holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Update the web site for 3.2.8

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5240 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-01-17 00:09:16 +00:00
parent a7140da85b
commit 7735d5d8d7
2 changed files with 24 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
web/News.htm
View File

@ -11,7 +11,7 @@
</h1>
<span style="font-weight: bold;">Tom Eastep<br>
<br>
</span>Copyright © 2001-2006 Thomas M. Eastep<br>
</span>Copyright © 2001-2007 Thomas M. Eastep<br>
<p>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation;
@ -20,21 +20,32 @@ Texts. A copy of the license is included in the section entitled “<span
class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free
Documentation License</a></span>”.<br>
</p>
<p>December 14, 2006<br>
<p>January 16, 2007<br>
</p>
<hr style="width: 100%; height: 2px;">
<p></p>
<!-- Shorewall Release 3.0.5 -->
<span style="font-weight: bold;">2006-11-14 Shorewall 3.2.7<br>
<!-- Shorewall Release 3.0.5 --> <span style="font-weight: bold;">2007-01-16
Shorewall 3.2.8<br>
</span><span style="font-weight: bold;"></span>
<pre>Problems Corrected in 3.2.8<br><br>1) The 'ash' shell produced an error when processing an entry with a<br> log tag from /etc/shorewall/rules.<br><br>2) If the file /etc/shorewall/init did not exist, then the compiler<br> would incorrectly copy /usr/share/shorewall/init into the<br> compiled script. /usr/share/shorewall/init is a symbolic link<br> to the Shorewall init script (usually /etc/init.d/shorewall).<br><br>3) Previously, "ipp2p:udp" was incorrectly rejected in the PROTO<br> column of an action definition.<br><br>Other Changes in 3.2.8.<br><br>1) New macros for network printing protocols have been added,<br> courtesy of Tuomo Soini. Tuomo also provided a macro for TFTP.<br><br> The print-oriented macros are:<br><br> macro.IPP<br> macro.Jetdirect<br> macro.Printer<br></pre>
<span style="font-weight: bold;"></span><span style="font-weight: bold;"></span>
<pre><span style="font-weight: bold;"></span></pre>
<hr style="width: 100%; height: 2px;">
<pre><span style="font-weight: bold;">2006-12-14 Shorewall 3.2.7</span><br></pre>
<pre>Problems Corrected in 3.2.7<br><br>1) Handling of saved ipsets in /etc/shorewall/ipsets is broken when<br> used on a system running Shorewall Lite. If there is a file named<br> 'ipsets' on the CONFIG_PATH when the firewall script is compiled,<br> then the compiled script attempts to restore the ipsets from that<br> file (which may not exist on the firewall system).<br><br>2) The 'try' command failed on systems whose /bin/sh is Busybox ash:<br><br> /sbin/shorewall: export: 2158: Illegal option -n<br><br>3) Previously, Shorewall has assumed that the root user is named<br> 'root'. Beginning with this release, the root user may have a<br> different name. This required the addition of an '-r' option for<br> the 'shorewall load' and 'shorewall reload' commands.<br><br> [re]load [ -e ] [ -c ] [ -r &lt;root user&gt; ] [ &lt;dir&gt; ] system<br><br> Example: shorewall reload -r foobar firewall<br><br>4) On systems with a light-weight shell such as ash or dash for /bin/sh,<br> the output of "shorewall show macros" was garbled.<br><br>Other Changes in 3.2.7<br><br>1) Prior to this release, on firewall systems with Shorewall Lite<br> installed, the local modules file is used to determine which kernel<br> modules to load. Beginning with this release, if there is a<br> 'modules' file in the export directory when the firewall script is<br> compiled, then that file will be copied into the compiled script<br> and used on the firewall system.<br><br>2) When syslogd is run with the -C option (which in some<br> implementations causes syslogd to log to an in-memory circular<br> buffer), /sbin/shorewall will now use the 'logread' command to read<br> the log from that buffer. This is for combatibility with OpenWRT.<br><br>3) Failures of the start, restart and restore commands are now logged<br> using 'logger'. These failures are logged with the 'kern' facility <br> and 'err' priority. As part of this change, normal state changes<br> are now logged with the 'kern' facility and 'info' priority.<br></pre>
<span style="font-weight: bold;">2006-11-18 Shorewall 3.2.6<br>
<span style="font-weight: bold;"></span>
<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">2006-11-18
Shorewall 3.2.6<br>
</span><span style="font-weight: bold;"></span>
