files. Shorewall reads those configuration files and with the </ul>
help of the iptables utility, Shorewall configures Netfilter to match your <h3>What is Shorewall?</h3>
requirements. Shorewall can be used on a dedicated firewall system, a The Shoreline Firewall, more commonly known as "Shorewall", is
multi-function gateway/router/server or on a standalone GNU/Linux system. high-level tool for configuring Netfilter. You describe your
Shorewall does not use Netfilter&#39;s ipchains compatibility mode and can firewall/gateway requirements using entries in a set of configuration
thus take advantage of Netfilter&#39;s connection state tracking files. Shorewall reads those configuration files and with the help of
capabilities.<br /> <br /> Shorewall is <span the iptables utility, Shorewall configures Netfilter to match your
style="text-decoration: underline;">not</span> a daemon. Once Shorewall has requirements. Shorewall can be used on a dedicated firewall system, a
configured Netfilter, it&#39;s job is complete although the <a multi-function gateway/router/server or on a standalone GNU/Linux
href="starting_and_stopping_shorewall.htm">/sbin/shorewall program can be system. Shorewall does not use Netfilter's ipchains compatibility mode
used at any time to monitor the Netfilter firewall</a>.<br /> <h3>Getting and can thus take advantage of Netfilter's connection state tracking
Started with Shorewall</h3> New to Shorewall? Start by selecting the <a capabilities.<br>
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely <br>
match your environment and follow the step by step instructions.<br /> Shorewall is <span style="text-decoration: underline;">not</span> a
<h3>Looking for Information?</h3> The <a daemon. Once Shorewall has configured Netfilter, it's job is complete
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a> although the <a href="starting_and_stopping_shorewall.htm">/sbin/shorewall
is a good place to start as is the Quick Search in the frame above. program can be used at any time to monitor the Netfilter firewall</a>.<br>
<h3>License</h3> This program is free software; you can redistribute it <h3>Getting Started with Shorewall</h3>
and/or modify it under the terms of <a New to Shorewall? Start by selecting the <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
Public License</a> as published by the Free Software Foundation.<br /> closely match your environment and follow the step by step instructions.<br>
<p>This program is distributed in the hope that it will be useful, but <h3>Looking for Information?</h3>
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for Index</a> is a good place to start as is the Quick Search in the frame
more detail.</p> <p>You should have received a copy of the GNU General above.
Public License along with this program; if not, write to the Free Software <h3>License</h3>
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> Permission is This program is free software; you can redistribute it and/or modify it
granted to copy, distribute and/or modify this document under the terms of under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
the GNU Free Documentation License, Version 1.2 or any later version 2 of the GNU General Public License</a> as published by the Free
published by the Free Software Foundation; with no Invariant Sections, with Software Foundation.<br>
no Front-Cover, and with no Back-Cover Texts. A copy of the license is <p>This program is distributed in the hope that it will be
included in the section entitled <a>&#34;GNU Free Documentation License&#34;</a>.<p>Copyright useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
© 2001-2003 Thomas M. Eastep </p> <h3>Running Shorewall on Mandrake with a MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
two-interface setup?</h3> If so, the documentation <b></b>on this site will General Public License for more detail.</p>
not apply directly to your setup. If you want to use the documentation that <p>You should have received a copy of the GNU General Public
you find here, you will want to consider uninstalling what you have and License along with this program; if not, write to the Free Software
installing a setup that matches the documentation on this site. See the <a Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
href="two-interface.htm">Two-interface QuickStart Guide</a> for details.<br /> Permission is granted to copy, distribute and/or modify this document
<h2>News</h2> <p><b>12/07/2003 - Shorewall 1.4.9 Beta 1</b> <b><img under the terms of the GNU Free Documentation License, Version 1.2 or
alt="(New)" src="images/new10.gif" any later version published by the Free Software Foundation; with no
style="border: 0px solid ; width: 28px; height: 12px;" title="" /> </b></p> Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
<div style="margin-left: 40px;"><a A copy of the license is included in the section entitled <a>"GNU Free
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br /> Documentation License"</a>.
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a> <p>Copyright © 2001-2003 Thomas M. Eastep </p>
</div> <p>Problems Corrected since version 1.4.8:</p> <ol><li>There has been <h3>Running Shorewall on Mandrake with a two-interface setup?</h3>
a low continuing level of confusion over the terms &#34;Source NAT&#34; If so, the documentation <b></b>on this site will not apply directly
(SNAT) and &#34;Static NAT&#34;. To avoid future confusion, all instances of to your setup. If you want to use the documentation that you find here,
&#34;Static NAT&#34; have been replaced with &#34;One-to-one NAT&#34; in the you will want to consider uninstalling what you have and installing a
documentation and configuration files.</li><li>The description of NEWNOTSYN setup that matches the documentation on this site. See the <a
in shorewall.conf has been reworded for clarity.</li><li>Wild-card rules href="two-interface.htm">Two-interface QuickStart Guide</a> for
(those involving &#34;all&#34; as SOURCE or DEST) will no longer produce an details.<br>
error if they attempt to add a rule that would override a NONE policy. The <h2>News</h2>
logic for expanding these wild-card rules now simply skips those <p><b>12/28/2003 - www.shorewall.net/ftp.shorewall.net Back
(SOURCE,DEST) pairs that have a NONE policy.</li></ol> <p>Migration Issues:<br /> On-line</b> <b><img alt="(New)" src="images/new10.gif"
&#x00A0;&#x00A0;&#x00A0; None.<br /> <br /> New Features: </p> <ol><li>To style="border: 0px solid ; width: 28px; height: 12px;" title=""> <br>
cut down on the number of &#34;Why are these ports closed rather than </b></p>
stealthed?&#34; questions, the SMB-related rules in <p>Our high-capacity server has been restored to service --
/etc/shorewall/common.def have been changed from &#39;reject&#39; to please let <a href="mailto:webmaster@shorewall.net">us</a> know if you
&#39;DROP&#39;.</li><li>For easier identification, packets logged under the find any problems.<br>
&#39;norfc1918&#39; interface option are now logged out of chains named </p>
&#39;rfc1918&#39;. Previously, such packets were logged under chains named <p><b>12/07/2003 - Shorewall 1.4.9 Beta 1</b><b> </b></p>
&#39;logdrop&#39;.</li><li>Distributors and developers seem to be regularly <div style="margin-left: 40px;"><a
inventing new naming conventions for kernel modules. To avoid the need to href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
change Shorewall code for each new convention, the MODULE_SUFFIX option has <a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a>
been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix for </div>
module names in your particular distribution. If MODULE_SUFFIX is not set in <p>Problems Corrected since version 1.4.8:</p>
shorewall.conf, Shorewall will use the list &#34;o gz ko o.gz&#34;.<br /> <ol>
<br /> To see what suffix is used by your distribution:<br /> <br /> ls <li>There has been a low continuing level of confusion over the
/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br /> <br /> All of the terms "Source NAT" (SNAT) and "Static NAT". To avoid future confusion,
files listed should have the same suffix (extension). Set MODULE_SUFFIX to all instances of "Static NAT" have been replaced with "One-to-one NAT"
that suffix.<br /> <br /> Examples:<br /> <br /> in the documentation and configuration files.</li>
&#x00A0;&#x00A0;&#x00A0;&#x00A0; If all files end in &#34;.kzo&#34; then set <li>The description of NEWNOTSYN in shorewall.conf has been
MODULE_SUFFIX=&#34;kzo&#34;<br /> &#x00A0;&#x00A0;&#x00A0;&#x00A0; If all reworded for clarity.</li>
files end in &#34;.kz.o&#34; then set MODULE_SUFFIX=&#34;kz.o&#34;</li><li>Support <li>Wild-card rules (those involving "all" as SOURCE or DEST)
for user defined rule ACTIONS has been implemented through two new files:<br /> will no longer produce an error if they attempt to add a rule that
<br /> /etc/shorewall/actions - used to list the user-defined ACTIONS.<br /> would override a NONE policy. The logic for expanding these wild-card
/etc/shorewall/action.template - For each user defined &#60;action&#62;, rules now simply skips those (SOURCE,DEST) pairs that have a NONE
copy this file to /etc/shorewall/action.&#60;action&#62; and add the policy.</li>
appropriate rules for that &#60;action&#62;. Once an &#60;action&#62; has </ol>
been defined, it may be used like any of the builtin ACTIONS (ACCEPT, DROP, <p>Migration Issues:<br>
etc.) in /etc/shorewall/rules.<br /> <br /> Example: You want an action that &nbsp;&nbsp;&nbsp; None.<br>
logs a packet at the &#39;info&#39; level and accepts the connection.<br /> <br>
<br /> In /etc/shorewall/actions, you would add:<br /> <br /> New Features: </p>
&#x00A0;&#x00A0;&#x00A0;&#x00A0; LogAndAccept<br /> <br /> You would then <ol>
copy /etc/shorewall/action.template to /etc/shorewall/LogAndAccept and in <li>To cut down on the number of "Why are these ports closed
that file, you would add the two rules:<br /> rather than stealthed?" questions, the SMB-related rules in
&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; LOG:info<br /> /etc/shorewall/common.def have been changed from 'reject' to 'DROP'.</li>
&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; ACCEPT<br /> <li>For easier identification, packets logged under the
<br /></li></ol> <p><b>12/03/2003 - Support Torch Passed</b> <b><img 'norfc1918' interface option are now logged out of chains named
alt="(New)" src="images/new10.gif" 'rfc1918'. Previously, such packets were logged under chains named
style="border: 0px solid ; width: 28px; height: 12px;" title="" /></b></p> 'logdrop'.</li>
Effective today, I am reducing my participation in the day-to-day support of <li>Distributors and developers seem to be regularly inventing
Shorewall. As part of this shift to community-based Shorewall support a new new naming conventions for kernel modules. To avoid the need to change
<a href="https://lists.shorewall.net/mailman/listinfo/shorewall-newbies">Shorewall Shorewall code for each new convention, the MODULE_SUFFIX option has
Newbies mailing list</a> has been established to field questions and been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
problems from new users. I will not monitor that list personally. I will for module names in your particular distribution. If MODULE_SUFFIX is
continue my active development of Shorewall and will be available via the not set in shorewall.conf, Shorewall will use the list "o gz ko o.gz".<br>
development list to handle development issues -- Tom. <p><b>11/07/2003 - <br>
Shorewall 1.4.8</b><b><br /> <br /> </b> Problems Corrected since version To see what suffix is used by your distribution:<br>
1.4.7:<br /> </p> <ol><li>Tuomo Soini has supplied a correction to a problem <br>
that occurs using some versions of &#39;ash&#39;. The symptom is that ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br>
&#34;shorewall start&#34; fails with:<br /> &#x00A0;<br /> &#x00A0;&#x00A0; <br>
local: --limit: bad variable name<br /> &#x00A0;&#x00A0; iptables v1.2.8: All of the files listed should have the same suffix (extension). Set
Couldn&#39;t load match `-j&#39;:/lib/iptables/libipt_-j.so:<br /> MODULE_SUFFIX to that suffix.<br>
&#x00A0;&#x00A0; cannot open shared object file: No such file or directory<br /> <br>
&#x00A0;&#x00A0; Try `iptables -h&#39; or &#39;iptables --help&#39; for more Examples:<br>
information.</li><li>Andres Zhoglo has supplied a correction that avoids <br>
trying to use the multiport match iptables facility on ICMP rules.<br /> &nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kzo" then set
&#x00A0;<br /> &#x00A0;&#x00A0; Example of rule that previously caused MODULE_SUFFIX="kzo"<br>
&#34;shorewall start&#34; to fail:<br /> &#x00A0;<br /> &nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kz.o" then set
&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; MODULE_SUFFIX="kz.o"</li>
ACCEPT&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; loc&#x00A0; $FW&#x00A0; <li>Support for user defined rule ACTIONS has been implemented
icmp&#x00A0;&#x00A0;&#x00A0; 0,8,11,12<br /> <br /></li><li>Previously, if through two new files:<br>
the following error message was issued, Shorewall was left in an <br>
inconsistent state.<br /> &#x00A0;<br /> &#x00A0;&#x00A0; Error: Unable to /etc/shorewall/actions - used to list the user-defined ACTIONS.<br>
determine the routes through interface xxx<br /> <br /></li><li>Handling of /etc/shorewall/action.template - For each user defined &lt;action&gt;,
the LOGUNCLEAN option in shorewall.conf has been corrected.</li><li>In copy this file to /etc/shorewall/action.&lt;action&gt; and add the
Shorewall 1.4.2, an optimization was added. This optimization involved appropriate rules for that &lt;action&gt;. Once an &lt;action&gt; has
creating a chain named &#34;&#60;zone&#62;_frwd&#34; for most zones defined been defined, it may be used like any of the builtin ACTIONS (ACCEPT,
using the /etc/shorewall/hosts file. It has since been discovered that in DROP, etc.) in /etc/shorewall/rules.<br>
many cases these new chains contain redundant rules and that the <br>
&#34;optimization&#34; turns out to be less than optimal. The implementation Example: You want an action that logs a packet at the 'info' level and
has now been corrected.</li><li>When the MARK value in a tcrules entry is accepts the connection.<br>
followed by &#34;:F&#34; or &#34;:P&#34;, the &#34;:F&#34; or &#34;:P&#34; <br>
was previously only applied to the first Netfilter rule generated by the In /etc/shorewall/actions, you would add:<br>
entry. It is now applied to all entries.</li><li>An incorrect comment <br>
concerning Debian&#39;s use of the SUBSYSLOCK option has been removed from &nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
shorewall.conf.</li><li>Previously, neither the &#39;routefilter&#39; <br>
interface option nor the ROUTE_FILTER parameter were working properly. This You would then copy /etc/shorewall/action.template to
has been corrected (thanks to Eric Bowles for his analysis and patch). The /etc/shorewall/LogAndAccept and in that file, you would add the two
definition of the ROUTE_FILTER option has changed however. Previously, rules:<br>
ROUTE_FILTER=Yes was documented as enabling route filtering on all &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
interfaces (which didn&#39;t work). Beginning with this release, setting &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT<br>
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought up <br>
while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can coexist </li>
with the use of the &#39;routefilter&#39; option in the interfaces file.</li><li>If </ol>
MAC verification was enabled on an interface with a /32 address and a <p><b>12/03/2003 - Support Torch Passed</b> <b><img alt="(New)"
broadcast address then an error would occur during startup.</li><li>he NONE src="images/new10.gif"
policy&#39;s intended use is to suppress the generating of rules that style="border: 0px solid ; width: 28px; height: 12px;" title=""></b></p>
can&#39;t possibly be traversed. This means that a policy of NONE is Effective today, I am reducing my participation in the day-to-day
inappropriate where the source or destination zone is $FW or &#34;all&#34;. support of Shorewall. As part of this shift to community-based
Shorewall now generates an error message if such a policy is given in Shorewall support a new <a
/etc/shorewall/policy. Previously such a policy caused &#34;shorewall href="https://lists.shorewall.net/mailman/listinfo/shorewall-newbies">Shorewall
start&#34; to fail.</li><li>The &#39;routeback&#39; option was broken for Newbies mailing list</a> has been established to field questions and
wildcard interfaces (e.g., &#34;tun+&#34;). This has been corrected so that problems from new users. I will not monitor that list personally. I
&#39;routeback&#39; now works as expected in this case.<br /></li></ol> will continue my active development of Shorewall and will be available
Migration Issues:<br /> <ol><li>The definition of the ROUTE_FILTER option in via the development list to handle development issues -- Tom.
shorewall.conf has changed as described in item 8) above.<br /></li></ol> <p><b>11/07/2003 - Shorewall 1.4.8</b><b><br>
New Features:<br /> <ol><li>A new QUEUE action has been introduced for <br>
rules. QUEUE allows you to pass connection requests to a user-space filter </b> Problems Corrected since version 1.4.7:<br>
such as ftwall (http://p2pwall.sourceforge.net). The ftwall program allows </p>
for effective filtering of p2p applications such as Kazaa. For example, to <ol>
use ftwall to filter P2P clients in the &#39;loc&#39; zone, you would add <li>Tuomo Soini has supplied a correction to a problem that
the following rules:<br /> <br /> &#x00A0;&#x00A0; QUEUE&#x00A0;&#x00A0; occurs using some versions of 'ash'. The symptom is that "shorewall
loc&#x00A0;&#x00A0;&#x00A0; &#x00A0;&#x00A0;&#x00A0;&#x00A0; start" fails with:<br>
net&#x00A0;&#x00A0;&#x00A0; tcp<br /> &#x00A0;&#x00A0; QUEUE&#x00A0;&#x00A0; &nbsp;<br>
loc&#x00A0;&#x00A0;&#x00A0; &#x00A0;&#x00A0;&#x00A0;&#x00A0; &nbsp;&nbsp; local: --limit: bad variable name<br>
net&#x00A0;&#x00A0;&#x00A0; udp<br /> &#x00A0;&#x00A0; QUEUE&#x00A0;&#x00A0; &nbsp;&nbsp; iptables v1.2.8: Couldn't load match
loc&#x00A0;&#x00A0;&#x00A0; &#x00A0;&#x00A0;&#x00A0;&#x00A0; `-j':/lib/iptables/libipt_-j.so:<br>
fw&#x00A0;&#x00A0;&#x00A0;&#x00A0; udp<br /> <br /> You would normally want &nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
to place those three rules BEFORE any ACCEPT rules for loc-&#62;net udp or &nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
tcp.<br /> <br /> Note: When the protocol specified is TCP (&#34;tcp&#34;, information.</li>
&#34;TCP&#34; or &#34;6&#34;), Shorewall will only pass connection requests <li>Andres Zhoglo has supplied a correction that avoids trying
(SYN packets) to user space. This is for compatibility with ftwall.</li><li>A to use the multiport match iptables facility on ICMP rules.<br>
BLACKLISTNEWNONLY option has been added to shorewall.conf. When this option &nbsp;<br>
is set to &#34;Yes&#34;, the blacklists (dynamic and static) are only &nbsp;&nbsp; Example of rule that previously caused "shorewall start"
consulted for new connection requests. When set to &#34;No&#34; (the default to fail:<br>
if the variable is not set), the blacklists are consulted on every packet.<br /> &nbsp;<br>
<br /> Setting this option to &#34;No&#34; allows blacklisting to stop &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
existing connections from a newly blacklisted host but is more expensive in ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
terms of packet processing time. This is especially true if the blacklists icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
contain a large number of entries.</li><li>Chain names used in the <br>
/etc/shorewall/accounting file may now begin with a digit ([0-9]) and may </li>
contain embedded dashes (&#34;-&#34;).</li></ol> <p><b>10/26/2003 - <li>Previously, if the following error message was issued,
Shorewall 1.4.7a and 1.4.7b win brown paper bag awards</b> <b><img Shorewall was left in an inconsistent state.<br>
align="middle" alt="" src="images/j0233056.gif" &nbsp;<br>
style="border: 0px solid ; width: 50px; height: 80px;" title="" />Shorewall &nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
1.4.7c released.</b></p> <ol><li>The saga with &#34;&#60;zone&#62;_frwd&#34; <br>
chains continues. The 1.4.7c script produces a ruleset that should work for </li>
everyone even if it is not quite optimal. My apologies for this ongoing <li>Handling of the LOGUNCLEAN option in shorewall.conf has
mess.<br /></li></ol> <p><b>10/24/2003 - Shorewall 1.4.7b</b></p> <p>This is been corrected.</li>
a bugfx rollup of the 1.4.7a fixes plus:<br /> </p> <ol><li>The fix for <li>In Shorewall 1.4.2, an optimization was added. This
problem 5 in 1.4.7a was wrong with the result that optimization involved creating a chain named "&lt;zone&gt;_frwd" for
&#34;&#60;zone&#62;_frwd&#34; chains might contain too few rules. That wrong most zones defined using the /etc/shorewall/hosts file. It has since
code is corrected in this release.<br /></li></ol> <p><b>10/21/2003 - been discovered that in many cases these new chains contain redundant
Shorewall 1.4.7a</b></p> <p>This is a bugfix rollup of the following problem rules and that the "optimization" turns out to be less than optimal.
corrections:<br /> </p> <ol><li>Tuomo Soini has supplied a correction to a The implementation has now been corrected.</li>
problem that occurs using some versions of &#39;ash&#39;. The symptom is <li>When the MARK value in a tcrules entry is followed by ":F"
that &#34;shorewall start&#34; fails with:<br /> &#x00A0;<br /> or ":P", the ":F" or ":P" was previously only applied to the first
&#x00A0;&#x00A0; local: --limit: bad variable name<br /> &#x00A0;&#x00A0; Netfilter rule generated by the entry. It is now applied to all entries.</li>
iptables v1.2.8: Couldn&#39;t load match <li>An incorrect comment concerning Debian's use of the
`-j&#39;:/lib/iptables/libipt_-j.so:<br /> &#x00A0;&#x00A0; cannot open SUBSYSLOCK option has been removed from shorewall.conf.</li>
shared object file: No such file or directory<br /> &#x00A0;&#x00A0; Try <li>Previously, neither the 'routefilter' interface option nor
`iptables -h&#39; or &#39;iptables --help&#39; for more information.<br /> the ROUTE_FILTER parameter were working properly. This has been
<br /></li><li>Andres Zhoglo has supplied a correction that avoids trying to corrected (thanks to Eric Bowles for his analysis and patch). The
use the multiport match iptables facility on ICMP rules.<br /> &#x00A0;<br /> definition of the ROUTE_FILTER option has changed however. Previously,
&#x00A0;&#x00A0; Example of rule that previously caused &#34;shorewall ROUTE_FILTER=Yes was documented as enabling route filtering on all
start&#34; to fail:<br /> &#x00A0;<br /> interfaces (which didn't work). Beginning with this release, setting
&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
ACCEPT&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; loc&#x00A0; $FW&#x00A0; up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
icmp&#x00A0;&#x00A0;&#x00A0; 0,8,11,12<br /> <br /></li><li>Previously, if coexist with the use of the 'routefilter' option in the interfaces file.</li>
the following error message was issued, Shorewall was left in an <li>If MAC verification was enabled on an interface with a /32
inconsistent state.<br /> &#x00A0;<br /> &#x00A0;&#x00A0; Error: Unable to address and a broadcast address then an error would occur during
determine the routes through interface xxx<br /> <br /></li><li>Handling of startup.</li>
the LOGUNCLEAN option in shorewall.conf has been corrected.</li><li>In <li>he NONE policy's intended use is to suppress the generating
Shorewall 1.4.2, an optimization was added. This optimization involved of rules that can't possibly be traversed. This means that a policy of
creating a chain named &#34;&#60;zone&#62;_frwd&#34; for most zones defined NONE is inappropriate where the source or destination zone is $FW or
using the /etc/shorewall/hosts file. It has since been discovered that in "all". Shorewall now generates an error message if such a policy is
many cases these new chains contain redundant rules and that the given in /etc/shorewall/policy. Previously such a policy caused
&#34;optimization&#34; turns out to be less than optimal. The implementation "shorewall start" to fail.</li>
has now been corrected.</li><li>When the MARK value in a tcrules entry is <li>The 'routeback' option was broken for wildcard interfaces
followed by &#34;:F&#34; or &#34;:P&#34;, the &#34;:F&#34; or &#34;:P&#34; (e.g., "tun+"). This has been corrected so that 'routeback' now works
was previously only applied to the first Netfilter rule generated by the as expected in this case.<br>
entry. It is now applied to all entries.<br /></li></ol> <p><a </li>
href="News.htm">More News</a></p> <p><a href="http://leaf.sourceforge.net" </ol>
target="_top"><img alt="(Leaf Logo)" border="0" height="36" Migration Issues:<br>
src="images/leaflogo.gif" width="49" /></a> Jacques Nilo and Eric Wolzak <ol>
have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) <li>The definition of the ROUTE_FILTER option in shorewall.conf
distribution called <i>Bering</i> that features Shorewall-1.4.2 and has changed as described in item 8) above.<br>
Kernel-2.4.20. You can find their work at: <a </li>
href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo<br /> </ol>
</a></p> <b>Congratulations to Jacques and Eric on the recent release of New Features:<br>
Bering 1.2!!!<br /> <br /> </b> <div style="text-align: center;"> <div <ol>
style="text-align: center;"><a href="http://www.shorewall.net" target="_top"><img <li>A new QUEUE action has been introduced for rules. QUEUE
alt="(Protected by Shorewall)" src="images/ProtectedBy.png" allows you to pass connection requests to a user-space filter such as
style="border: 0px solid ; width: 216px; height: 45px;" title="" /></a></div> ftwall (http://p2pwall.sourceforge.net). The ftwall program allows for
</div> <h2><a name="Donations"></a>Donations</h2> <p effective filtering of p2p applications such as Kazaa. For example, to
style="text-align: left;"><a href="http://www.starlight.org"><img use ftwall to filter P2P clients in the 'loc' zone, you would add the
align="left" alt="(Starlight Logo)" hspace="10" src="images/newlog.gif" following rules:<br>
style="border: 4px solid ; width: 57px; height: 100px;" title="" /></a><br /> <br>
<big>Shorewall is free but if you try it and find it useful, please consider &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
making a donation to <a href="http://www.starlight.org">Starlight &nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
Children&#39;s Foundation</a>. Thanks!</big><br /> <a &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
href="http://www.starlight.org"></a></p></td></tr></tbody></table> </center> &nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
</div> <p><font size="2">Updated 12/21/2003 - <a href="support.htm">Tom &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
Eastep</a></font><br /> </p></body> &nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
</html> <br>
You would normally want to place those three rules BEFORE any ACCEPT
rules for loc-&gt;net udp or tcp.<br>
<br>
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with ftwall.</li>
<li>A BLACKLISTNEWNONLY option has been added to
shorewall.conf. When this option is set to "Yes", the blacklists
(dynamic and static) are only consulted for new connection requests.
When set to "No" (the default if the variable is not set), the
blacklists are consulted on every packet.<br>
<br>
Setting this option to "No" allows blacklisting to stop existing
connections from a newly blacklisted host but is more expensive in
terms of packet processing time. This is especially true if the
blacklists contain a large number of entries.</li>
<li>Chain names used in the /etc/shorewall/accounting file may
now begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
</ol>
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
bag awards</b> <b><img align="middle" alt="" src="images/j0233056.gif"
style="border: 0px solid ; width: 50px; height: 80px;" title="">Shorewall
1.4.7c released.</b></p>
<ol>
<li>The saga with "&lt;zone&gt;_frwd" chains continues. The
1.4.7c script produces a ruleset that should work for everyone even if
it is not quite optimal. My apologies for this ongoing mess.<br>
</li>
</ol>
<p><b>10/24/2003 - Shorewall 1.4.7b</b></p>
<p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
</p>
<ol>
<li>The fix for problem 5 in 1.4.7a was wrong with the result
that "&lt;zone&gt;_frwd" chains might contain too few rules. That wrong
code is corrected in this release.<br>
</li>
</ol>
<p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
<p>This is a bugfix rollup of the following problem corrections:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that
occurs using some versions of 'ash'. The symptom is that "shorewall
start" fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.<br>
<br>
</li>
<li>Andres Zhoglo has supplied a correction that avoids trying
to use the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued,
Shorewall was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
been corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This
optimization involved creating a chain named "&lt;zone&gt;_frwd" for
most zones defined using the /etc/shorewall/hosts file. It has since
been discovered that in many cases these new chains contain redundant
rules and that the "optimization" turns out to be less than optimal.
The implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F"
or ":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all entries.<br>
</li>
</ol>
<p><a href="News.htm">More News</a></p>
<p><a href="http://leaf.sourceforge.net" target="_top"><img
alt="(Leaf Logo)" border="0" height="36" src="images/leaflogo.gif"
width="49"></a> Jacques Nilo and Eric Wolzak have a LEAF
(router/firewall/gateway on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features Shorewall-1.4.2 and Kernel-2.4.20.
You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<b>Congratulations to Jacques and Eric on the recent release of
Bering 1.2!!!<br>
<br>
</b>
<div style="text-align: center;"><a
href="http://www.shorewall.net" target="_top"><img
alt="(Protected by Shorewall)"
src="file:///Z:/Ursa/Shorewall/Shorewall-docs/images/ProtectedBy.png"
style="border: 0px solid ; width: 216px; height: 45px;" title=""></a></div>
<b> </b>
<div>
<div style="text-align: center;"> </div>
</div>
<h2><a name="Donations"></a>Donations</h2>
<p style="text-align: left;"><a href="http://www.starlight.org"><img
align="left" alt="(Starlight Logo)" hspace="10" src="images/newlog.gif"
style="border: 4px solid ; width: 57px; height: 100px;" title=""></a><br>
<big>Shorewall is free but if you try it and find it useful,
please consider making a donation to <a href="http://www.starlight.org">Starlight
Children's Foundation</a>. Thanks!</big><br>
<a href="http://www.starlight.org"></a></p>
</td>
</tr>
</tbody>
</table>
</div>
<p><font size="2">Updated 12/28/2003 - <a href="support.htm">Tom Eastep</a></font><br>
</p>
</body>
</html>
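Review bot: the "Protected by Shorewall" banner in the new version of this file points at a local Windows path, `src="file:///Z:/Ursa/Shorewall/Shorewall-docs/images/ProtectedBy.png"`, which no web visitor can resolve, so the image will render broken on the live site; it should use the site-relative `src="images/ProtectedBy.png"` that the old version (left column) and the other images in this file use. Two typos in the new text while you are in there: the NONE policy item starts with "he NONE policy's intended use" (missing "T"), and "This is a bugfx rollup" should read "bugfix".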

View File

@ -1,52 +1,38 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta name="generator" content="HTML Tidy, see www.w3.org"> <meta name="generator" content="HTML Tidy, see www.w3.org">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
<div align="center"> <div align="center">
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" style= <table border="0" cellpadding="0" cellspacing="0"
"border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
<h2>Site Problem</h2> <h2>Introduction<br>
</h2>
The server that normally hosts www.shorewall.net and <ul>
ftp.shorewall.net is currently down. Until it is back up, a small <li><a href="http://www.netfilter.org">Netfilter</a> - the
server with very limited bandwidth is being used temporarly. You packet
will likely experience better response time from the <a href=
"http://shorewall.sourceforge.net" target="_top">Sourceforge
site</a> or from one of the other <a href=
"shorewall_mirrors.htm">mirrors</a>. Sorry for the
inconvenience.<br>
<br>
<h2>Introduction<br>
</h2>
<ul>
<li><a href="http://www.netfilter.org">Netfilter</a> - the packet
filter facility built into the 2.4 and later Linux kernels.</li> filter facility built into the 2.4 and later Linux kernels.</li>
<li>ipchains - the packet filter facility built into the 2.2
<li>ipchains - the packet filter facility built into the 2.2 Linux Linux
kernels. Also the name of the utility program used to configure and kernels. Also the name of the utility program used to configure and
control that facility. Netfilter can be used in ipchains control that facility. Netfilter can be used in ipchains
compatibility mode.<br> compatibility mode.<br>
</li> </li>
<li>iptables - the utility program used to configure and
<li>iptables - the utility program used to configure and control control
Netfilter. The term 'iptables' is often used to refer to the Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in ipchains combination of iptables+Netfilter (with Netfilter not in ipchains
compatibility mode).<br> compatibility mode).<br>
</li> </li>
</ul> </ul>
The Shoreline Firewall, more commonly known as "Shorewall", is The Shoreline Firewall, more commonly known as "Shorewall", is
high-level tool for configuring Netfilter. You describe your high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of firewall/gateway requirements using entries in a set of
@ -56,142 +42,131 @@ Netfilter to match your requirements. Shorewall can be used on a
dedicated firewall system, a multi-function gateway/router/server dedicated firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system. Shorewall does not use or on a standalone GNU/Linux system. Shorewall does not use
Netfilter's ipchains compatibility mode and can thus take advantage Netfilter's ipchains compatibility mode and can thus take advantage
of Netfilter's connection state tracking capabilities. of Netfilter's connection state tracking capabilities.
<p>This program is free software; you can redistribute it and/or
<p>This program is free software; you can redistribute it and/or modify it under the terms of <a
modify it under the terms of <a href= href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
"http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General General
Public License</a> as published by the Free Software Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed in the hope that it will be useful, but This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.<br> General Public License for more details.<br>
<br> <br>
You should have received a copy of the GNU General Public License You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<p> Permission is granted to copy, distribute and/or modify this
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. document under the terms of the GNU Free Documentation License, Version
Eastep</a></p> 1.2 or any later version published by the Free Software Foundation;
with no Invariant Sections, with no Front-Cover, and with no Back-Cover
<h2>This is the Shorewall 1.4 Web Site</h2> Texts. A copy of the license is included in the section entitled <a>"GNU
Free Documentation License"</a>.</p>
<p>Copyright © 2001-2003 Thomas M. Eastep </p>
<h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of The information on this site applies only to 1.4.x releases of
Shorewall. For older versions:<br> Shorewall. For older versions:<br>
<ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
<ul> target="_top">here.</a></li>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3" target= <li>The 1.2 site is <a href="http://shorewall.net/1.2/"
"_top">here.</a></li> target="_top">here</a>.<br>
</li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/" target= </ul>
"_top">here</a>.<br> <h2>Getting Started with Shorewall</h2>
</li> New to Shorewall? Start by selecting the <a
</ul> href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a href=
"shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
closely match your environment and follow the step by step closely match your environment and follow the step by step
instructions.<br> instructions.<br>
<h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
<h2>Looking for Information?</h2>
The <a href=
"shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search in the Index</a> is a good place to start as is the Quick Search in the
frame above. frame above.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation <b></b>on this site will not apply If so, the documentation <b></b>on this site will not apply
directly to your setup. If you want to use the documentation that directly to your setup. If you want to use the documentation that
you find here, you will want to consider uninstalling what you have you find here, you will want to consider uninstalling what you have
and installing a setup that matches the documentation on this site. and installing a setup that matches the documentation on this site.
See the <a href="two-interface.htm">Two-interface QuickStart See the <a href="two-interface.htm">Two-interface QuickStart
Guide</a> for details. Guide</a> for details.
<h2><b>News</b></h2>
<h2><b>News</b></h2> <p><b>12/28/2003 - www.shorewall.net/ftp.shorewall.net Back
On-line</b> <b><img alt="(New)" src="images/new10.gif"
<p><b>12/07/2003 - Shorewall 1.4.9 Beta 1</b> <b><img style= style="border: 0px solid ; width: 28px; height: 12px;" title=""> <br>
"border: 0px solid ; width: 28px; height: 12px;" src= </b></p>
"images/new10.gif" alt="(New)" title=""><br> <p>Our high-capacity server has been restored to service --
</b></p> please let <a href="mailto:webmaster@shorewall.net">us</a> know if you
find any problems.<br>
<div style="margin-left: 40px;"><a href= </p>
"http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br> <p><b>12/07/2003 - Shorewall 1.4.9 Beta 1</b> <b><img
style="border: 0px solid ; width: 28px; height: 12px;"
<a href="ftp://shorewall.net/pub/shorewall/Beta" target= src="images/new10.gif" alt="(New)" title=""><br>
"_top">ftp://shorewall.net/pub/shorewall/Beta</a><br> </b></p>
</div> <div style="margin-left: 40px;"><a
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
<p>Problems Corrected since version 1.4.8:<br> <a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
</p> </div>
<p>Problems Corrected since version 1.4.8:<br>
<ol> </p>
<li>There has been a low continuing level of confusion over the <ol>
<li>There has been a low continuing level of confusion over the
terms "Source NAT" (SNAT) and "Static NAT". To avoid future terms "Source NAT" (SNAT) and "Static NAT". To avoid future
confusion, all instances of "Static NAT" have been replaced with confusion, all instances of "Static NAT" have been replaced with
"One-to-one NAT" in the documentation and configuration files.</li> "One-to-one NAT" in the documentation and configuration files.</li>
<li>The description of NEWNOTSYN in shorewall.conf has been
<li>The description of NEWNOTSYN in shorewall.conf has been
reworded for clarity.</li> reworded for clarity.</li>
<li>Wild-card rules (those involving "all" as SOURCE or DEST)
<li>Wild-card rules (those involving "all" as SOURCE or DEST) will will
no longer produce an error if they attempt to add a rule that would no longer produce an error if they attempt to add a rule that would
override a NONE policy. The logic for expanding these wild-card override a NONE policy. The logic for expanding these wild-card
rules now simply skips those (SOURCE,DEST) pairs that have a NONE rules now simply skips those (SOURCE,DEST) pairs that have a NONE
policy.<br> policy.<br>
</li> </li>
</ol> </ol>
<p>Migration Issues:<br>
<p>Migration Issues:<br> <br>
<br>
&nbsp;&nbsp;&nbsp; None.<br> &nbsp;&nbsp;&nbsp; None.<br>
<br> <br>
New Features:<br> New Features:<br>
</p> </p>
<ol>
<ol> <li>To cut down on the number of "Why are these ports closed
<li>To cut down on the number of "Why are these ports closed rather rather
than stealthed?" questions, the SMB-related rules in than stealthed?" questions, the SMB-related rules in
/etc/shorewall/common.def have been changed from 'reject' to /etc/shorewall/common.def have been changed from 'reject' to
'DROP'.</li> 'DROP'.</li>
<li>For easier identification, packets logged under the
<li>For easier identification, packets logged under the 'norfc1918' 'norfc1918'
interface option are now logged out of chains named 'rfc1918'. interface option are now logged out of chains named 'rfc1918'.
Previously, such packets were logged under chains named Previously, such packets were logged under chains named
'logdrop'.</li> 'logdrop'.</li>
<li>Distributors and developers seem to be regularly inventing
<li>Distributors and developers seem to be regularly inventing new new
naming conventions for kernel modules. To avoid the need to change naming conventions for kernel modules. To avoid the need to change
Shorewall code for each new convention, the MODULE_SUFFIX option Shorewall code for each new convention, the MODULE_SUFFIX option
has been added to shorewall.conf. MODULE_SUFFIX may be set to the has been added to shorewall.conf. MODULE_SUFFIX may be set to the
suffix for module names in your particular distribution. If suffix for module names in your particular distribution. If
MODULE_SUFFIX is not set in shorewall.conf, Shorewall will use the MODULE_SUFFIX is not set in shorewall.conf, Shorewall will use the
list "o gz ko o.gz".<br> list "o gz ko o.gz".<br>
<br> <br>
To see what suffix is used by your distribution:<br> To see what suffix is used by your distribution:<br>
<br> <br>
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br> ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br>
<br> <br>
All of the files listed should have the same suffix (extension). All of the files listed should have the same suffix (extension).
Set MODULE_SUFFIX to that suffix.<br> Set MODULE_SUFFIX to that suffix.<br>
<br> <br>
Examples:<br> Examples:<br>
<br> <br>
&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kzo" then set &nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kzo" then set
MODULE_SUFFIX="kzo"<br> MODULE_SUFFIX="kzo"<br>
&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kz.o" then set &nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kz.o" then set
MODULE_SUFFIX="kz.o"</li> MODULE_SUFFIX="kz.o"</li>
<li>Support for user defined rule ACTIONS has been implemented
<li>Support for user defined rule ACTIONS has been implemented
through two new files:<br> through two new files:<br>
<br> <br>
/etc/shorewall/actions - used to list the user-defined ACTIONS.<br> /etc/shorewall/actions - used to list the user-defined ACTIONS.<br>
/etc/shorewall/action.template - For each user defined /etc/shorewall/action.template - For each user defined
&lt;action&gt;, copy this file to &lt;action&gt;, copy this file to
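Review bot: the GFDL notice added in this hunk ends with `<a>"GNU Free Documentation License"</a>`, an anchor with no href, so the sentence promising that "A copy of the license is included in the section entitled ..." links nowhere, and no such section exists in this file; either give the anchor an href pointing at a copy of the license or drop the anchor markup. Minor: the old text linked "Copyright 2001, 2002, 2003 Thomas M. Eastep" to copyright.htm, whereas the replacement "Copyright © 2001-2003 Thomas M. Eastep" is plain text; consider keeping the link so readers can still reach the copyright page.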
@ -199,54 +174,45 @@ through two new files:<br>
for that &lt;action&gt;. Once an &lt;action&gt; has been defined, for that &lt;action&gt;. Once an &lt;action&gt; has been defined,
it may be used like any of the builtin ACTIONS (ACCEPT, DROP, etc.) it may be used like any of the builtin ACTIONS (ACCEPT, DROP, etc.)
in /etc/shorewall/rules.<br> in /etc/shorewall/rules.<br>
<br> <br>
Example: You want an action that logs a packet at the 'info' level Example: You want an action that logs a packet at the 'info' level
and accepts the connection.<br> and accepts the connection.<br>
<br> <br>
In /etc/shorewall/actions, you would add:<br> In /etc/shorewall/actions, you would add:<br>
<br> <br>
&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br> &nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
<br> <br>
You would then copy /etc/shorewall/action.template to You would then copy /etc/shorewall/action.template to
/etc/shorewall/LogAndAccept and in that file, you would add the two /etc/shorewall/LogAndAccept and in that file, you would add the two
rules:<br> rules:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT</li> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT</li>
</ol> </ol>
<p><b>12/03/2003 - Support Torch Passed</b> <b><img
<p><b>12/03/2003 - Support Torch Passed</b> <b><img style= style="border: 0px solid ; width: 28px; height: 12px;"
"border: 0px solid ; width: 28px; height: 12px;" src= src="images/new10.gif" alt="(New)" title=""></b></p>
"images/new10.gif" alt="(New)" title=""></b></p>
Effective today, I am reducing my participation in the day-to-day Effective today, I am reducing my participation in the day-to-day
support of Shorewall. As part of this shift to community-based support of Shorewall. As part of this shift to community-based
Shorewall support a new <a href= Shorewall support a new <a
"https://lists.shorewall.net/mailman/listinfo/shorewall-newbies">Shorewall href="https://lists.shorewall.net/mailman/listinfo/shorewall-newbies">Shorewall
Newbies mailing list</a> has been established to field questions Newbies mailing list</a> has been established to field questions
and problems from new users. I will not monitor that list and problems from new users. I will not monitor that list
personally. I will continue my active development of Shorewall and personally. I will continue my active development of Shorewall and
will be available via the development list to handle development will be available via the development list to handle development
issues -- Tom. issues -- Tom.
<p><b>11/01/2003 - Shorewall 1.4.8 RC2</b> <b><img
<p><b>11/01/2003 - Shorewall 1.4.8 RC2</b> <b><img style= style="border: 0px solid ; width: 28px; height: 12px;"
"border: 0px solid ; width: 28px; height: 12px;" src= src="images/new10.gif" alt="(New)" title=""></b> <b></b></p>
"images/new10.gif" alt="(New)" title=""></b> <b></b></p>
Given the small number of new features and the relatively few lines Given the small number of new features and the relatively few lines
of code that were changed, there will be no Beta for 1.4.8.<br> of code that were changed, there will be no Beta for 1.4.8.<br>
<p><b><a href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
<p><b><a href= <br>
"http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br> </b> Problems Corrected since version 1.4.7:<br>
</p>
<a href="ftp://shorewall.net/pub/shorewall/Beta" target= <ol>
"_top">ftp://shorewall.net/pub/shorewall/Beta</a><br> <li>Tuomo Soini has supplied a correction to a problem that
<br> occurs
</b> Problems Corrected since version 1.4.7:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that occurs
using some versions of 'ash'. The symptom is that "shorewall start" using some versions of 'ash'. The symptom is that "shorewall start"
fails with:<br> fails with:<br>
&nbsp;<br> &nbsp;<br>
@ -257,8 +223,8 @@ fails with:<br>
directory<br> directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more &nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.</li> information.</li>
<li>Andres Zhoglo has supplied a correction that avoids trying
<li>Andres Zhoglo has supplied a correction that avoids trying to to
use the multiport match iptables facility on ICMP rules.<br> use the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br> &nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall &nbsp;&nbsp; Example of rule that previously caused "shorewall
@ -267,36 +233,34 @@ start" to fail:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp; ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br> icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br> <br>
</li> </li>
<li>Previously, if the following error message was issued,
<li>Previously, if the following error message was issued,
Shorewall was left in an inconsistent state.<br> Shorewall was left in an inconsistent state.<br>
&nbsp;<br> &nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through &nbsp;&nbsp; Error: Unable to determine the routes through
interface xxx<br> interface xxx<br>
<br> <br>
</li> </li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
<li>Handling of the LOGUNCLEAN option in shorewall.conf has been been
corrected.</li> corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This
<li>In Shorewall 1.4.2, an optimization was added. This
optimization involved creating a chain named "&lt;zone&gt;_frwd" optimization involved creating a chain named "&lt;zone&gt;_frwd"
for most zones defined using the /etc/shorewall/hosts file. It has for most zones defined using the /etc/shorewall/hosts file. It has
since been discovered that in many cases these new chains contain since been discovered that in many cases these new chains contain
redundant rules and that the "optimization" turns out to be less redundant rules and that the "optimization" turns out to be less
than optimal. The implementation has now been corrected.</li> than optimal. The implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F"
<li>When the MARK value in a tcrules entry is followed by ":F" or or
":P", the ":F" or ":P" was previously only applied to the first ":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all Netfilter rule generated by the entry. It is now applied to all
entries.</li> entries.</li>
<li>An incorrect comment concerning Debian's use of the
<li>An incorrect comment concerning Debian's use of the SUBSYSLOCK SUBSYSLOCK
option has been removed from shorewall.conf.</li> option has been removed from shorewall.conf.</li>
<li>Previously, neither the 'routefilter' interface option nor
<li>Previously, neither the 'routefilter' interface option nor the the
ROUTE_FILTER parameter were working properly. This has been ROUTE_FILTER parameter were working properly. This has been
corrected (thanks to Eric Bowles for his analysis and patch). The corrected (thanks to Eric Bowles for his analysis and patch). The
definition of the ROUTE_FILTER option has changed however. definition of the ROUTE_FILTER option has changed however.
@ -306,96 +270,87 @@ this release, setting ROUTE_FILTER=Yes will enable route filtering
of all interfaces brought up while Shorewall is started. As a of all interfaces brought up while Shorewall is started. As a
consequence, ROUTE_FILTER=Yes can coexist with the use of the consequence, ROUTE_FILTER=Yes can coexist with the use of the
'routefilter' option in the interfaces file.</li> 'routefilter' option in the interfaces file.</li>
<li>If MAC verification was enabled on an interface with a /32
<li>If MAC verification was enabled on an interface with a /32
address and a broadcast address then an error would occur during address and a broadcast address then an error would occur during
startup.</li> startup.</li>
</ol> </ol>
Migration Issues:<br> Migration Issues:<br>
<ol>
<li>The definition of the ROUTE_FILTER option in shorewall.conf
<ol> has
<li>The definition of the ROUTE_FILTER option in shorewall.conf has
changed as described in item 8) above.<br> changed as described in item 8) above.<br>
</li> </li>
</ol> </ol>
New Features:<br> New Features:<br>
<ol>
<li>A new QUEUE action has been introduced for rules. QUEUE
<ol> allows
<li>A new QUEUE action has been introduced for rules. QUEUE allows
you to pass connection requests to a user-space filter such as you to pass connection requests to a user-space filter such as
ftwall (http://p2pwall.sourceforge.net). The ftwall program allows ftwall (http://p2pwall.sourceforge.net). The ftwall program allows
for effective filtering of p2p applications such as Kazaa. For for effective filtering of p2p applications such as Kazaa. For
example, to use ftwall to filter P2P clients in the 'loc' zone, you example, to use ftwall to filter P2P clients in the 'loc' zone, you
would add the following rules:<br> would add the following rules:<br>
<br> <br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br> &nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br> &nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br> &nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
<br> <br>
You would normally want to place those three rules BEFORE any You would normally want to place those three rules BEFORE any
ACCEPT rules for loc-&gt;net udp or tcp.<br> ACCEPT rules for loc-&gt;net udp or tcp.<br>
<br> <br>
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"), Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with ftwall.</li> space. This is for compatibility with ftwall.</li>
<li>A BLACKLISTNEWNONLY option has been added to
<li>A BLACKLISTNEWNONLY option has been added to shorewall.conf. shorewall.conf.
When this option is set to "Yes", the blacklists (dynamic and When this option is set to "Yes", the blacklists (dynamic and
static) are only consulted for new connection requests. When set to static) are only consulted for new connection requests. When set to
"No" (the default if the variable is not set), the blacklists are "No" (the default if the variable is not set), the blacklists are
consulted on every packet.<br> consulted on every packet.<br>
<br> <br>
Setting this option to "No" allows blacklisting to stop existing Setting this option to "No" allows blacklisting to stop existing
connections from a newly blacklisted host but is more expensive in connections from a newly blacklisted host but is more expensive in
terms of packet processing time. This is especially true if the terms of packet processing time. This is especially true if the
blacklists contain a large number of entries.</li> blacklists contain a large number of entries.</li>
<li>Chain names used in the /etc/shorewall/accounting file may
<li>Chain names used in the /etc/shorewall/accounting file may now now
begin with a digit ([0-9]) and may contain embedded dashes begin with a digit ([0-9]) and may contain embedded dashes
("-").</li> ("-").</li>
</ol> </ol>
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper bag bag
awards</b> <b><img style= awards</b> <b><img
"border: 0px solid ; width: 50px; height: 80px;" src= style="border: 0px solid ; width: 50px; height: 80px;"
"images/j0233056.gif" align="middle" title="" alt="">Shorewall src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
1.4.7c released.</b></p> 1.4.7c released.</b></p>
<ol>
<ol> <li>The saga with "&lt;zone&gt;_frwd" chains continues. The
<li>The saga with "&lt;zone&gt;_frwd" chains continues. The 1.4.7c 1.4.7c
script produces a ruleset that should work for everyone even if it script produces a ruleset that should work for everyone even if it
is not quite optimal. My apologies for this ongoing mess.</li> is not quite optimal. My apologies for this ongoing mess.</li>
</ol> </ol>
<p><b>10/24/2003 - Shorewall 1.4.7b</b> <b><img
<p><b>10/24/2003 - Shorewall 1.4.7b</b> <b><img style= style="border: 0px solid ; width: 28px; height: 12px;"
"border: 0px solid ; width: 28px; height: 12px;" src= src="images/new10.gif" alt="(New)" title=""></b></p>
"images/new10.gif" alt="(New)" title=""></b></p> <p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
</p>
<p>This is a bugfx rollup of the 1.4.7a fixes plus:<br> <ol>
</p> <li>The fix for problem 5 in 1.4.7a was wrong with the result
that
<ol>
<li>The fix for problem 5 in 1.4.7a was wrong with the result that
"&lt;zone&gt;_frwd" chains might contain too few rules. That wrong "&lt;zone&gt;_frwd" chains might contain too few rules. That wrong
code is corrected in this release.<br> code is corrected in this release.<br>
</li> </li>
</ol> </ol>
<p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
<p><b>10/21/2003 - Shorewall 1.4.7a</b></p> <p>This is a bugfix rollup of the following problem
<p>This is a bugfix rollup of the following problem
corrections:<br> corrections:<br>
</p> </p>
<ol>
<ol> <li>Tuomo Soini has supplied a correction to a problem that
<li>Tuomo Soini has supplied a correction to a problem that occurs occurs
using some versions of 'ash'. The symptom is that "shorewall start" using some versions of 'ash'. The symptom is that "shorewall start"
fails with:<br> fails with:<br>
&nbsp;<br> &nbsp;<br>
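Review bot: the typo "bugfx" in "This is a bugfx rollup of the 1.4.7a fixes plus:" survives the rewrap on both sides of this hunk; since the surrounding lines are being touched anyway, correct it to "bugfix" to match the "This is a bugfix rollup" wording used for 1.4.7a a few lines further down. A second, smaller documentation point in the same hunk: the QUEUE example lists three rules, the third being `QUEUE loc fw udp`, but the ordering advice that follows ("place those three rules BEFORE any ACCEPT rules for loc->net udp or tcp") only mentions loc->net, so a reader could leave an earlier loc->fw udp ACCEPT in place and never hand those packets to the user-space filter; extend the sentence to cover loc->fw udp as well.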
@ -406,10 +361,10 @@ fails with:<br>
directory<br> directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more &nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.<br> information.<br>
<br> <br>
</li> </li>
<li>Andres Zhoglo has supplied a correction that avoids trying
<li>Andres Zhoglo has supplied a correction that avoids trying to to
use the multiport match iptables facility on ICMP rules.<br> use the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br> &nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall &nbsp;&nbsp; Example of rule that previously caused "shorewall
@ -418,103 +373,80 @@ start" to fail:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp; ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br> icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br> <br>
</li> </li>
<li>Previously, if the following error message was issued,
<li>Previously, if the following error message was issued,
Shorewall was left in an inconsistent state.<br> Shorewall was left in an inconsistent state.<br>
&nbsp;<br> &nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through &nbsp;&nbsp; Error: Unable to determine the routes through
interface xxx<br> interface xxx<br>
<br> <br>
</li> </li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
<li>Handling of the LOGUNCLEAN option in shorewall.conf has been been
corrected.</li> corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This
<li>In Shorewall 1.4.2, an optimization was added. This
optimization involved creating a chain named "&lt;zone&gt;_frwd" optimization involved creating a chain named "&lt;zone&gt;_frwd"
for most zones defined using the /etc/shorewall/hosts file. It has for most zones defined using the /etc/shorewall/hosts file. It has
since been discovered that in many cases these new chains contain since been discovered that in many cases these new chains contain
redundant rules and that the "optimization" turns out to be less redundant rules and that the "optimization" turns out to be less
than optimal. The implementation has now been corrected.</li> than optimal. The implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F"
<li>When the MARK value in a tcrules entry is followed by ":F" or or
":P", the ":F" or ":P" was previously only applied to the first ":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all Netfilter rule generated by the entry. It is now applied to all
entries.</li> entries.</li>
</ol> </ol>
<p><b><a href="News.htm">More News</a></b></p>
<p><b><a href="News.htm">More News</a></b></p> <b></b>
<h2><b></b></h2>
<b></b> <b></b>
<p><a href="http://leaf.sourceforge.net" target="_top"><img
<h2><b></b></h2> border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"></a> Jacques Nilo and Eric Wolzak have a LEAF
<b></b>
<p><a href="http://leaf.sourceforge.net" target="_top"><img border=
"0" src="images/leaflogo.gif" width="49" height="36" alt=
"(Leaf Logo)"></a> Jacques Nilo and Eric Wolzak have a LEAF
(router/firewall/gateway on a floppy, CD or compact flash) (router/firewall/gateway on a floppy, CD or compact flash)
distribution called <i>Bering</i> that features Shorewall-1.4.2 and distribution called <i>Bering</i> that features Shorewall-1.4.2 and
Kernel-2.4.20. You can find their work at: <a href= Kernel-2.4.20. You can find their work at: <a
"http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric on the recent release of
<b>Congratulations to Jacques and Eric on the recent release of
Bering 1.2!!!</b> <br> Bering 1.2!!!</b> <br>
<h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo"
<h1 align="center"><b><a href="http://www.sf.net"><img align="left" src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"></a></b></h1>
alt="SourceForge Logo" src= <b></b>
"http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> <h4><b></b></h4>
</a></b></h1> <b></b>
<h2><b>This site is hosted by the generous folks at <a
<b></b> href="http://www.sf.net">SourceForge.net</a></b></h2>
<br>
<h4><b></b></h4> <br>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b></b> <b></b></td>
</tr>
<h2><b>This site is hosted by the generous folks at <a href= </tbody>
"http://www.sf.net">SourceForge.net</a></b></h2>
<br>
<br>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b></b></td>
</tr>
</tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0"
<table border="0" cellpadding="5" cellspacing="0" style= style="border-collapse: collapse; width: 100%; background-color: rgb(51, 102, 255);"
"border-collapse: collapse; width: 100%; background-color: rgb(51, 102, 255);"
id="AutoNumber2"> id="AutoNumber2">
<tbody> <tbody>
<tr> <tr>
<td style="width: 100%; margin-top: 1px;"> <td style="width: 100%; margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"><img border= <p align="center"><a href="http://www.starlight.org"><img
"4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10" alt="Starlight Foundation Logo"></a></p> hspace="10" alt="Starlight Foundation Logo"></a></p>
<p align="center"><font size="4" color="#ffffff"><br>
<p align="center"><font size="4" color="#ffffff"><br> <font size="+2">Shorewall is free but if you try it and find it
<font size="+2">Shorewall is free but if you try it and find it useful, please consider making a donation to <a
useful, please consider making a donation to <a href= href="http://www.starlight.org"><font color="#ffffff">Starlight
"http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></font></p> Children's Foundation.</font></a> Thanks!</font></font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 12/28/2003 - <a href="support.htm">Tom
<p><font size="2">Updated 12/07/2003 - <a href="support.htm">Tom
Eastep</a></font><br> Eastep</a></font><br>
</p> </p>
</body> </body>
</html> </html>
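Review bot: the only content change in this hunk is the footer date ("Updated 12/07/2003" becoming "Updated 12/28/2003"); every other changed line is attribute reflow and rewrapping of otherwise identical markup, which makes the substantive edit hard to locate and would be easier to review if the tidy pass were committed separately from the content update. The tidy pass also carries over the empty `<b></b>`, `<h2><b></b></h2>` and `<h4><b></b></h4>` elements between the "More News" link and the LEAF paragraph and around the SourceForge heading; they render nothing and can be dropped while these lines are being rewritten.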