From 723d0823be4a784b19647789e67d0be5f4655ade Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 12 Mar 2005 20:55:45 +0000
Subject: [PATCH] Shorewall-2.2.2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2002 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-Website/shorewall_index.htm | 97 ++++++++++++++++++++++++---
 1 file changed, 89 insertions(+), 8 deletions(-)

diff --git a/Shorewall-Website/shorewall_index.htm b/Shorewall-Website/shorewall_index.htm
index e334d71b9..7ecd3eb79 100644
--- a/Shorewall-Website/shorewall_index.htm
+++ b/Shorewall-Website/shorewall_index.htm
@@ -28,12 +28,12 @@ to 2.x releases of Shorewall. For older versions:

target="_top">here.

-

The current 2.2 Stable Release is 2.2.1 -- Here are the release +

The current 2.2 Stable Release is 2.2.2 -- Here are the release notes and here are the known + href="http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.2/known_problems.txt">known problems and updates.
+ href="http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.2/errata/">updates.

GNU Free Documentation License”.

-

2005-02-15

+

2005-03-12


Table of Contents

Introduction @@ -64,7 +64,9 @@ Shorewall on Mandrake® with a two-interface setup?
License

News

Shorewall + style="text-decoration: underline;">Shorewall +2.2.2
+Shorewall 2.2.1
End of Support for Shorewall 1.4
Shorewall @@ -126,7 +128,7 @@ that most closely matches your environment and follow the step by step instructions.

Looking for Information?

The Documentation -Index is a good place to start as is the Quick Search in the +Index is a good place to start as is the Site Search in the frame above.

Running Shorewall on Mandrake® with a two-interface setup?

@@ -137,7 +139,7 @@ uninstalling what you have and installing a setup that matches the documentation on this site. See the Two-interface QuickStart Guide for details.

-Update: I've been +Update: I have been informed by Mandrake Development that this problem has been corrected in Mandrake 10.0 Final (the problem still exists in the 10.0 Community release).

@@ -164,6 +166,81 @@ of the license is included in the section entitled "GNU Free Documentation License".


News

+03/12/2005 +Shorewall 2.2.2
+

+Problems Corrected:
+
    +
  1. The SOURCE column in the /etc/shorewall/tcrules file now +correctly allows IP ranges (assuming that your iptables and kernel +support ranges).
    +
  2. +
  3. If A is a user-defined action and you have file /etc/shorewall/A +then when that file is invoked by Shorewall during [re]start, the $TAG +value may be incorrect.
  4. +
  5. Previously, if an iptables command generating a logging rule +failed, the Shorewall [re]start was still successful. This error is now +considered fatal and Shorewall will be either restored from the last +save (if any) or it will be stopped.
  6. +
  7. The port numbers for UDP and TCP were previously reversed in the +/usr/share/shorewall/action.AllowPCA file.
  8. +
  9. Previously, the 'install.sh' script did not update the +/usr/share/shorewall/action.* files.
  10. +
  11. Previously, when an interface name appeared in the DEST column of +/etc/shorewall/tcrules, the name was not validated against the set of +defined interfaces and bridge ports.
    +
  12. +
+New Features:
+
    +
  1. The SOURCE column in the /etc/shorewall/tcrules file now allows +$FW to be optionally followed by ":" and a host/network address or +address range.
  2. +
  3. Shorewall now clears the output device only if it is a terminal. +This avoids ugly control sequences being placed in files when +/sbin/shorewall output is redirected.
  4. +
  5. The output from 'arp -na' has been added to the 'shorewall +status' display.
  6. +
  7. The 2.6.11 Linux kernel and iptables 1.3.0 now allow port ranges +to appear in port lists handled by "multiport match". If Shorewall +detects this capability, it will use "multiport match" for port lists +containing port ranges. Be cautioned that each port range counts for +TWO ports and a port list handled with "multiport match" can still +specify a maximum of 15 ports.
    +
    +As always, if a port list in /etc/shorewall/rules is incompatible with +"multiport match", a separate iptables rule will be generated for each +element in the list.
  8. +
  9. Traditionally, the RETURN target in the 'rfc1918' file has caused +'norfc1918' processing to cease for a packet if the packet's source IP +address matches the rule. Thus, if you have:
    +
    +    +SUBNETS          TARGET
    +    +192.168.1.0/24   RETURN
    +
    +then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though +you also have:
    +
    +    +SUBNETS          TARGET
    +    +10.0.0.0/8       logdrop
    +
    +Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to +be logged and dropped since while the packet's source matches the +RETURN rule, the packet's destination matches the 'logdrop' rule.
    +
    +If not specified or specified as empty (e.g., RFC1918_STRICT="") then +RFC1918_STRICT=No is assumed.
    +
    +WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables +support 'Connection Tracking' match.
    +
  10. +
02/15/2005 Shorewall 2.2.1
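Review bot: The RFC1918_STRICT entry at the end of "New Features" warns that RFC1918_STRICT=Yes "requires that your kernel and iptables support 'Connection Tracking' match" but does not say what happens on [re]start when that support is missing. State whether Shorewall fails to start or ignores the setting, since ignoring it would leave the permissive RETURN behaviour in place without the administrator knowing. In the same hunk, the user-defined action entry under "Problems Corrected" only describes the fault ("the $TAG value may be incorrect") and never says it is fixed; word it like the neighbouring "Previously, ..." items. The logging-rule entry also changes failure handling (Shorewall is now restored from the last save or stopped), which is worth calling out as an upgrade note, not only as a fix.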

@@ -317,6 +394,10 @@ that level for all rules recursively invoked by the action

Example: /etc/shorewall/action.foo:

+ Update: I've been +informed by Mandrake Development that this problem has been corrected +in Mandrake 10.0 Final (the problem still exists in the 10.0 +Community release).
ACCEPT    -    -    tcp    22
bar:info
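Review bot: The four added lines put the Mandrake paragraph ("Update: I've been informed by Mandrake Development ...") between "Example: /etc/shorewall/action.foo:" and the example's rule line "ACCEPT - - tcp 22", where it is unrelated to the action example and splits it in two. The same paragraph is already edited in the @@ -137,7 +139,7 @@ hunk, where this patch changes the wording to "I have been", so this looks like a stray paste. Drop these lines from this hunk, or if a second copy is intended, move it out of the example and use the same "I have been" wording.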