Shorewall-2.0.3c

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1435 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-07-02 22:42:04 +00:00
parent 91b57229fb
commit 0cb16ef3b1
6 changed files with 595 additions and 378 deletions

View File

@ -18,10 +18,319 @@ Texts. A copy of the license is included in the section entitled “<span
class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free
Documentation License</a></span>”.<br>
</p>
<p>2004-05-13<br>
<p>2004-06-23<br>
</p>
<hr style="width: 100%; height: 2px;">
<p><b> 4/5/2004 - Shorewall 2.0.1</b><b></b><br>
<p><b>6/3/2004 - Shorewall 2.0.2f<br>
</b></p>
<p>Fixes one problem:<br>
</p>
<ol>
<li>Versions 2.0.2d and 2.0.2e fail to load kernel modules unless
MODULE_SUFFIX is set in shorewall.conf<br>
</li>
</ol>
<p><b>6/2/2004 - Shorewall 2.0.2e<br>
</b></p>
<p>One problem corrected:<br>
</p>
<ol>
<li>LOG rules within an action generate two Netfilter logging rules.<br>
</li>
</ol>
<p><b>5/28/2004 - Shorewall 2.0.2d<br>
</b><br>
One problem corrected:<br>
</p>
<ol>
<li>Shorewall was checking capabilities before loading kernel
modules. Consequently, if kernel module autoloading was disabled, the
capabilities were mis-detected.<br>
</li>
</ol>
<p><b>5/21/2004 - Shorewall 2.0.2c</b></p>
One problem corrected:<br>
<ol>
<li>&nbsp;DNAT rules with a dynamic source zone don't work
properly. When used, these rules cause the rule to be checked against
ALL input,&nbsp; not just input from the designated zone.<br>
</li>
</ol>
<p><b>5/18/2004 - Shorewall 2.0.2b</b><b>&nbsp;</b></p>
<p>Corrects two problems:</p>
<ol>
<li>Specifying a null common action in /etc/shorewall/actions
(e.g., :REJECT) results in a startup error.<br>
<br>
</li>
<li>If /var/lib/shorewall does not exist, shorewall start fails.<br>
</li>
</ol>
<p><b>5/15/2004 - Shorewall 2.0.2a</b><b> </b><br>
</p>
<p>Corrects two problems:<br>
</p>
<ol>
<li>Temporary restore files were not being removed from
/var/lib/shorewall. These files have names of the form
'restore-nnnnn'.&nbsp;
You can remove files that have accumulated with the command: <br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;rm -f /var/lib/shorewall/restore-[0-9]* <br>
<br>
</li>
<li>The restore script did not load kernel modules. The result
was that after a cold load, applications like FTP and IRC DCC didn't
work. <br>
<br>
To correct: <br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;1) Install 2.0.2a <br>
&nbsp;&nbsp;&nbsp;&nbsp;2) "shorewall restart" <br>
&nbsp;&nbsp;&nbsp;&nbsp;3) "shorewall save" </li>
</ol>
<p><b>5/13/2004 - Shorewall 2.0.2</b><b>&nbsp;</b></p>
<p>Problems Corrected since 2.0.1<br>
</p>
<ol>
<li>The /etc/init.d/shorewall script installed on Debian by
install.sh failed silently due to a missing file
(/usr/share/shorewall/wait4ifup). That file is not part of the normal
Shorewall distribution and is provided by the Debian maintainer.</li>
<li>A meaningless warning message out of the proxyarp file
processing has been eliminated.</li>
<li>The "shorewall delete" command now correctly removes all
dynamic rules pertaining to the host(s) being deleted. Thanks to Stefan
Engel for this correction.</li>
</ol>
Issues when migrating from Shorewall 2.0.1 to Shorewall 2.0.2:<br>
<ol>
<li>Extension Scripts -- In order for extension scripts to work
properly with the new iptables-save/restore integration (see New
Feature 1 below), some change may be required to your extension
scripts. If your extension scripts are executing commands other than
iptables then those commands must also be written to the restore file
(a temporary file in /var/lib/shorewall that is renamed
/var/lib/shorewall/restore-base at the end of the operation).<br>
<br>
The following functions should be of help:<br>
<br>
A. save_command() -- saves the passed command to the restore file.<br>
<br>
&nbsp;&nbsp;&nbsp; Example:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; save_command echo Operation
Complete<br>
<br>
&nbsp;&nbsp; That command would simply write "echo Operation Complete"
to the restore file.<br>
<br>
B. run_and_save_command() -- saves the passed command to the restore
file then executes it. The return value is the exit status of the
command.<br>
<br>
&nbsp; &nbsp; Example:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; run_and_save_command "echo 1 &gt;
/proc/sys/net/ipv4/icmp_echo_ignore_all"<br>
<br>
&nbsp;&nbsp;&nbsp; Note that as in this example, when the command
involves file redirection then the entire command must be enclosed in
quotes. This applies to all of the functions described here.<br>
<br>
C. ensure_and_save_command() -- runs the passed command. If the command
fails, the firewall is restored to it's prior saved state and the
operation is terminated. If the command succeeds, the command is
written to the restore file.<br>
<br>
</li>
<li>Dynamic Zone support -- If you don't need to use the
"shorewall add" and "shorewall delete commands, you should set
DYNAMIC_ZONES=No in /etc/shorewall/shorewall.conf.</li>
</ol>
New Features:<br>
<ol>
<li>Shorewall has now been integrated with
iptables-save/iptables-restore to provide very fast start and restart.
The elements of this integration are as follows:<br>
<br>
a) The 'shorewall save' command now saves the current configuration in
addition to the current dynamic blacklist. If you have dynamic zones,
you will want to issue 'shorewall save' when the zones are empty or the
current contents of the zones will be restored by the 'shorewall
restore' and 'shorewall -f start' commands.<br>
<br>
b) The 'shorewall restore' command has been added. This command
restores the configuration at the time of the last 'save'.<br>
<br>
c) The -f (fast) option has been added to 'shorewall start'. When
specified (e.g. 'shorewall -f start'), shorewall will perform a
'shorewall restore' if there is a saved configuration. If there is no
saved configuration, a normal 'shorewall start' is performed.<br>
<br>
d) The /etc/init.d/shorewall script now translates the 'start' command
into 'shorewall -f start' so that fast restart is possible.<br>
<br>
e) When a state-changing command encounters an error and there is
current saved configuration, that configuration will be restored
(currently, the firewall is placed in the 'stopped' state).<br>
<br>
f) If you have previously saved the running configuration and want
Shorewall to discard it, use the 'shorewall forget' command. WARNING:
iptables 1.2.9 is broken with respect to iptables-save; if your kernel
has connection tracking match support, you must patch iptables 1.2.9
with the iptables patch availale from the Shorewall errata page.<br>
<br>
</li>
<li>The previous implementation of dynamic zones was difficult
to maintain. I have changed the code to make dynamic zones optional
under the control of the DYNAMIC_ZONES option in
/etc/shorewall/shorewall.conf.<br>
<br>
</li>
<li>In earlier Shorewall 2.0 releases, Shorewall searches in
order the following directories for configuration files.<br>
<br>
a) The directory specified in a 'try' command or specified using the -c
option.<br>
b) /etc/shorewall<br>
c) /usr/share/shorewall<br>
<br>
In this release, the CONFIG_PATH option is added to shorewall.conf.
CONFIG_PATH contains a list of directory names separated by colons
(":"). If not set or set to a null value (e.g., CONFIG_PATH="") then
"CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed. Now
Shorewall searches for shorewall.conf according to the old rules and
for other configuration files as follows:<br>
<br>
a) The directory specified in a 'try' command or specified using the -c
option.<br>
b) Each directory in $CONFIG_PATH is searched in sequence.<br>
<br>
In case it is not obvious, your CONFIG_PATH should include
/usr/share/shorewall and your shorewall.conf file must be in the
directory specified via -c or in a try command, in /etc/shorewall or in
/usr/share/shorewall.<br>
<br>
For distribution packagers, the default CONFIG_PATH is set in
/usr/share/shorewall/configpath. You can customize this file to have a
default that differs from mine.<br>
<br>
</li>
<li>Previously, in /etc/shorewall/nat a Yes (or yes) in the
LOCAL column would only take effect if the ALL INTERFACES column also
contained Yes or yes. Now, the LOCAL columns contents are treated
independently of the contents of the ALL INTERFACES column.<br>
<br>
</li>
<li>The folks at Mandrake have created yet another kernel
module naming convention (module names end in "ko.gz"). As a
consequence, beginning with this release, if MODULE_SUFFIX isn't
specified in shorewall.conf, then the default value is "o gz ko o.gz
ko.gz".<br>
<br>
</li>
<li>An updated bogons file is included in this release.<br>
<br>
</li>
<li>In /etc/shorewall/rules and in action files generated from
/usr/share/shorewall/action.template, rules that perform logging can
specify an optional "log tag". A log tag is a string of alphanumeric
characters and is specified by following the log level with ":" and the
log tag.<br>
<br>
Example:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT:info:ftp
net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp;&nbsp; 21<br>
<br>
The log tag is appended to the log prefix generated by the LOGPREFIX
variable in /etc/shorewall/conf. If "ACCEPT:info" generates the log
prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will generate
"Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank). The maximum
length of a log prefix supported by iptables is 29 characters; if a
larger prefix is generated, Shorewall will issue a warning message and
will truncate the prefix to 29 characters.<br>
<br>
</li>
<li>A new "-q" option has been added to /sbin/shorewall
commands. It causes the start, restart, check and refresh commands to
produce much less output so that warning messages are more visible
(when testing this change, I discovered a bug where a bogus warning
message was being generated).<br>
<br>
</li>
<li>Shorewall now uses 'modprobe' to load kernel modules if
that utility is available in the PATH; otherwise, 'insmod' is used.<br>
<br>
</li>
<li>It is now possible to restrict entries in the
/etc/shorewall/masq file to particular protocols and destination
port(s). Two new columns (PROTO and PORT(S)) have been added to the
file.<br>
<br>
Example:<br>
<br>
You want all outgoing SMTP traffic entering the firewall on eth1 to be
sent from eth0 with source IP address 206.124.146.177. You want all
other outgoing traffic from eth1 to be sent from eth0 with source IP
address 206.124.146.176.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp;
eth1&nbsp;&nbsp;&nbsp; 206.124.146.177 tcp&nbsp;&nbsp;&nbsp;&nbsp; 25<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp;
eth1&nbsp;&nbsp;&nbsp; 206.124.146.176<br>
<br>
THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!<br>
<br>
Assuming that 10.0.0.0/8 is the only host/network connected to eth1,
the progress message at "shorewall start" would be:<br>
<br>
&nbsp;&nbsp;&nbsp; Masqueraded Networks and Hosts:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To 0.0.0.0/0 (tcp 25) from
10.0.0.0/8 through eth0 using 206.124.146.177<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To 0.0.0.0/0 (all) from 10.0.0.0/8
through eth0 using 206.124.146.176<br>
<br>
</li>
<li>Two new actions are available in the /etc/shorewall/rules
file.<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT+&nbsp;&nbsp;&nbsp; -- Behaves like ACCEPT
with the exception that it exempts matching connections from subsequent
DNAT[-] and REDIRECT[-] rules.<br>
&nbsp;&nbsp;&nbsp; NONAT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- Exempts
matching connections from subsequent DNAT[-] and REDIRECT[-] rules.<br>
<br>
</li>
<li>A new extension script 'initdone' has been added. This
script is invoked at the same point as the 'common' script was
previously and is useful for users who mis-used that script under
Shorewall 1.x (the script was intended for adding rules to the 'common'
chain but many users treated it as a script for adding rules before
Shorewall's).<br>
<br>
</li>
<li>Installing/Upgrading Shorewall on Slackware has been
improved. Slackware users must use the tarball and must modify settings
in the install.sh script before running it as follows:<br>
<br>
&nbsp;&nbsp;&nbsp; DEST="/etc/rc.d"<br>
&nbsp;&nbsp;&nbsp; INIT="rc.firewall"<br>
<br>
Thanks to Alex Wilms for helping with this change.</li>
</ol>
<p><b>4/17/2004 - Presentation at
LinuxFest NW</b><b><br>
</b></p>
Today I gave a presentation at LinuxFest NW in Bellingham. The
presentation was entitled "<a
href="http://lists.shorewall.net/Shorewall_and_the_Enterprise.htm"
target="_blank">Shorewall
and the Enterprise</a>" and described the history of Shorewall and gave
an overview of its features.
<p><b> 4/5/2004 - Shorewall 2.0.1</b><br>
</p>
Problems Corrected since 2.0.0<br>
<br>
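Review bot: The log tag paragraph in the 2.0.2 New Features list says the prefix is generated by "the LOGPREFIX variable in /etc/shorewall/conf", while the rest of this hunk refers to the file as /etc/shorewall/shorewall.conf; use the full path there so readers edit the right file. Item e) of the iptables-save integration is also ambiguous: it says the saved configuration "will be restored" and then, in parentheses, "currently, the firewall is placed in the 'stopped' state", and since this determines what state the firewall is left in after a failed command, the text should say plainly which behaviour is the old one and which is the new one. Smaller fixes in the same text: "restored to it's prior saved state" should read "its", "availale" should read "available", and "shorewall delete commands is missing its closing quote.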

View File

@ -6,50 +6,94 @@
<title>Shorewall Index</title>
<base target="main">
</head>
<body>
<body style="background-color: rgb(51, 102, 255); color: rgb(0, 0, 0);"
link="#0000ee" alink="#0000ee" vlink="#551a8b">
<a href="index.htm" target="_top" style="font-weight: bold;"><font
color="#ffffff">Home</font></a><font color="#ffffff"><br>
<a href="download.htm" style="font-weight: bold;"><font color="#ffffff">Download</font></a><font
color="#ffffff"><br>
<a href="Install.htm"><span style="font-weight: bold;"><font
color="#ffffff">Installation</font></span></a>
<font color="#ffffff"><br>
<b><a href="Documentation_Index.html"><font color="#ffffff">Documentation</font></a></b><font
color="#ffffff"><br>
<a href="FAQ.htm"><font color="#ffffff"><span style="font-weight: bold;">FAQ</span>s</font></a><font
color="#ffffff">&nbsp;
<span style="font-weight: bold;">(</span><a
href="http://wiki.rettc.com/wiki.phtml?title=Wiki_Shorewall_FAQ"
target="_top" style="font-weight: bold;"><font color="#ffffff">Wiki</font></a><font
color="#ffffff"><span style="font-weight: bold;">)</span><br>
<a href="troubleshoot.htm"><font color="#ffffff"><span
style="font-weight: bold;">Troubleshooting</span></font></a><font
color="#ffffff"><br>
<a href="support.htm"><font color="#ffffff"><span
style="font-weight: bold;">Support</span></font></a><font
color="#ffffff"><br>
<br>
<a href="shoreline.htm"><font color="#ffffff">About the Author</font></a><font
color="#ffffff"> <br>
<a href="http://cvs.shorewall.net/Shorewall_CVS_Access.html"><font
color="#ffffff">CVS
Repository</font></a><font color="#ffffff"><br>
<a href="shorewall_index.htm#Donations"><font color="#ffffff">Donations</font></a><font
color="#ffffff"><br>
<a href="errata.htm"><font color="#ffffff">Errata</font></a><font
color="#ffffff"><br>
<a href="shorewall_features.htm"><font color="#ffffff">Features</font></a><font
color="#ffffff"> <br>
<a href="http://lists.shorewall.net"><font color="#ffffff">Mailing
Lists</font></a><font color="#ffffff"><a
href="http://lists.shorewall.net"> </a> <br>
<a href="shorewall_mirrors.htm"><font color="#ffffff">Mirrors</font></a><font
color="#ffffff"> <br>
<a href="News.htm"><font color="#ffffff">News Archive</font></a><font
color="#ffffff"><br>
<a href="quotes.htm"><font color="#ffffff">Quotes from Users</font></a><font
color="#ffffff"><br>
<a href="shorewall_prerequisites.htm"><font color="#ffffff">Requirements</font></a><font
color="#ffffff"><br>
<a href="upgrade_issues.htm"><font color="#ffffff">Upgrade
Issues</font></a><font color="#ffffff"><br>
<a href="useful_links.html"><font color="#ffffff">Useful Links</font></a><font
color="#ffffff"><br>
<a href="Shorewall_Doesnt.html"><font color="#ffffff">What it
Cannot Do</font></a>
</font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font>
<ul>
<small> </small><li style="font-weight: bold;"><a href="index.htm"
target="_top">Home</a></li>
<li style="font-weight: bold;"><a href="download.htm">Download</a></li>
<li><a href="Install.htm"><span style="font-weight: bold;">Installation</span></a>
</li>
<li><b><a href="Documentation_Index.html">Documentation</a></b></li>
<li><a href="FAQ.htm"><span style="font-weight: bold;">FAQ</span>s</a>&nbsp;
(<a href="http://wiki.rettc.com/wiki.phtml?title=Wiki_Shorewall_FAQ"
target="_top">Wiki</a>)</li>
<li><a href="troubleshoot.htm"><span style="font-weight: bold;">Troubleshooting</span></a></li>
<li><a href="support.htm"><span style="font-weight: bold;">Support</span></a></li>
</ul>
<span style="font-weight: bold;"></span>
<ul>
<li> <a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it
Cannot Do</a> </li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li><a href="http://lists.shorewall.net">Mailing
Lists</a><a href="http://lists.shorewall.net"> </a> </li>
<li><a href="upgrade_issues.htm">Upgrade
Issues</a></li>
<li><a href="errata.htm">Errata</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a> </li>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS
Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<li><a href="useful_links.html">Useful Links</a></li>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="shorewall_index.htm#Donations">Donations</a></li>
</ul>
<p><a href="copyright.htm"><font size="2">Copyright © 2001-2004 Thomas
M. Eastep.</font></a><br>
</p>
<p><font color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><a
href="copyright.htm"><font size="2"><font color="#ffffff">Copyright ©
2001-2004</font></font></a><font size="2"><br>
<a href="copyright.htm"><font size="2"><font color="#ffffff">Thomas
M. Eastep.</font></font></a><font size="2"><br>
</font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></p>
<div style="text-align: left;">
<div style="text-align: left;"><a href="http://www.shorewall.net"
target="_top"><img alt="(Protected by Shorewall)"
src="images/ProtectedBy.png"
style="border: 0px solid ; width: 216px; height: 45px;" title=""></a></div>
<a href="http://www.shorewall.net" target="_top"></a></div>
<p><br>
<a href="copyright.htm"> </a> </p>
<div style="text-align: left;"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
size="2"><a href="http://www.shorewall.net" target="_top"><img title=""
style="border: 0px solid ; width: 144px; height: 30px;"
src="images/ProtectedBy.png" alt="(Protected by Shorewall)"></a></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></div>
</div>
<p><font color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font color="#ffffff"><font color="#ffffff"><font
color="#ffffff"><font size="2"><br>
<a href="copyright.htm"> </a> </font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></font></p>
</body>
</html>
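Review bot: The `<body>` tag in this hunk sets link="#0000ee" and alink="#0000ee" on a background of rgb(51, 102, 255), so the menu entries are only legible because each one is wrapped in its own `<font color="#ffffff">`, and those elements are opened after every link and closed only in the long runs of `</font>` before `<ul>` and in the copyright and logo blocks. Setting the link colours to #ffffff on `<body>` (or using one style rule) would let plain `<a>` entries stand on their own and remove the deep nesting, which is easy to unbalance in a later edit. The block also carries an empty `<a href="http://www.shorewall.net" target="_top"></a>` and an `<a href="copyright.htm"> </a>` with no content, both of which can be dropped.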

View File

@ -22,7 +22,7 @@ Texts. A copy of the license is included in the section entitled “<span
class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free
Documentation License</a></span>”.<br>
</p>
<p>2004-05-18<br>
<p>2004-06-15<br>
</p>
<hr style="width: 100%; height: 2px;">
<p><b>I strongly urge you to read and print a copy of the <a
@ -44,7 +44,8 @@ download from the Download Sites listed in the table below.<br>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p>
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> Linux
<li>If you run a <b>RedHat</b>, <b>Fedora, SuSE, Mandrake</b>, <b>
Linux
PPC</b>, <span style="font-weight: bold;">Trustix</span> or <b>
TurboLinux</b> distribution with a 2.4 kernel, you can
use the RPM version (note: the RPM should also work with other
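Review bot: In the distribution list item, the line that adds Fedora puts three names in one bold element, `<b>Fedora, SuSE, Mandrake</b>`, while RedHat, Trustix and TurboLinux each have their own element; give each name its own `<b>` so the commas are not bold and the markup matches the neighbouring entries. The `<b> Linux PPC</b>` element is also now spread over three lines with a leading space inside the tag and could be rejoined.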

View File

@ -10,7 +10,7 @@ charset=UTF-8"></head>
border="1"framespacing="0"> <frame
src="Banner.html" name="topFrame"scrolling="NO"
noresize >
<frameset cols="230,*" frameborder="yes" border="1" framespacing="0">
<frameset cols="156,*" frameborder="yes" border="1" framespacing="0">
<frame src="Shorewall_index_frame.htm" name="contents"> <frame src="shorewall_index.htm"
name="main">
</frameset>
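Review bot: The unchanged lines around the edited `<frameset>` have attributes run together with no separating whitespace (`border="1"framespacing="0"`, `name="topFrame"scrolling="NO"`), which relies on lenient parsing and is worth correcting while this frameset is being touched. On the changed line itself, `cols="156,*"` fixes the contents column in pixels, so it should be checked with larger text sizes to confirm that the menu entries in the contents frame still fit.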

View File

@ -37,7 +37,7 @@ Documentation License</a></span>”.</p>
</div>
</div>
<div>
<p class="pubdate">2004-06-03<br>
<p class="pubdate">2004-07-02<br>
</p>
<hr style="width: 100%; height: 2px;"></div>
<h3>Table of Contents</h3>
@ -51,17 +51,13 @@ Shorewall</a><br>
two-interface setup?</a><br>
<a href="#License">License</a><br>
</div>
<a href="#News">News</a><br>
<div style="margin-left: 40px;"><a href="#Downtime"><span
style="font-weight: bold;">shorewall.net Downtime</span></a><br>
<a href="#2_0_2f">Shorewall 2.0.2f</a><br>
<a href="#2_0_2e">Shorewall 2.0.2e</a><br>
<a href="#2_0_2d">Shorewall 2.0.2d</a><br>
<a href="#2_0_2c">Shorewall 2.0.2c</a><br>
<a href="#2_0_2b">Shorewall 2.0.2b</a><br>
<a href="#2_0_2a">Shorewall 2.0.2a</a><br>
<a href="#2_0_2">Shorewall 2.0.2</a><br>
<a href="#LinuxFest">Presentation at LinuxFest NW</a><br>
<a href="#News">News</a><a href="#2_0_3b"><br>
</a>
<div style="margin-left: 40px;"><a href="#2_0_3c">Shorewall 2.0.3c</a><br>
<a href="#2_0_3b">Shorewall 2.0.3b</a><br>
<a href="#2_0_3a">Shorewall 2.0.3a</a><br>
<a href="#2_0_3">Shorewall
2.0.3</a><br>
</div>
<a href="#Leaf">Leaf</a><br>
<a href="#Donations">Donations</a><br>
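Review bot: The table-of-contents line `<a href="#News">News</a><a href="#2_0_3b"><br>` followed by `</a>` leaves a link to #2_0_3b whose only content is a line break, so it renders nothing visible and only adds an empty link for keyboard and screen-reader users; replace it with a plain `<br>` after the News link. The Shorewall 2.0.3 entry is also broken across two lines inside its `<a>`, unlike the three entries above it.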
@ -156,341 +152,207 @@ Documentation License"</a>. </div>
<p> </p>
<hr style="width: 100%; height: 2px;">
<h2><a name="News"></a>News</h2>
<p><b><a name="2_0_2f"></a>6/3/2004 - Shorewall 2.0.2f<br>
</b></p>
<p>Fixes one problem:<br>
</p>
<span style="font-weight: bold;"><a name="2_0_3c"><span
style="font-weight: bold;">7/02/2004 -
Shorewall 2.0.3c<br>
<br>
</span></a></span>Problems Corrected<span style="font-weight: bold;">:<br>
</span>
<ol>
<li>Versions 2.0.2d and 2.0.2e fail to load kernel modules unless
MODULE_SUFFIX is set in shorewall.conf<br>
<li> Error messages regarding $RESTOREBASE occur during <span
class="bold"><b>shorewall stop</b></span> </li>
<li> If CLEAR_TC=Yes in <tt class="filename">shorewall.conf</tt>, <span
class="bold"><b>shorewall stop</b></span> fails without removing the
lock file. </li>
</ol>
<span style="font-weight: bold;"><br>
</span><span style="font-weight: bold;"><a name="2_0_3b"></a>6/30/2004
-
Shorewall 2.0.3b and Shorewall 1.4.10g<br>
<br>
</span>Problems Corrected:<br>
<ol>
<li>The security vulnerability fix released in Shorewall 2.0.3a
failed under Slackware 9.1.</li>
<li>The security vulnerability fix released in Shorewall 2.0.3a
failed if mktemp was not installed.<br>
</li>
</ol>
<p><b><a name="2_0_2e"></a>6/2/2004 - Shorewall 2.0.2e<br>
</b></p>
<p>One problem corrected:<br>
</p>
<a name="2_0_3a"></a><span style="font-weight: bold;">6/28/2004 -
Shorewall 2.0.3a and Shorewall 1.4.10f<br>
<br>
</span>Problems Corrected:<br>
<ol>
<li>LOG rules within an action generate two Netfilter logging rules.<br>
<li>Javier Fernández-Sanguino Peña has discovered an exploitable
vulnerability in the way that Shorewall handles temporary files and
directories. The vulnerability can allow a non-root user to cause
arbitrary files on the system to be overwritten. LEAF Bering and Bering
uClibc users are generally not at risk due to the fact that LEAF boxes
do not typically allow logins by non-root users. <br>
</li>
<li>(2.0.3a only) A non-empty DEST entry in /etc/shorewall/tcrules
will generate an error and Shorewall fails to start.</li>
</ol>
<p><b><a name="Downtime"></a>6/1/2004 - shorewall.net Downtime<br>
</b></p>
<p><b><span style="font-weight: bold;"><span style="font-weight: bold;"></span></span></b>The
following systems will be down on Saturday 5 June for server rebuild.<br>
</p>
<ul>
<li>shorewall.net</li>
<li>lists.shorewall.net</li>
<li>www1.shorewall.net</li>
<li>ftp1.shorewall.net</li>
<li>cvs.shorewall.net</li>
<li>rsync.shorewall.net</li>
</ul>
This will affect:<br>
<ul>
<li>Shorewall site and list archives search</li>
<li>Mailing Lists</li>
<li>Mailing List Archives</li>
<li>CVS</li>
<li>Primary shorewall.net DNS</li>
</ul>
I plan to start the rebuild on Saturday morning PDT (-0700) and hope to
be finished by Saturday evening.<br>
<p><b><a name="2_0_2d"><br>
</a>5/28/2004 - Shorewall 2.0.2d<br>
</b><br>
One problem corrected:<br>
</p>
<div style="margin-left: 40px;">Note:: Slackware users may need the
'functions' file from CVS (STABLE/ project for 1.4.10f and STABLE2/
project for 2.0.3a) to prevent startup errors with these versions
installed. These updatged files are also available from the Errata (<a
href="errata.htm">2.0,</a> <a href="1.4/errata.htm">1.4</a>).<br>
<br>
</div>
<a name="2_0_3"></a><span style="font-weight: bold;">6/23/2004 -
Shorewall 2.0.3<br>
<br>
</span>Problems Corrected:<br>
<ol>
<li>Shorewall was checking capabilities before loading kernel
modules. Consequently, if kernel module autoloading was disabled, the
capabilities were mis-detected.<br>
</li>
<li>The 'firewall' script is not purging temporary restore files in
/var/lib/shorewall. These files have names of the form "restore-nnnnn".</li>
<li>The /var/lib/shorewall/restore script did not load the kernel
modules specified in /etc/shorewall/modules.</li>
<li>Specifying a null common action in /etc/shorewall/actions (e.g.,
:REJECT) results in a startup error.</li>
<li>If /var/lib/shorewall does not exist, shorewall start fails.</li>
<li>DNAT rules with a dynamic source zone don't work properly. When
used, these rules cause the rule to be checked against ALL input, not
just input from the designated zone.</li>
<li>The install.sh script reported installing some files in
/etc/shorewall when the files were actually installed in
/usr/share/shorewall.</li>
<li>Shorewall checks netfilter capabilities before loading kernel
modules. Hence if kernel module autoloading isn't enabled, the
capabilities will be misdetected.</li>
<li>The 'newnotsyn' option in /etc/shorewall/hosts has no effect.</li>
<li>The file /etc/init.d/shorewall now gets proper ownership when the
RPM is built by a non-root user.</li>
<li>Rules that specify bridge ports in both the SOURCE and DEST
columns no longer cause "shorewall start" to fail.</li>
<li>Comments in the rules file have been added to advise users that
"all" in the SOURCE or DEST column does not affect intra-zone traffic.</li>
<li>With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are
now passed through the blacklisting chains. Without this change, it is
not possible to blacklist hosts that are mounting certain types of
ICMP-based DOS attacks.</li>
</ol>
<p><b><a name="2_0_2c"></a>5/21/2004 - Shorewall 2.0.2c</b></p>
One problem corrected:<br>
Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:<br>
<ol>
<li>&nbsp;DNAT rules with a dynamic source zone don't work
properly. When used, these rules cause the rule to be checked against
ALL input,&nbsp; not just input from the designated zone.<br>
</li>
</ol>
<p><b><a name="2_0_2b"></a>5/18/2004 - Shorewall 2.0.2b</b><b>&nbsp;</b></p>
<p>Corrects two problems:</p>
<ol>
<li>Specifying a null common action in /etc/shorewall/actions
(e.g., :REJECT) results in a startup error.<br>
<br>
</li>
<li>If /var/lib/shorewall does not exist, shorewall start fails.<br>
</li>
</ol>
<p><b><a name="2_0_2a"></a>5/15/2004 - Shorewall 2.0.2a</b><b> </b><br>
</p>
<p>Corrects two problems:<br>
</p>
<ol>
<li>Temporary restore files were not being removed from
/var/lib/shorewall. These files have names of the form
'restore-nnnnn'.&nbsp;
You can remove files that have accumulated with the command: <br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;rm -f /var/lib/shorewall/restore-[0-9]* <br>
<br>
</li>
<li>The restore script did not load kernel modules. The result
was that after a cold load, applications like FTP and IRC DCC didn't
work. <br>
<br>
To correct: <br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;1) Install 2.0.2a <br>
&nbsp;&nbsp;&nbsp;&nbsp;2) "shorewall restart" <br>
&nbsp;&nbsp;&nbsp;&nbsp;3) "shorewall save" </li>
</ol>
<p><b><a name="2_0_2"></a>5/13/2004 - Shorewall 2.0.2</b><b>&nbsp;</b></p>
<p>Problems Corrected since 2.0.1<br>
</p>
<ol>
<li>The /etc/init.d/shorewall script installed on Debian by
install.sh failed silently due to a missing file
(/usr/share/shorewall/wait4ifup). That file is not part of the normal
Shorewall distribution and is provided by the Debian maintainer.</li>
<li>A meaningless warning message out of the proxyarp file
processing has been eliminated.</li>
<li>The "shorewall delete" command now correctly removes all
dynamic rules pertaining to the host(s) being deleted. Thanks to Stefan
Engel for this correction.</li>
</ol>
Issues when migrating from Shorewall 2.0.1 to Shorewall 2.0.2:<br>
<ol>
<li>Extension Scripts -- In order for extension scripts to work
properly with the new iptables-save/restore integration (see New
Feature 1 below), some change may be required to your extension
scripts. If your extension scripts are executing commands other than
iptables then those commands must also be written to the restore file
(a temporary file in /var/lib/shorewall that is renamed
/var/lib/shorewall/restore-base at the end of the operation).<br>
<br>
The following functions should be of help:<br>
<br>
A. save_command() -- saves the passed command to the restore file.<br>
<br>
&nbsp;&nbsp;&nbsp; Example:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; save_command echo Operation
Complete<br>
<br>
&nbsp;&nbsp; That command would simply write "echo Operation Complete"
to the restore file.<br>
<br>
B. run_and_save_command() -- saves the passed command to the restore
file then executes it. The return value is the exit status of the
command.<br>
<br>
&nbsp; &nbsp; Example:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; run_and_save_command "echo 1 &gt;
/proc/sys/net/ipv4/icmp_echo_ignore_all"<br>
<br>
&nbsp;&nbsp;&nbsp; Note that as in this example, when the command
involves file redirection then the entire command must be enclosed in
quotes. This applies to all of the functions described here.<br>
<br>
C. ensure_and_save_command() -- runs the passed command. If the command
fails, the firewall is restored to it's prior saved state and the
operation is terminated. If the command succeeds, the command is
written to the restore file.<br>
<br>
</li>
<li>Dynamic Zone support -- If you don't need to use the
"shorewall add" and "shorewall delete commands, you should set
DYNAMIC_ZONES=No in /etc/shorewall/shorewall.conf.</li>
<li>The 'dropNonSyn' standard builtin action has been replaced with
the 'dropNotSyn' standard builtin action. The old name can still be
used but will generate a warning.</li>
</ol>
New Features:<br>
<ol>
<li>Shorewall has now been integrated with
iptables-save/iptables-restore to provide very fast start and restart.
The elements of this integration are as follows:<br>
<li>Shorewall now supports multiple saved configurations.</li>
<ol>
<li>The default saved configuration (restore script) in
/var/lib/shorewall is now specified using the RESTOREFILE option in
shorewall.conf. If this variable isn't set then to maintain backward
compatibility, 'restore' is assumed.<br>
<br>
a) The 'shorewall save' command now saves the current configuration in
addition to the current dynamic blacklist. If you have dynamic zones,
you will want to issue 'shorewall save' when the zones are empty or the
current contents of the zones will be restored by the 'shorewall
restore' and 'shorewall -f start' commands.<br>
The value of RESTOREFILE must be a simple file name; no slashes ("/")
may be included.<br>
</li>
<li>The "save" command has been extended to be able to specify the
name of a saved configuration.<br>
<br>
b) The 'shorewall restore' command has been added. This command
restores the configuration at the time of the last 'save'.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; shorewall
save [ &lt;file name&gt; ]<br>
<br>
c) The -f (fast) option has been added to 'shorewall start'. When
specified (e.g. 'shorewall -f start'), shorewall will perform a
'shorewall restore' if there is a saved configuration. If there is no
saved configuration, a normal 'shorewall start' is performed.<br>
The current state is saved to /var/lib/shorewall/&lt;file name&gt;. If
no &lt;file name&gt; is given, the configuration is saved to the file
determined by the RESTOREFILE setting.</li>
<li>The "restore" command has been extended to be able to specify
the name of a saved configuration:<br>
<br>
d) The /etc/init.d/shorewall script now translates the 'start' command
into 'shorewall -f start' so that fast restart is possible.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; shorewall
restore [ &lt;file name&gt; ]<br>
<br>
e) When a state-changing command encounters an error and there is
current saved configuration, that configuration will be restored
(currently, the firewall is placed in the 'stopped' state).<br>
The firewall state is restored from /var/lib/shorewall/&lt;file
name&gt;. If no &lt;file name&gt; is given, the firewall state is
restored from the file determined by the RESTOREFILE setting.</li>
<li>The "forget" command has changed. Previously, the command
unconditionally removed the /var/lib/shorewall/save file which records
the current dynamic blacklist. The "forget" command now leaves that
file alone.<br>
<br>
f) If you have previously saved the running configuration and want
Shorewall to discard it, use the 'shorewall forget' command. WARNING:
iptables 1.2.9 is broken with respect to iptables-save; if your kernel
has connection tracking match support, you must patch iptables 1.2.9
with the iptables patch availale from the Shorewall errata page.<br>
Also, the "forget" command has been extended to be able to specify the
name of a saved configuration:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
shorewall forget [ &lt;file name&gt; ]<br>
<br>
The file /var/lib/shorewall/&lt;file name&gt; is removed. If no
&lt;file name&gt; is given, the file determined by the RESTOREFILE
setting is removed.</li>
<li>The "shorewall -f start" command restores the state from the
file determined by the RESTOREFILE setting.</li>
</ol>
<li>"!" is now allowed in accounting rules.</li>
<li>Interface names appearing within the configuration are now
verified. Interface names must match the name of an entry in
/etc/shorewall/interfaces (or if bridging is enabled, they must match
the name of an entry in /etc/shorewall/interfaces or the name of a
bridge port appearing in /etc/shorewall/hosts).</li>
<li>A new 'rejNotSyn' built-in standard action has been added. This
action responds to "New not SYN" packets with an RST.<br>
<br>
The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
action. The old name will be accepted until the next major release of
Shorewall but will generate a warning.<br>
<br>
Several new logging actions involving "New not SYN" packets have been
added:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; logNewNotSyn&nbsp; -- logs
the packet with disposition = LOG<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dLogNewNotSyn -- logs the
packet with disposition = DROP<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; rLogNewNotSyn -- logs the
packet with disposition = REJECT<br>
<br>
The packets are logged at the log level specified in the LOGNEWNOTSYN
option in shorewall.conf. If than option is empty or not specified,
then 'info' is assumed.<br>
<br>
Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):</li>
<ol>
<li>To simulate the behavior of NEWNOTSYN=No:
<ol>
<li>Add 'NoNewNotSyn' to /etc/shorewall/actions.</li>
<li>Create /etc/shorewall/action.NoNewNotSyn containing:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
dLogNotSyn<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
dropNotSyn<br>
<br>
</li>
<li>The previous implementation of dynamic zones was difficult
to maintain. I have changed the code to make dynamic zones optional
under the control of the DYNAMIC_ZONES option in
/etc/shorewall/shorewall.conf.<br>
<li>Early in your rules file, place:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
NoNewNotSyn&nbsp;&nbsp; all&nbsp;&nbsp; all&nbsp;&nbsp;&nbsp;&nbsp; tcp<br>
<br>
</li>
<li>In earlier Shorewall 2.0 releases, Shorewall searches in
order the following directories for configuration files.<br>
</ol>
</li>
<li>Drop 'New not SYN' packets from the net only. Don't log them:</li>
<ol>
<li>Early in your rules file, place:<br>
<br>
a) The directory specified in a 'try' command or specified using the -c
option.<br>
b) /etc/shorewall<br>
c) /usr/share/shorewall<br>
<br>
In this release, the CONFIG_PATH option is added to shorewall.conf.
CONFIG_PATH contains a list of directory names separated by colons
(":"). If not set or set to a null value (e.g., CONFIG_PATH="") then
"CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed. Now
Shorewall searches for shorewall.conf according to the old rules and
for other configuration files as follows:<br>
<br>
a) The directory specified in a 'try' command or specified using the -c
option.<br>
b) Each directory in $CONFIG_PATH is searched in sequence.<br>
<br>
In case it is not obvious, your CONFIG_PATH should include
/usr/share/shorewall and your shorewall.conf file must be in the
directory specified via -c or in a try command, in /etc/shorewall or in
/usr/share/shorewall.<br>
<br>
For distribution packagers, the default CONFIG_PATH is set in
/usr/share/shorewall/configpath. You can customize this file to have a
default that differs from mine.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
dropNotSyn&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; all&nbsp;&nbsp; tcp<br>
<br>
</li>
<li>Previously, in /etc/shorewall/nat a Yes (or yes) in the
LOCAL column would only take effect if the ALL INTERFACES column also
contained Yes or yes. Now, the LOCAL columns contents are treated
independently of the contents of the ALL INTERFACES column.<br>
</ol>
</ol>
<li>Slackware users no longer have to modify the install.sh script
before installation. Tuomo Soini has provided a change that allows the
INIT and FIREWALL variables to be specified outside the script as in:<br>
<br>
</li>
<li>The folks at Mandrake have created yet another kernel
module naming convention (module names end in "ko.gz"). As a
consequence, beginning with this release, if MODULE_SUFFIX isn't
specified in shorewall.conf, then the default value is "o gz ko o.gz
ko.gz".<br>
<br>
</li>
<li>An updated bogons file is included in this release.<br>
<br>
</li>
<li>In /etc/shorewall/rules and in action files generated from
/usr/share/shorewall/action.template, rules that perform logging can
specify an optional "log tag". A log tag is a string of alphanumeric
characters and is specified by following the log level with ":" and the
log tag.<br>
<br>
Example:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT:info:ftp
net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp;&nbsp; 21<br>
<br>
The log tag is appended to the log prefix generated by the LOGPREFIX
variable in /etc/shorewall/conf. If "ACCEPT:info" generates the log
prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will generate
"Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank). The maximum
length of a log prefix supported by iptables is 29 characters; if a
larger prefix is generated, Shorewall will issue a warning message and
will truncate the prefix to 29 characters.<br>
<br>
</li>
<li>A new "-q" option has been added to /sbin/shorewall
commands. It causes the start, restart, check and refresh commands to
produce much less output so that warning messages are more visible
(when testing this change, I discovered a bug where a bogus warning
message was being generated).<br>
<br>
</li>
<li>Shorewall now uses 'modprobe' to load kernel modules if
that utility is available in the PATH; otherwise, 'insmod' is used.<br>
<br>
</li>
<li>It is now possible to restrict entries in the
/etc/shorewall/masq file to particular protocols and destination
port(s). Two new columns (PROTO and PORT(S)) have been added to the
file.<br>
<br>
Example:<br>
<br>
You want all outgoing SMTP traffic entering the firewall on eth1 to be
sent from eth0 with source IP address 206.124.146.177. You want all
other outgoing traffic from eth1 to be sent from eth0 with source IP
address 206.124.146.176.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp;
eth1&nbsp;&nbsp;&nbsp; 206.124.146.177 tcp&nbsp;&nbsp;&nbsp;&nbsp; 25<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp;
eth1&nbsp;&nbsp;&nbsp; 206.124.146.176<br>
<br>
THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!<br>
<br>
Assuming that 10.0.0.0/8 is the only host/network connected to eth1,
the progress message at "shorewall start" would be:<br>
<br>
&nbsp;&nbsp;&nbsp; Masqueraded Networks and Hosts:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To 0.0.0.0/0 (tcp 25) from
10.0.0.0/8 through eth0 using 206.124.146.177<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To 0.0.0.0/0 (all) from 10.0.0.0/8
through eth0 using 206.124.146.176<br>
<br>
</li>
<li>Two new actions are available in the /etc/shorewall/rules
file.<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT+&nbsp;&nbsp;&nbsp; -- Behaves like ACCEPT
with the exception that it exempts matching connections from subsequent
DNAT[-] and REDIRECT[-] rules.<br>
&nbsp;&nbsp;&nbsp; NONAT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- Exempts
matching connections from subsequent DNAT[-] and REDIRECT[-] rules.<br>
<br>
</li>
<li>A new extension script 'initdone' has been added. This
script is invoked at the same point as the 'common' script was
previously and is useful for users who mis-used that script under
Shorewall 1.x (the script was intended for adding rules to the 'common'
chain but many users treated it as a script for adding rules before
Shorewall's).<br>
<br>
</li>
<li>Installing/Upgrading Shorewall on Slackware has been
improved. Slackware users must use the tarball and must modify settings
in the install.sh script before running it as follows:<br>
<br>
&nbsp;&nbsp;&nbsp; DEST="/etc/rc.d"<br>
&nbsp;&nbsp;&nbsp; INIT="rc.firewall"<br>
<br>
Thanks to Alex Wilms for helping with this change.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DEST=/etc/rc.d INIT=rc.firewall
./install.sh<br>
</li>
</ol>
<p><b><a name="LinuxFest"></a>4/17/2004 - Presentation at
LinuxFest NW</b><b><br>
</b></p>
<p>Today I gave a presentation at LinuxFest NW in Bellingham. The
presentation was entitled "<a
href="http://lists.shorewall.net/Shorewall_and_the_Enterprise.htm"
target="_blank">Shorewall
and the Enterprise</a>" and described the history of Shorewall and gave
an overview of its features.<br>
</p>
<ol>
</ol>
<p><a href="News.htm">More News</a></p>
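Review bot: In the NoNewNotSyn example, the body of /etc/shorewall/action.NoNewNotSyn lists dLogNotSyn, but the logging actions introduced just above it are logNewNotSyn, dLogNewNotSyn and rLogNewNotSyn, so a reader who copies the example gets an action name this text never defines. Use dLogNewNotSyn there if that is the intended action. Smaller text fixes in the same region: "restored to it's prior saved state" should read "its", the quote opened before "shorewall delete" is never closed, "If than option is empty" should read "If that option", and "availale" should read "available". The log tag paragraph also names /etc/shorewall/conf as the home of LOGPREFIX where the rest of the text uses shorewall.conf.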

View File

@ -10,7 +10,7 @@
<div class="titlepage">
<div>
<div>
<h1 class="title"><a id="usefull_links"></a>Useful Links</h1>
<h1 class="title">Useful Links</h1>
</div>
<div>
<div class="author">
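Review bot: The h1 line appears twice in this hunk, once with <a id="usefull_links"></a> and once without. If the bare heading is the version being kept, any existing link to the #usefull_links fragment stops resolving. Keep the anchor, or add a correctly spelled id next to the old one, unless nothing links to that fragment.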
@ -19,7 +19,7 @@
</div>
</div>
<div>
<p class="copyright">Copyright © 2003 Thomas M. Eastep</p>
<p class="copyright">Copyright © 2003-2004 Thomas M. Eastep</p>
</div>
<div>
<div class="legalnotice">
@ -33,10 +33,9 @@ Documentation License</a></span>”.</p>
</div>
</div>
<div>
<p class="pubdate">2003/12/30</p>
<p class="pubdate">2004-07-02</p>
</div>
</div>
<div></div>
<hr></div>
<div class="informaltable">
<table border="0">
@ -69,6 +68,8 @@ Shorewall: <a
</tr>
</tbody>
</table>
<script language="JavaScript1.1"
src="http://www.trendmicro.com/syndication/wtc/wtc_applet_js.asp"></script>
</div>
</div>
</body>
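Review bot: The script element at the end of this hunk pulls http://www.trendmicro.com/syndication/wtc/wtc_applet_js.asp from a third-party host over plain HTTP, so that host, or anyone able to alter the response in transit, gets to run script in every reader's copy of the Useful Links page. A static documentation page has no need for it; a plain hyperlink to the vendor's page would carry the same information without executing remote code. If the script has to stay, the commit message should say why, and language="JavaScript1.1" should be replaced by a type attribute.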