Clean up release notes

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-05-23 06:55:54 -07:00
parent 54f9a0e671
commit 7c250cd5b3


@ -33,17 +33,18 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
1) The implementation of the environmental variables LIBEXEC and 1) The implementation of the environmental variables LIBEXEC and
PERLLIB that was introduced in 4.4.19 has been changed PERLLIB that was introduced in 4.4.19 has been changed
slightly. The installers now allow absolute path names to be slightly. The installers now allow absolute path names to be
supplied so that the executables and/or Perl modules may be supplied in these variables so that the executables and/or Perl
installed under a top-level directory other than /usr. The change modules may be installed under a top-level directory other than
is compatible with 4.4.19 in that if a relative path name is /usr. The change is compatible with 4.4.19 in that if a relative
supplied, then '/usr/' is prepended to the name. path name is supplied, then '/usr/' is prepended to the supplied
name.
2) A new ACCOUNTING_TABLE option has been added to shorewall.conf and 2) A new ACCOUNTING_TABLE option has been added to shorewall.conf and
shorwall6.conf. The setting determines the Netfilter table (filter shorewall6.conf. The setting determines the Netfilter table (filter
or mangle) where accounting rules are created. or mangle) where accounting rules are created.
When ACCOUNTING_TABLE=mangle, the allowable sections in the When ACCOUNTING_TABLE=mangle, the allowable accounting file
accounting file are as follows: sections are:
PREROUTING PREROUTING
INPUT INPUT
@ -74,11 +75,13 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
release. release.
Use 'shorewall show capabilities' after installing this release Use 'shorewall show capabilities' after installing this release
to see if your kernel/iptables support the AUDIT target. to see if your kernel and iptables support the AUDIT target.
b) In /etc/shorewall/policy's POLICY column, the policy (and b) In /etc/shorewall/policy's POLICY column, the policy (and
default action, if any) may be followed by ':audit' to cause default action, if any) may be followed by ':audit' to cause
application of the policy to be audited. applications of the policy to be audited. This means that any
NEW connection that does not match any rule in the rules file
or in the applicable 'default action' will be audited.
Only ACCEPT, DROP and REJECT policies may be audited. Only ACCEPT, DROP and REJECT policies may be audited.
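Review bot: In item b), the added sentence "any NEW connection that does not match any rule in the rules file or in the applicable 'default action' will be audited" is not scoped to the policy entry that carries ':audit', so it can be read as applying to every connection that falls through the rules. Suggest "any NEW connection handled by that policy and not matched by a rule in the rules file or in the applicable 'default action'". The change from "application" to "applications" also reads less naturally than the original singular.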
@ -111,7 +114,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
BLACKLIST_DISPOSITION A_DROP or A_REJECT BLACKLIST_DISPOSITION A_DROP or A_REJECT
MACLIST_DISPOSITION A_DROP MACLIST_DISPOSITION A_DROP
A_REJECT, unless A_REJECT, unless
MACLIST_TABLE=mangle MACLIST_TABLE=mangle
TCP_FLAGS_DISPOSITION A_DROP or A_REJECT TCP_FLAGS_DISPOSITION A_DROP or A_REJECT
e) A SMURF_DISPOSITION option has been added to e) A SMURF_DISPOSITION option has been added to
@ -120,8 +123,8 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
f) An 'audit' option has been added to the f) An 'audit' option has been added to the
/etc/shorewall/blacklist file which causes the packets matching /etc/shorewall/blacklist file which causes the packets matching
the entryto be audited. 'audit' may not be specified together the entry to be audited. 'audit' may not be specified together
with 'accept'. with 'whitelist'.
g) The builtin actions (dropBroadcast, rejNonSyn, etc.) now support g) The builtin actions (dropBroadcast, rejNonSyn, etc.) now support
an 'audit' parameter which causes all ACCEPT, DROP and REJECTs an 'audit' parameter which causes all ACCEPT, DROP and REJECTs
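Review bot: In item f), replacing 'accept' with 'whitelist' changes which option the notes say 'audit' conflicts with, which is a factual correction rather than cleanup, and the commit message does not mention it. Please confirm that 'whitelist' matches the option name the blacklist file actually accepts, and call the correction out in the commit message so readers of the earlier text know it was wrong.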
@ -130,14 +133,19 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
(action.Drop and action.Reject). (action.Drop and action.Reject).
Note: The builtin actions are those actions listed in the Note: The builtin actions are those actions listed in the
output of 'shorewall show actions' whose names begin with a output of 'shorewall show actions' with names begin with a
lower-case letter. lower-case letter.
Example:
#ACTION SOURCE DEST
rejNonSyn(audit) net all
6) Up to this release, the behaviors of 'start -f' and 'restart -f' 6) Up to this release, the behaviors of 'start -f' and 'restart -f'
has been inconsistent with AUTOMAKE=Yes. The 'start -f' and has been inconsistent. The 'start -f' command compares the
'restart -f' commands compares the modification times of modification times of /etc/shorewall[6] with
/etc/shorewall[6] with /var/lib/shorewall[6]/restore while /var/lib/shorewall[6]/restore while 'restart -f' compares with
AUTOMAKE compares with /var/lib/shorewall[6]/firewall. /var/lib/shorewall[6]/firewall.
To make the two consistent, a new LEGACY_FASTSTART option has been To make the two consistent, a new LEGACY_FASTSTART option has been
added. The default value when the option isn't specified is added. The default value when the option isn't specified is
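Review bot: In the Note under item g), the new wording "with names begin with a lower-case letter" is ungrammatical where the old "whose names begin with" was correct; keep the original or use "with names beginning with". In item 6 the context still has "the behaviors ... has been inconsistent" (should be "have been"), and the rewrite drops AUTOMAKE from the comparison entirely, so it is worth checking that 'restart -f' is really the command that compares against /var/lib/shorewall[6]/firewall.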
@ -217,6 +225,8 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
17) A 'Universal' sample configuration is now availale for a 17) A 'Universal' sample configuration is now availale for a
'plug-and-play' firewall. 'plug-and-play' firewall.
18) Support for the AUDIT iptables target has been added.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
V. M I G R A T I O N I S S U E S V. M I G R A T I O N I S S U E S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
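Review bot: The context line for item 17 still reads "availale"; a cleanup pass over these notes should correct it to "available". The new item 18 is a single sentence, so a pointer to the section that describes ':audit', the A_DROP/A_REJECT dispositions and the 'audit' option would help readers find the detail.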