forked from extern/shorewall_code
One-to-one NAT and updated common.def
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@790 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
dbfc838988
commit
64bd2c9035
@ -1,40 +1,5 @@
|
||||
Changes since 1.4.7
|
||||
Changes since 1.4.8
|
||||
|
||||
1) Applied patch from Tuomo Soini that fixes syntax error occuring with
|
||||
some versions of 'ash'.
|
||||
1) Replace "Static NAT" with "One-to-one NAT".
|
||||
|
||||
2) Applied Andrew Zhoglo's patch that avoids using multiport match for
|
||||
ICMP.
|
||||
|
||||
3) Added support for QUEUE target.
|
||||
|
||||
4) Fix error handling after "Unable to determine the routes..."
|
||||
|
||||
5) Fix handling of LOGUNCLEAN
|
||||
|
||||
6) Added BLACKLISTNEWONLY support.
|
||||
|
||||
7) Correct optimization for 'complex' zones.
|
||||
|
||||
8) Fix tcrules processing.
|
||||
|
||||
9) Liberalize chain names used in the accounting file.
|
||||
|
||||
10) Fix the fix for 'complex' zones (twice).
|
||||
|
||||
11) Remove incorrect comment from shorewall.conf regarding Debian
|
||||
lockfiles.
|
||||
|
||||
12) Change "_exists" suffix (including _nat_exists) to an "exists_"
|
||||
prefix to allow chain names beginning with a digit without
|
||||
lengthening the variable name.
|
||||
|
||||
13) Applied and improved Eric Bowles's fix for route filtering.
|
||||
|
||||
14) Corrected handling of /32 addresses with broadcast in maclist
|
||||
processing.
|
||||
|
||||
15) Generate error for NONE policy where source or destination zone is
|
||||
the firewall itself.
|
||||
|
||||
16) Fix 'routeback' for wildcard interfaces.
|
||||
2) Change SMB common rules to DROP.
|
||||
|
||||
@ -16,12 +16,12 @@ run_iptables -A common -p icmp -j icmpdef
|
||||
############################################################################
|
||||
# NETBIOS chatter
|
||||
#
|
||||
run_iptables -A common -p udp --dport 135 -j reject
|
||||
run_iptables -A common -p udp --dport 137:139 -j reject
|
||||
run_iptables -A common -p udp --dport 445 -j reject
|
||||
run_iptables -A common -p tcp --dport 139 -j reject
|
||||
run_iptables -A common -p tcp --dport 445 -j reject
|
||||
run_iptables -A common -p tcp --dport 135 -j reject
|
||||
run_iptables -A common -p udp --dport 135 -j DROP
|
||||
run_iptables -A common -p udp --dport 137:139 -j DROP
|
||||
run_iptables -A common -p udp --dport 445 -j DROP
|
||||
run_iptables -A common -p tcp --dport 139 -j DROP
|
||||
run_iptables -A common -p tcp --dport 445 -j DROP
|
||||
run_iptables -A common -p tcp --dport 135 -j DROP
|
||||
############################################################################
|
||||
# UPnP
|
||||
#
|
||||
|
||||
@ -103,6 +103,11 @@
|
||||
# This option has no effect if
|
||||
# NEWNOTSYN=Yes.
|
||||
#
|
||||
# routeback - If specified, indicates that Shorewall
|
||||
# should include rules that allow filtering
|
||||
# traffic arriving on this interface back
|
||||
# out that same interface.
|
||||
#
|
||||
# arp_filter - If specified, this interface will only
|
||||
# respond to ARP who-has requests for IP
|
||||
# addresses configured on the interface.
|
||||
|
||||
@ -4,11 +4,12 @@
|
||||
#
|
||||
# /etc/shorewall/nat
|
||||
#
|
||||
# This file is used to define static Network Address Translation (NAT).
|
||||
# This file is used to define one-to-one Network Address Translation
|
||||
# (NAT).
|
||||
#
|
||||
# WARNING: If all you want to do is simple port forwarding, do NOT use this
|
||||
# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
|
||||
# cases, Proxy ARP is a better solution that static NAT.
|
||||
# cases, Proxy ARP is a better solution that one-to-one NAT.
|
||||
#
|
||||
# Columns must be separated by white space and are:
|
||||
#
|
||||
|
||||
@ -1,114 +1,24 @@
|
||||
This is a minor release of Shorewall.
|
||||
|
||||
Problems Corrected since version 1.4.7:
|
||||
Problems Corrected since version 1.4.8:
|
||||
|
||||
1) Tuomo Soini has supplied a correction to a problem that occurs using
|
||||
some versions of 'ash'. The symptom is that "shorewall start" fails
|
||||
with:
|
||||
|
||||
local: --limit: bad variable name
|
||||
iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so:
|
||||
cannot open shared object file: No such file or directory
|
||||
Try `iptables -h' or 'iptables --help' for more information.
|
||||
|
||||
2) Andres Zhoglo has supplied a correction that avoids trying to use
|
||||
the multiport match iptables facility on ICMP rules.
