From 2ac7b97ddea94d2ecfa6e633ab1071a4b6b514bb Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 26 Aug 2005 22:42:35 +0000 Subject: [PATCH] Update versions to 2.5.3 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2566 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/fallback.sh | 2 +- Shorewall/install.sh | 2 +- Shorewall/releasenotes.txt | 74 ++++++++++++++++++++++++++++++++++++-- Shorewall/shorewall.spec | 4 ++- Shorewall/uninstall.sh | 2 +- 5 files changed, 78 insertions(+), 6 deletions(-) diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh index 2d6f64b10..e8d4632ec 100755 --- a/Shorewall/fallback.sh +++ b/Shorewall/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=2.5.2 +VERSION=2.5.3 usage() # $1 = exit status { diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 945fb393d..ea4d3cd09 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=2.5.2 +VERSION=2.5.3 usage() # $1 = exit status { diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 6015c135e..1fb87d2cd 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -72,6 +72,13 @@ New Features in Shorewall 2.5.3 Macros may be used in these sections provided that they expand to only these ACTIONs. + At the end of the ESTABLISHED and RELATED sections, there is an + implicit "ALLOW all all all" rule. + + RESTRICTION: If you specify FASTACCEPT=Yes in + /etc/shorewall.shorewall.conf then the ESTABLISHED and RELATED + sections must be empty. + 6) The value 'ipp2p' is once again allowed in the PROTO column of the rules file. It is recommended that rules specifying 'ipp2p' only be included in the ESTABLISHED section of the file. 
@@ -410,8 +417,8 @@ New Features in Shorewall 2.5.* If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are accepted early in the INPUT, FORWARD and OUTPUT chains. If you set - FASTACCEPT=Yes then you may not specify ESTABLISHED policies in - /etc/shorewall/policy (see above). + FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or + RELATED sections of /etc/shorewall/rules. 9) Shorewall now generates an error if the 'norfc1918' option is specified for an interface with an RFC 1918 address. 
@@ -450,4 +457,67 @@ New Features in Shorewall 2.5.* scripts. The value of this variable is sometimes of interest to programmers providing custom /etc/shorewall/tcstart scripts. +14) Previously, if you defined any intra-zone rule(s) then any traffic + not matching the rule(s) was subject to normal policies (which + usually turned out to involve the all->all REJECT policy). Now, the + intra-zone ACCEPT policy will still be in effect in the presense of + intra-zone rules. That policy can still be overridden by an + explicit policy in your /etc/shorewall/policy file. + + Example: + + /etc/shorewall/rules: + + DNAT loc:!192.168.1.4 loc:192.168.1.4:3128 tcp 80 + + Any other loc->loc traffic will still be accepted. If you want to + also log that other loc->loc traffic at the info log level then + insert this into /etc/shorewall/policy: + + #SOURCE DEST POLICY LOG LEVEL + loc loc ACCEPT info + +15) Prior to Shorewall 2.5.3, the rules file only controlled packets in + the Netfilter states NEW and INVALID. Beginning with this release, + the rules file can also deal with packets in the ESTABLISHED and + RELATED states. + + The /etc/shorewall/rules file may now be divided into + "sections". Each section is introduced by a line that begins with + the keyword SECTION which is followed by the section name. Sections + are as listed below and must appear in the order shown. + + ESTABLISHED + + Rules in this section apply to packets in the ESTABLISHED + state. + + RELATED + + Rules in this section apply to packets in the RELATED state. + + NEW + + Rules in this section apply to packets in the NEW and INVALID + states. + + Rules in the ESTABLISHED and RELATED sections are limited to the + following ACTIONs: + + ACCEPT, DROP, REJECT, QUEUE, LOG and User-defined actions. + + Macros may be used in these sections provided that they expand to + only these ACTIONs. + + At the end of the ESTABLISHED and RELATED sections, there is an + implicit "ALLOW all all all" rule. 
+ + RESTRICTION: If you specify FASTACCEPT=Yes in + /etc/shorewall.shorewall.conf then the ESTABLISHED and RELATED + sections must be empty. + +16) The value 'ipp2p' is once again allowed in the PROTO column of + the rules file. It is recommended that rules specifying 'ipp2p' + only be included in the ESTABLISHED section of the file. + diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index c5fc3075a..c14180963 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 2.5.2 +%define version 2.5.3 %define release 1 %define prefix /usr @@ -155,6 +155,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn %changelog +* Fri Aug 26 2005 Tom Eastep tom@shorewall.net +- Updated to 2.5.3-1 * Tue Aug 16 2005 Tom Eastep tom@shorewall.net - Updated to 2.5.2-1 * Sun Aug 07 2005 Tom Eastep tom@shorewall.net diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index d42315be1..df102e129 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=2.5.2 +VERSION=2.5.3 usage() # $1 = exit status {
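Review bot: In Shorewall/releasenotes.txt, hunk @@ -72,6 +72,13 @@, the added RESTRICTION names the file as /etc/shorewall.shorewall.conf, which looks like a typo for /etc/shorewall/shorewall.conf; the other paths in these notes (/etc/shorewall/rules, /etc/shorewall/policy) use a slash after the directory. The added implicit rule is written "ALLOW all all all", but the ACTIONs listed for these sections are ACCEPT, DROP, REJECT, QUEUE, LOG and user-defined actions. Suggest "ACCEPT all all all" so the default at the end of each section is stated in the same terms as the rules a reader can actually write.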
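Review bot: In Shorewall/releasenotes.txt, hunk @@ -410,8 +417,8 @@, the reworded sentence says that with FASTACCEPT=Yes you "may not include rules in the ESTABLISHED or RELATED sections" but does not say what happens if you do. Because FASTACCEPT=Yes accepts these packets early in the INPUT, FORWARD and OUTPUT chains, someone who leaves a DROP or REJECT rule in those sections needs to know whether Shorewall reports an error or ignores the rule; suggest stating which. The unchanged context line above still reads "ESTABLISHED/RELEATED" and could be corrected to RELATED in the same change.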
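Review bot: In Shorewall/releasenotes.txt, hunk @@ -450,4 +457,67 @@, item 14 changes the default in the permissive direction and the notes do not flag that for people upgrading: traffic that matches no intra-zone rule used to fall to the normal policies (usually the all->all REJECT policy) and is now accepted. The only example shows an ACCEPT policy with logging; suggest adding one that restores the restrictive result through an explicit entry in /etc/shorewall/policy, and marking the item as a behaviour change. Also in this hunk: "presense" should be "presence"; items 15 and 16 repeat the text already present under "New Features in Shorewall 2.5.3", so they carry the same "/etc/shorewall.shorewall.conf" and "ALLOW all all all" wording; and item 16 recommends placing 'ipp2p' rules in the ESTABLISHED section, which the RESTRICTION requires to be empty when FASTACCEPT=Yes, so the recommendation should mention that interaction.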
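Review bot: In Shorewall/uninstall.sh, and the matching one-line hunks in fallback.sh, install.sh and shorewall.spec, the version string is bumped by hand in four separate files. The header comment in uninstall.sh says the script may only be used to uninstall the version shown below, so the value is functional and a missed bump in any one file would go unnoticed by this patch. Consider a single version source that the scripts and the spec read, or a release-time check that compares the four values.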