<pre>Problems Corrected in 3.2.6.<br><br>1) When using a light-weight shell (e.g., ash) with multiple<br>providers, the /etc/iproute2/rt_tables database may become corrupted.<br><br>2) A startup error occurred when the LENGTH or TOS column was<br> non-empty in /etc/shorewall/tcrules.<br><br>3) A startup error resulted when whitespace as included in LOGFORMAT.<br><br>4) Previously, when conntrack match support was not available, the<br> 'norfc1918' option on an interface or host group was incorrectly<br> filtering IPSEC traffic whose source IP address was reserved by RFC<br> 1918.<br><br>5) If a DNAT or REDIRECT rule was used where the effective policy<br> between the source and final destination zones is ACCEPT, the ACCEPT<br> part of the rule was not generated. This was intended as an<br> optimizaiton but it could lead to confusing results if there was a<br> DROP or REJECT rule following.<br><br> This optimization has been removed. You may always use DNAT- and<br> REDIRECT- to suppress generation of the ACCEPT rule.<br><br>6) Shorewall[-lite] previously would return an error exit status to a<br> "start" command where Shorewall was already running. It not returns<br> a "success" status.<br><br>7) The install.sh scripst have been corrected to work properly when <br> used to create packages on Slackware and Arch Linux.<br><br>5) A change in version 3.2.5 broke Mac Filtration in some<br> cases. Result was:<br><br> Setting up MAC Filtration -- Phase 1...<br> iptables v1.3.6: policy match: invalid policy `--dir'<br> Try `iptables -h' or 'iptables --help' for more information.<br> ERROR: Command "/sbin/iptables -A eth1_fwd -s 0.0.0.0/0 -m state <br> --state NEW -m policy --pol --dir in -j eth1_mac" Failed<br><br>6) At VERBOSITY 1 and higher, the 'shorewall add' and 'shorewall<br> delete' commands generated a fractured message. The message<br> contents depended in the setting of IPSECFILE as follows:<br><br> IPSECFILE=ipsec<br><br> ipsec...<br><br> IPSECFILE=zones<br><br> IPSEC...<br><br> The messages have been corrected and are only produced at VERBOSITY<br> 2 and higher as follows:<br><br> IPSECFILE=ipsec<br><br> Processing /etc/shorewall/ipsec...<br><br> IPSECFILE=zones<br><br> Processing IPSEC...<br><br>7) Previously, when &lt;action&gt;:none appeared in a rule, the name of the<br> action chain created was preceded by "%" and might have a one- or<br> two-digit number appended. If both &lt;action&gt; and &lt;action&gt;:none<br> appeared, then two chains were created. This has been corrected<br> such that &lt;action&gt; and &lt;action&gt;:none are treated identically.<br><br>8) If SAVE_IPSETS=Yes in shorewall.conf, the "shorewall[-lite] save"<br> command produced error messages as follows:<br><br> Dynamic Rules Saved<br> Currently-running Configuration Saved to /var/lib/shorewall/restore<br> grep: /var/lib/shorewall/restore-base: No such file or directory<br> grep: /var/lib/shorewall/restore-base: No such file or directory<br> Current Ipset Contents Saved to<br> /var/lib/shorewall/restore-ipsets<br><br>9) If BRIDGING=No in shorewall.conf, then an attempt to define a zone<br> using ipsets fails as follows:<br><br> ERROR: BRIDGING=Yes is needed for this zone definition: z eth0:+iset<br><br>Other Changes in 3.2.6.<br><br>1) The "shorewall [re]load" command now supports a "-c" option.<br><br> Example:<br><br> shorewall reload -c gateway<br><br> When -c is given, Shorewall will capture the capabilities of the<br> remote system to a file named "capabilities" in the export<br> directory before compiling the configuration.<br><br> If the file "capabilities" does not currently exist in the <br> export directory then "-c" is automatically assumed.<br><br>2) If 0 (zero) is specified for the IN-BANDWIDTH in<br> /etc/shorewall/tcdevices then no ingress qdisc will be created for<br> the device.<br></pre>
<span style="font-weight: bold;">2006-10-28 Shorewall 3.2.5<br>
<span style="font-weight: bold;"></span>
<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">2006-10-28
Shorewall 3.2.5<br>
</span><span style="font-weight: bold;"></span>
<pre>Problems Corrected in 3.2.5<br><br>1) Entries such as the following in /etc/shorewall/masq generate a<br> run-time error:<br><br> eth0 eth1!192.168.1.12 206.124.146.176<br><br> Omitting the exclusion (!192.168.1.12) avoids the error.<br><br>2) Previously, the 'provider' portion of the packet mark was not being<br> cleared after routing for traffic that originates on the firewall<br> itself.<br><br>3) In prior releases, it was not possible to mark an outgoing packet<br> with a high mark (HIGH_ROUTE_MARKS=Yes) when the packet originated<br> on the firewall itself.<br><br>4) The detected capabilities were not displayed by 'shorewall dump'<br> when the effective VERBOSITY was less than 2.<br><br>Other changes in 3.2.5<br><br>1) For users whose kernel and iptables have Extended MARK Target<br> support, it is now possible to logically AND or OR a value into the<br> current packet mark by preceding the mark value (and optional mask)<br> with an ampersand ("&amp;") or vertical bar ("|") respectively.<br><br> Example: To logically OR the value 4 into the mark value for<br> packets from 192.168.1.1:<br><br> #MARK SOURCE<br> |4 192.168.1.1<br><br>2) A new macro (macro.RDP) has been added for Microsoft Remote<br> Desktop. This macro was contributed by Tuomo Soini.<br><br>3) A new 'maclog' extension file has been added. This file is<br> processed just before logging based on the setting of<br> MACLIST_LOG_LEVEL is done. When the script is copyied at compile<br> time, the CHAIN variable will contain the name of the chain where<br> rules should be inserted. Remember that if you have specified<br> MACLIST_TABLE=mangle, then your run_iptables commands should<br> include "-t mangle".<br><br>4) Beginning with this release, Shorewall and Shorewall lite will<br> share the same change log and release notes.<br></pre>