|
||||
|
||||
Example of rule that previously caused "shorewall start" to fail:
|
||||
|
||||
ACCEPT loc $FW icmp 0,8,11,12
|
||||
|
||||
3) Previously, if the following error message was issued, Shorewall
|
||||
was left in an inconsistent state.
|
||||
|
||||
Error: Unable to determine the routes through interface xxx
|
||||
|
||||
4) Handling of the LOGUNCLEAN option in shorewall.conf has been
|
||||
corrected.
|
||||
|
||||
5) In Shorewall 1.4.2, an optimization was added. This optimization
|
||||
involved creating a chain named "<zone>_frwd" for most zones
|
||||
defined using the /etc/shorewall/hosts file. It has since been
|
||||
discovered that in many cases these new chains contain redundant
|
||||
rules and that the "optimization" turns out to be less than
|
||||
optimal. The implementation has now been corrected.
|
||||
|
||||
6) When the MARK value in a tcrules entry is followed by ":F" or ":P",
|
||||
the ":F" or ":P" was previously only applied to the first Netfilter
|
||||
rule generated by the entry. It is now applied to all entries.
|
||||
|
||||
7) The original fix for item 5) above contained a bug which caused the
|
||||
"<zone>_frwd" chain to have too few rules. That has been corrected
|
||||
(twice).
|
||||
|
||||
8) An incorrect comment concerning Debian's use of the SYBSYSLOCK
|
||||
option has been removed from shorewall.conf.
|
||||
|
||||
9) Previously, neither the 'routefilter' interface option nor the
|
||||
ROUTE_FILTER parameter were working properly. This has been
|
||||
corrected (thanks to Eric Bowles for his patch). The definition
|
||||
of the ROUTE_FILTER option has changed however. Previously,
|
||||
ROUTE_FILTER=Yes was documented as enabling route filtering on all
|
||||
interfaces (which didn't work). Beginning with this release, setting
|
||||
ROUTE_FILTER=Yes will enable route filtering of all interfaces
|
||||
brought up while Shorewall is started. As a consequence,
|
||||
ROUTE_FILTER=Yes can coexist with the use of the 'routefilter'
|
||||
option in the interfaces file.
|
||||
|
||||
10) If MAC verification was enabled on an interface that had a /32
|
||||
address with a broadcast address then an error would occur during
|
||||
startup.
|
||||
|
||||
11) The NONE policy's intended use is to suppress the generating of
|
||||
rules that can't possibly be traversed. This means that a policy of
|
||||
NONE is inappropriate where the source or destination zone is
|
||||
$FW. Shorewall now generates an error message if such a policy is
|
||||
given in /etc/shorewall/policy. Previously such a policy caused
|
||||
"shorewall start" to fail.
|
||||
|
||||
12) The 'routeback' option was broken for wildcard interfaces (e.g.,
|
||||
"tun+"). This has been corrected so that 'routeback' now works as
|
||||
expected in this case.
|
||||
1) There has been a low level of confusion over the terms "Source NAT" (SNAT)
|
||||
and "Static NAT". To avoid future confusion, all instances of "Static
|
||||
NAT" have been replaced with "One-to-one NAT" in the documentation and
|
||||
configuration files.
|
||||
|
||||
Migration Issues:
|
||||
|
||||
1. The definition of the ROUTE_FILTER option in shorewall.conf has
|
||||
changed as described in item 9) above.
|
||||
None.
|
||||
|
||||
New Features:
|
||||
|
||||
1. A new QUEUE action has been introduced for rules. QUEUE allows you
|
||||
to pass connection requests to a user-space filter such as ftwall
|
||||
(http://p2pwall.sourceforge.net). The ftwall program allows for
|
||||
effective filtering of p2p applications such as Kazaa.
|
||||
|
||||
For example, to use ftwall to filter P2P clients in your 'loc' zone,
|
||||
you would add the following rules:
|
||||
|
||||
QUEUE loc net tcp
|
||||
QUEUE loc net udp
|
||||
QUEUE loc fw udp
|
||||
|
||||
You would normally want to place those three rules BEFORE any ACCEPT
|
||||
rules for loc->net or loc->fw udp or tcp.
|
||||
|
||||
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
|
||||
Shorewall will only pass connection requests (SYN packets) to user
|
||||
space. This is for compatibility with ftwall.
|
||||
|
||||
2. A BLACKLISTNEWNONLY option has been added to shorewall.conf. When
|
||||
this option is set to "Yes", the blacklists (dynamic and static)
|
||||
are only consulted for new connection requests. When set to "No"
|
||||
(the default if the variable is not set), the blacklists are
|
||||
consulted on every packet.
|
||||
|
||||
Setting this option to "No" allows blacklisting to stop existing
|
||||
connections from a newly blacklisted host but is more expensive in
|
||||
terms of packet processing time. This is especially true if the
|
||||
blacklists contain a large number of entries.
|
||||
|
||||
3. Chain names used in the /etc/shorewall/accounting file may now begin
|
||||
with a digit ([0-9]) and may contain embedded dashes ("-").
|
||||
1) To cut down on the number of "Why are these ports closed rather than
|
||||
sealthed?" questions, the SMB-related rules in
|
||||
/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user