holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Update paperwork for recent changes

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2817 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-10-06 20:30:27 +00:00
parent 748375d12d
commit 3675601597
2 changed files with 54 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Shorewall/changelog.txt
View File

@ -1,3 +1,9 @@
Changes in 2.5.8
1) Fix 'shorewall refresh' with long tcrules entries.
2) Implement MACLIST_TABLE.
Changes in 2.5.7 Changes in 2.5.7
1) Fix ADMINISABSENTMINDED=Yes vs. entries in /etc/shorewall/routestopped. 1) Fix ADMINISABSENTMINDED=Yes vs. entries in /etc/shorewall/routestopped.

92
Shorewall/releasenotes.txt
View File

@ -1,53 +1,26 @@
Shorewall 2.5.7. Shorewall 2.5.8.
Problems Corrected in 2.5.7: Problems Corrected in 2.5.8:
1) In previous versions, when the command is 'start', 'restart' or 1) "shorewall refresh" will fail if there are entries in
'stop' then OUTPUT traffic to hosts listed in /etc/shorewall/tcrules with non-empty USER/GROUP or TEST columns.
/etc/shorewall/routestopped is not enabled if
ADMINISABSENTMINDED=Yes. That traffic is now enabled independent of
the setting of ADMINISABSENTMINDED.
2) The "shorewall refresh" command was clearing traffic shaping but not This problem may be corrected by replacing /usr/share/shorewall/firewall
reconfiguring it. with the 'firewall' file from the 'errata' subdirectory.
3) Previously, 'ipp2p' rules that specified logging would generate an New Features in 2.5.8:
error on "shorewall start". This is a bug in the ipp2p code but I
have included a workaround in Shorewall.
4) Fix "shorwall flush" vs mangle table. 1) Normally MAC verification triggered by the 'maclist' interface and host
options is done out of the INPUT and FORWARD chains of the filter table.
Users have reported that under some circulstances, MAC verification is
failing for forwarded packets.
New Features in 2.5.7: To work around this problem, a MACLIST_TABLE option has been added to
shorewall.conf. The default value is MACLIST_TABLE=filter which results
1) The output of "shorewall dump" now includes a capabilities report in the current behavior. If MACLIST_TABLE=mangle then filtering will
such as the one produced by "shorewall show capabilities". take place out of the PREROUTING chain of the mangle table. Because
the REJECT target may not be used in the PREROUTING chain, the settings
2) The "plain" zone type has been replaced by "ipv4". The types MACLIST_DISPOSITION=REJECT and MACLIST_TABLE=mangle are incompatible.
"IPv4" and "IPV4" are synonyms for "ipv4". In addition, "IPSEC",
"ipsec4" and "IPSEC4" are recognized synonyms for "ipsec".
3) The NEWNOTSYN and LOGNEWNOTSYN options in shorewall.conf have been
removed as have the 'newnotsyn' options in /etc/shorewall/interfaces
and /etc/shorewall/hosts. See the Migration Considerations for
instructions if you wish to block "new-not-syn" TCP packets.
4) The "shorewall show zones" command now displays the zone type. You
must have restarted Shorewall using this release before this feature
will work correctly.
5) The multi-ISP code now requires that that you set MARK_IN_FORWARD_CHAIN=Yes
in shorewall.conf. This is done to ensure that "shorewall refresh" will
work correctly.
6) Shorewall now supports UDP IPP2P matching. In addition to the "ipp2p"
keyword in the PROTOCOL column of the relevant files, the following
values may be specified:
ipp2p:tcp Equivalent to ipp2p and matches TCP traffic
only.
ipp2p:udp Matches UDP traffic.
ipp2p:all Matches both UDP and TCP traffic. You may
not specify a SOURCE PORT with this PROTOCOL.
Migration Considerations: Migration Considerations:
@ -572,3 +545,34 @@ New Features in Shorewall 2.5.*
it prevents the route cache from being flushed which preserves the it prevents the route cache from being flushed which preserves the
mapping of end-point address pairs to routes. mapping of end-point address pairs to routes.
22) The output of "shorewall dump" now includes a capabilities report
such as the one produced by "shorewall show capabilities".
23) The "plain" zone type has been replaced by "ipv4". The types
"IPv4" and "IPV4" are synonyms for "ipv4". In addition, "IPSEC",
"ipsec4" and "IPSEC4" are recognized synonyms for "ipsec".
24) The NEWNOTSYN and LOGNEWNOTSYN options in shorewall.conf have been
removed as have the 'newnotsyn' options in /etc/shorewall/interfaces
and /etc/shorewall/hosts. See the Migration Considerations for
instructions if you wish to block "new-not-syn" TCP packets.
25) The "shorewall show zones" command now displays the zone type. You
must have restarted Shorewall using this release before this feature
will work correctly.
26) The multi-ISP code now requires that that you set MARK_IN_FORWARD_CHAIN=Yes
in shorewall.conf. This is done to ensure that "shorewall refresh" will
work correctly.
27) Shorewall now supports UDP IPP2P matching. In addition to the "ipp2p"
keyword in the PROTOCOL column of the relevant files, the following
values may be specified:
ipp2p:tcp Equivalent to ipp2p and matches TCP traffic
only.
ipp2p:udp Matches UDP traffic.
ipp2p:all Matches both UDP and TCP traffic. You may
not specify a SOURCE PORT with this PROTOCOL.