<span style="font-weight: bold;">2006-10-6 Shorewall 3.0.9<br>
<span style="font-weight: bold;"></span>
<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">2006-10-6
Shorewall 3.0.9<br>
</span><span style="font-weight: bold;"></span>
<pre>Problems corrected in 3.0.9<br><br>1) When using a light-weight shell like ash or dash, "shorewall<br> [re]start" fails when using the built-in traffic shaper. The error<br> messages resemble these:<br><br> local: 3: eth0:: bad variable name<br> ERROR: Command "tc class add dev eth0 parent 1: classid 1:1 htb rate 800kbit mtu" Failed<br><br>2) The output formating of the 'hits' command under BusyBox 1.2.0 has<br> been corrected.<br><br>3) In prior versions, setting 'mss=' in /etc/shorewall/zones did not<br> affect traffic to/from the firewall zone. That has been corrected.<br><br>4) Previously, using IP address ranges in the accounting file could<br> cause non-fatal iptables errors during shorewall [re]start.<br><br>Other changes in 3.0.9<br><br>1) It is now possible to use the special value 'detect' in the ADDRESS<br> column of /etc/shorewall/masq. This allows you to specify SNAT (as<br> opposed to MASQUERADE) without having to know the ip address of the<br> external interface. Shorewall must be restarted each time that the<br> external address (the address of the interface named in the<br> INTERFACE column) changes.<br><br>2) Experimental optimization for PPP devices has been added to the<br> providers file. If you omit the GATEWAY column for a ppp device (or<br> enter "-" in the column) then Shorewall will generate routes<br> for the named INTERFACE that do not specify a gateway IP address<br> (the peer address will be assumed).<br><br>3) Normally, Shorewall tries to protect users from themselves by<br> preventing PREROUTING and OUTPUT tcrules from being applied to<br> packets that have been marked by the 'track' option in<br> /etc/shorewall/providers.<br><br> If you really know what you are doing and understand packet marking<br> thoroughly, you can set TC_EXPERT=Yes in shorewall.conf and<br> Shorewall will not include these cautionary checks.<br><br>4) Previously, CLASSIFY tcrules were always processed out of the<br> POSTROUTING chain. Beginning with this release, they are processed<br> out of the POSTROUTING chain *except* when the SOURCE is<br> $FW[:&lt;address&gt;] in which case the rule is processed out of the<br> OUTPUT chain.<br></pre>
<span style="font-weight: bold;"></span>

12
web/shorewall_index.htm
View File

@ -12,7 +12,7 @@
<body dir="ltr" lang="en-US">
<h1>Shoreline Firewall (Shorewall)</h1>
<p>Copyright
© 2001-2006 Thomas M. Eastep</p>
© 2001-2007 Thomas M. Eastep</p>
<p>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software
@ -20,7 +20,7 @@ Foundation; with no Invariant Sections, with no Front-Cover, and with
no Back-Cover Texts. A copy of the license is included in the section
entitled “<a href="GnuCopyright.htm" target="_self">GNU Free
Documentation License</a>”.</p>
<p>2006-12-27</p>
<p>2007-01-16</p>
<hr>
<h2>Table of Contents</h2>
<p style="margin-left: 0.42in; margin-bottom: 0in;"><a href="#Intro">Introduction
@ -104,17 +104,17 @@ Features page</a>.<br>
<h3><a name="Releases"></a>Current Shorewall Versions</h3>
<p style="margin-left: 40px;">The <span style="font-weight: bold;">current
Stable Release</span> version
is&nbsp; 3.2.7<br>
is&nbsp; 3.2.8<br>
</p>
<ul style="margin-left: 40px;">
<li>Here are the <a
href="http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.7/releasenotes.txt">release
href="http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.8/releasenotes.txt">release
notes</a> <br>
</li>
<li>Here are the <a
href="http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.7/known_problems.txt">known
href="http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.8/known_problems.txt">known
problems</a> and <a
href="http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.7/errata/">updates</a>.</li>
href="http://www.shorewall.net/pub/shorewall/3.2/shorewall-3.2.8/errata/">updates</a>.</li>
</ul>
<div style="margin-left: 40px;">The <span style="font-weight: bold;">previous
Stable Release</span> version is 3.0.9<br>