diff --git a/Shorewall-docs/Documentation.htm b/Shorewall-docs/Documentation.htm index 07d3e3f14..91a28b4ad 100644 --- a/Shorewall-docs/Documentation.htm +++ b/Shorewall-docs/Documentation.htm @@ -105,6 +105,15 @@ rules. This file was added in version 1.4.7.
(/var/lib/shorewall in version 1.3.2-1.3.8 and /usr/lib/shorewall beginning in version 1.3.9) that describes the version of Shorewall installed on your system. +
  • users and +usersets - files in /etc/shorewall allowing connections originating +on the firewall to be policed by the user id and/or group id of the +user.
  • +
  • actions and action.template - +files in /etc/shorewall that allow you to define your own actions for +rules in /etc/shorewall/rules.
    +
  • /etc/shorewall/params

    You may use the file /etc/shorewall/params file to set shell @@ -1189,6 +1198,9 @@ facility is provided to allow interfacing to +

  • A <user-defined +action> (Shorewall 1.4.9 and later)
    +
  • Beginning with Shorewall version 1.4.7, you may rate-limit the rule by optionally following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
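
Review bot: the new ACTION entry "A <user-defined action> (Shorewall 1.4.9 and later)" gives no pointer to where such an action is defined. The file list near the top of this page gains an "actions and action.template" bullet in the same patch; name /etc/shorewall/actions in this entry (or link to that bullet) so the rules reference and the file list agree. That bullet also omits the "1.4.9 and later" version tag used here, while the entry beside it states its version ("This file was added in version 1.4.7"); add the tag there for consistency.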
    @@ -2846,7 +2858,7 @@ Validation Documentation.

    /etc/shorewall/ecn (Added in Version 1.4.0)

    This file is described in the ECN Control Documentation.
    -

    Updated 11/15/2003 - Tom +

    Updated 12/08/2003 - Tom Eastep

    Copyright ©

  • /etc/shorewall/accounting - define IP traffic accounting rules
  • /etc/shorewall/usersets and /etc/shorewall/users - define sets of users/groups with -similar access rights
    +similar access rights
  • +
  • /etc/shorewall/actions and /etc/shorewall/action.template - +define your own actions for rules in /etc/shorewall/rules (shorewall +1.4.9 and later).
  • Comments
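
Review bot: in the added actions bullet, "(shorewall 1.4.9 and later)" is lower-case where the rest of the patch writes "Shorewall 1.4.9 and later"; capitalise it. The "-similar access rights" / "+similar access rights" pair on the usersets bullet shows no change in the visible text; confirm it is an intended markup fix and not whitespace churn, and drop it from the patch otherwise.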

    diff --git a/Shorewall-docs/mailing_list.htm b/Shorewall-docs/mailing_list.htm index acb9055d5..a86de7fb9 100644 --- a/Shorewall-docs/mailing_list.htm +++ b/Shorewall-docs/mailing_list.htm @@ -156,7 +156,10 @@ reporting guidelines
    .
    href="https://lists.shorewall.net/mailman/listinfo/shorewall-newbies" target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-newbies

    To post to the list, post to shorewall-newbies@lists.shorewall.net.

    + href="mailto:shorewall-newbies@lists.shorewall.net">shorewall-newbies@lists.shorewall.net.
    +

    +

    The list archives are at http://lists.shorewall.net/pipermail/shorewall-newbies.

    Shorewall Users Mailing List

    The Shorewall Users Mailing list provides a way for users to get answers to questions and to report problems. Information diff --git a/Shorewall-docs/seattlefirewall_index.htm b/Shorewall-docs/seattlefirewall_index.htm index c15aeda91..0bff8c7b5 100644 --- a/Shorewall-docs/seattlefirewall_index.htm +++ b/Shorewall-docs/seattlefirewall_index.htm @@ -104,10 +104,92 @@ setup that matches the documentation on this site. See the Two-interface QuickStart Guide for details.

    News

    +

    12/07/2003 - Shorewall 1.4.9 Beta 1 (New)
    +

    +
    http://shorewall.net/pub/shorewall/Beta
    + ftp://shorewall.net/pub/shorewall/Beta
    +
    +

    Problems Corrected since version 1.4.8:
    +

    +
      +
    1. There has been a low continuing level of confusion over the +terms "Source NAT" (SNAT) and "Static NAT". To avoid future confusion, +all instances of "Static NAT" have been replaced with "One-to-one NAT" +in the documentation and configuration files.
    2. +
    3. The description of NEWNOTSYN in shorewall.conf has been +reworded for clarity.
    4. +
    5. Wild-card rules (those involving "all" as SOURCE or DEST) +will no longer produce an error if they attempt to add a rule that would +override a NONE policy. The logic for expanding these wild-card rules +now simply skips those (SOURCE,DEST) pairs that have a NONE policy.
      +
    6. +
    +

    Migration Issues:
    +
    +    None.
    +
    +New Features:
    +

    +
      +
    1. To cut down on the number of "Why are these ports closed +rather than stealthed?" questions, the SMB-related rules in +/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
    2. +
    3. For easier identification, packets logged under the +'norfc1918' interface option are now logged out of chains named +'rfc1918'. Previously, such packets were logged under chains named +'logdrop'.
    4. +
    5. Distributors and developers seem to be regularly inventing +new naming conventions for kernel modules. To avoid the need to change +Shorewall code for each new convention, the MODULE_SUFFIX option has +been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix +for module names in your particular distribution. If MODULE_SUFFIX is +not set in shorewall.conf, Shorewall will use the list "o gz ko o.gz".
      +
      +To see what suffix is used by your distribution:
      +
      +ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
      +
      +All of the files listed should have the same suffix (extension). Set +MODULE_SUFFIX to that suffix.
      +
      +Examples:
      +
      +     If all files end in ".kzo" then set +MODULE_SUFFIX="kzo"
      +     If all files end in ".kz.o" then set +MODULE_SUFFIX="kz.o"
    6. +
    7. Support for user defined rule ACTIONS has been implemented +through two new files:
      +
      +/etc/shorewall/actions - used to list the user-defined ACTIONS.
      +/etc/shorewall/action.template - For each user defined <action>, +copy this file to /etc/shorewall/action.<action> and add the +appropriate rules for that <action>. Once an <action> has +been defined, it may be used like any of the builtin ACTIONS (ACCEPT, +DROP, etc.) in /etc/shorewall/rules.
      +
      +Example: You want an action that logs a packet at the 'info' level and +accepts the connection.
      +
      +In /etc/shorewall/actions, you would add:
      +
      +     LogAndAccept
      +
      +You would then copy /etc/shorewall/action.template to +/etc/shorewall/LogAndAccept and in that file, you would add the two +rules:
      +        LOG:info
      +        ACCEPT
      +
      +
    8. +

    12/03/2003 - Support Torch Passed (New)

    -

    Effective today, I am reducing my participation in the +Effective today, I am reducing my participation in the day-to-day support of Shorewall. As part of this shift to community-based Shorewall support a new Shorewall @@ -115,11 +197,8 @@ Newbies mailing list has been established to field questions and problems from new users. I will not monitor that list personally. I will continue my active development of Shorewall and will be available via the development list to handle development -issues -- Tom.
    -

    -

    11/07/2003 - Shorewall 1.4.8 (New)
    +issues -- Tom. +

    11/07/2003 - Shorewall 1.4.8

    Problems Corrected since version 1.4.7:

    @@ -348,7 +427,7 @@ Children's Foundation. Thanks!
    -

    Updated 12/02/2003 - Tom Eastep +

    Updated 12/07/2003 - Tom Eastep

    diff --git a/Shorewall-docs/shorewall_quickstart_guide.htm b/Shorewall-docs/shorewall_quickstart_guide.htm index 9e4dbff5c..328653784 100644 --- a/Shorewall-docs/shorewall_quickstart_guide.htm +++ b/Shorewall-docs/shorewall_quickstart_guide.htm @@ -97,7 +97,7 @@ in Shorewall
  • Configuration File Reference Manual
  • @@ -244,6 +247,8 @@ Firewall
  • Traffic Shaping/QOS
  • Troubleshooting (Things to try if it doesn't work)
  • +
  • User-defined Actions
    +
  • UID/GID Based Rules
  • Upgrade Issues
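
Review bot: the two added entries break the alphabetical order the surrounding list follows (Traffic Shaping, Troubleshooting, ..., Upgrade Issues). "User-defined Actions" is inserted before "UID/GID Based Rules" and "Upgrade Issues"; the order should be UID/GID Based Rules, Upgrade Issues, User-defined Actions.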
    @@ -268,7 +273,7 @@ firewall to a remote network.
  • If you use one of these guides and have a suggestion for improvement please let me know.

    -

    Last modified 11/22/2003 - Tom +

    Last modified 12/08/2003 - Tom Eastep

    Copyright 2002, 2003 Thomas M. Eastep
    diff --git a/Shorewall-docs/sourceforge_index.htm b/Shorewall-docs/sourceforge_index.htm index 6e403467c..849eae7b0 100644 --- a/Shorewall-docs/sourceforge_index.htm +++ b/Shorewall-docs/sourceforge_index.htm @@ -93,6 +93,87 @@ setup that matches the documentation on this site. See the

    News

    +

    12/07/2003 - Shorewall 1.4.9 Beta 1 (New)
    +

    +
    http://shorewall.net/pub/shorewall/Beta
    + ftp://shorewall.net/pub/shorewall/Beta
    +
    +

    Problems Corrected since version 1.4.8:
    +

    +
      +
    1. There has been a low continuing level of confusion over the +terms "Source NAT" (SNAT) and "Static NAT". To avoid future confusion, +all instances of "Static NAT" have been replaced with "One-to-one NAT" +in the documentation and configuration files.
    2. +
    3. The description of NEWNOTSYN in shorewall.conf has been +reworded for clarity.
    4. +
    5. Wild-card rules (those involving "all" as SOURCE or DEST) +will no longer produce an error if they attempt to add a rule that +would override a NONE policy. The logic for expanding these wild-card +rules now simply skips those (SOURCE,DEST) pairs that have a NONE +policy.
      +
    6. +
    +

    Migration Issues:
    +
    +    None.
    +
    +New Features:
    +

    +
      +
    1. To cut down on the number of "Why are these ports closed +rather than stealthed?" questions, the SMB-related rules in +/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
    2. +
    3. For easier identification, packets logged under the +'norfc1918' interface option are now logged out of chains named +'rfc1918'. Previously, such packets were logged under chains named +'logdrop'.
    4. +
    5. Distributors and developers seem to be regularly inventing +new naming conventions for kernel modules. To avoid the need to change +Shorewall code for each new convention, the MODULE_SUFFIX option has +been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix +for module names in your particular distribution. If MODULE_SUFFIX is +not set in shorewall.conf, Shorewall will use the list "o gz ko o.gz".
      +
      +To see what suffix is used by your distribution:
      +
      +ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
      +
      +All of the files listed should have the same suffix (extension). Set +MODULE_SUFFIX to that suffix.
      +
      +Examples:
      +
      +     If all files end in ".kzo" then set +MODULE_SUFFIX="kzo"
      +     If all files end in ".kz.o" then set +MODULE_SUFFIX="kz.o"
    6. +
    7. Support for user defined rule ACTIONS has been implemented +through two new files:
      +
      +/etc/shorewall/actions - used to list the user-defined ACTIONS.
      +/etc/shorewall/action.template - For each user defined <action>, +copy this file to /etc/shorewall/action.<action> and add the +appropriate rules for that <action>. Once an <action> has +been defined, it may be used like any of the builtin ACTIONS (ACCEPT, +DROP, etc.) in /etc/shorewall/rules.
      +
      +Example: You want an action that logs a packet at the 'info' level and +accepts the connection.
      +
      +In /etc/shorewall/actions, you would add:
      +
      +     LogAndAccept
      +
      +You would then copy /etc/shorewall/action.template to +/etc/shorewall/LogAndAccept and in that file, you would add the two +rules:
      +        LOG:info
      +        ACCEPT
    8. +

    12/03/2003 - Support Torch Passed (New)
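
Review bot: the LogAndAccept example in new feature 4 contradicts the naming rule stated just above it. The description says to copy action.template to /etc/shorewall/action.<action>, but the example copies it to /etc/shorewall/LogAndAccept; by the stated convention the target should be /etc/shorewall/action.LogAndAccept. A reader who follows the example literally ends up with a file whose name does not match the documented convention. The same wording appears in the seattlefirewall_index.htm hunk and needs the same correction.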

    @@ -337,7 +418,7 @@ Children's Foundation.
    Thanks!

    -

    Updated 12/03/2003 - Tom Eastep +

    Updated 12/07/2003 - Tom Eastep