Minor updates for 1.4.9

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1070 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -17,3 +17,7 @@ Changes since 1.4.8
 8) Add /etc/shorewall/actions and /etc/shorewall/action.template
 
 9) Fix SNAT handling in DNAT rules.
+
+10) Change default to NEWNOTSYN=Yes
+
+11) Add rule to drop null source addressed ICMPs.

Shorewall/common.def

@@ -37,7 +37,12 @@ run_iptables -A common -d 224.0.0.0/4     -j DROP
 run_iptables -A common -p tcp --dport 113 -j reject
 ############################################################################
 # DNS -- Silenty drop late replies
+#
 run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
+############################################################################
+# ICMP -- Silently drop null-address ICMPs
+#
+run_iptables -A common -p icmp -s 0.0.0.0 -j DROP
 
 
 

Shorewall/releasenotes.txt

@@ -26,16 +26,19 @@ None.
 
 New Features:
 
-1) To cut down on the number of "Why are these ports closed rather than
+1) The documentation has been completely rebased to Docbook XML. The
+   documentation is now released as separate HTML and XML packages.
+
+2) To cut down on the number of "Why are these ports closed rather than
    stealthed?" questions, the SMB-related rules in
    /etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
 
-2) For easier identification, packets logged under the 'norfc1918'
+3) For easier identification, packets logged under the 'norfc1918'
    interface option are now logged out of chains named
    'rfc1918'. Previously, such packets were logged under chains named
    'logdrop'.
 
-3) Distributors and developers seem to be regularly inventing new
+4) Distributors and developers seem to be regularly inventing new
    naming conventions for kernel modules. To avoid the need to change
    Shorewall code for each new convention, the MODULE_SUFFIX option has
    been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
@@ -55,7 +58,7 @@ New Features:
 	    If all files end in ".kzo" then set MODULE_SUFFIX="kzo"
 	    If all files end in ".kz.o" then set MODULE_SUFFIX="kz.o"
 
-4) Support for user defined rule ACTIONS has been implemented through
+5) Support for user defined rule ACTIONS has been implemented through
    two new files:
 
    /etc/shorewall/actions         - used to list the user-defined ACTIONS.
@@ -80,3 +83,22 @@ New Features:
 
 	LOG:info
 	ACCEPT
+
+6) The default value for NEWNOTSYN in shorewall.conf is now "Yes"
+   (non-syn TCP packets that are not part of an existing connection are
+   filtered according to the rules and policies rather than being
+   dropped). I have made this change for two reasons:
+
+   a) NEWNOTSYN=No tends to result in lots of "stuck" connections since
+   any timeout during TCP session tear down results in the firewall
+   dropping all of the retries.
+
+   b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
+   lots of confusing messages when a connection got "stuck". While I
+   could have changed the default value of LOGNEWNOTSYN to suppress
+   logging, I dislike defaults that silently throw away packets.
+
+7) The common.def file now contains an entry that silently drops ICMP
+   packets with a null source address. Ad Koster reported a case where
+   these were occuring frequently as a result of a broken system on his
+   external network.    

Shorewall/shorewall.conf

@@ -448,8 +448,15 @@ MUTEX_TIMEOUT=60
 #
 # The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis 
 # using the 'newnotsyn' option in /etc/shorewall/interfaces.
+#
+# I find that NEWNOTSYN=No tends to result in lots of "stuck"
+# connections because any network timeout during TCP session tear down
+# results in retries being dropped (Netfilter has removed the
+# connection from the conntrack table but the end-points haven't
+# completed shutting down the connection).  I therefore have chosen
+# NEWNOTSYN=Yes as the default value.
 
-NEWNOTSYN=No
+NEWNOTSYN=Yes
 
 #
 # FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT

Shorewall/shorewall.spec

@@ -106,10 +106,11 @@ fi
 %attr(0444,root,root) /usr/share/shorewall/functions
 %attr(0544,root,root) /usr/share/shorewall/firewall
 %attr(0544,root,root) /usr/share/shorewall/help
-%doc documentation
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>
+- Remove Documentation from this RPM
 * Sun Dec 28 2003 Tom Eastep <tom@shorewall.net>
 - Updated for Beta 2
 * Sun Dec 07 2003 Tom Eastep <tom@shorewall.net>