forked from extern/shorewall_code
Update change log and release notes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@545 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
554970dcc4
commit
882030789d
@ -1,15 +1,7 @@
|
|||||||
Changes since 1.4.1
|
Changes since 1.4.2
|
||||||
|
|
||||||
1. Re-order steps in the 'check' command so that the policy file is
|
1. The 'add' and 'delete' commands no longer leave behind a temporary
|
||||||
checked before the rules file.
|
directory in /tmp.
|
||||||
|
|
||||||
2. Create an intermediate chain for input from zones defined in terms
|
2. Added support for 6to4 tunnels.
|
||||||
of specific hosts or networks.
|
|
||||||
|
|
||||||
3. Fixed common.def to use 'reject' rather than 'REJECT'.
|
|
||||||
|
|
||||||
4. Added support for INCLUDE directive in all files.
|
|
||||||
|
|
||||||
5. Made traceroute -I work.
|
|
||||||
|
|
||||||
6. Add 'routeback' interface and host attribute.
|
|
||||||
|
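Review bot: the hunk replaces the whole "Changes since 1.4.1" list instead of adding a "Changes since 1.4.2" section above it, so the six 1.4.1 entries (the 'check' re-ordering, the intermediate input chain, the common.def 'reject' fix, INCLUDE, 'traceroute -I', 'routeback') disappear from the file; if the change log is meant to carry only the current release that is fine, but the commit message "Update change log and release notes" should say the previous release's entries were dropped. The new item 1 also names only the 'add' and 'delete' commands, while the release-notes hunk in this same commit speaks of "several cases" of a temporary directory being left in /tmp; the two should agree on which commands were affected.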
@ -2,89 +2,10 @@ This is a minor release of Shorewall.
|
|||||||
|
|
||||||
Problems Corrected:
|
Problems Corrected:
|
||||||
|
|
||||||
1) TCP connection requests rejected out of the common chain are now
|
1) There were several cases where Shorewall would fail to remove a
|
||||||
properly rejected with TCP RST; previously, some of these requests
|
temporary directory from /tmp. These cases have been corrected.
|
||||||
were rejeced with an ICMP port-unreachable response.
|
|
||||||
|
|
||||||
2) 'traceroute -I' from behind the firewall previously timed out on the
|
|
||||||
first hop (e.g., to the firewall). This has been worked around.
|
|
||||||
|
|
||||||
New Features:
|
New Features:
|
||||||
|
|
||||||
1) Where an entry in the/etc/shorewall/hosts file specifies a
|
1) IPV6-IPV4 (6to4) tunnels are now supported in the
|
||||||
particular host or network, Shorewall now creates an intermediate
|
/etc/shorewall/tunnels file.
|
||||||
chain for handling input from the related zone. This can
|
|
||||||
substantially reduce the number of rules traversed by connections
|
|
||||||
requests from such zones.
|
|
||||||
|
|
||||||
2) Any file may include an INCLUDE directive. An INCLUDE directive
|
|
||||||
consists of the word INCLUDE followed by a file name and causes the
|
|
||||||
contents of the named file to be logically included into the file
|
|
||||||
containing the INCLUDE. File names given in an INCLUDE directive
|
|
||||||
are assumed to reside in /etc/shorewall or in an alternate
|
|
||||||
configuration directory if one has been specified for the command.
|
|
||||||
|
|
||||||
Examples:
|
|
||||||
shorewall/params.mgmt:
|
|
||||||
MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
|
|
||||||
TIME_SERVERS=4.4.4.4
|
|
||||||
BACKUP_SERVERS=5.5.5.5
|
|
||||||
----- end params.mgmt -----
|
|
||||||
|
|
||||||
|
|
||||||
shorewall/params:
|
|
||||||
# Shorewall 1.3 /etc/shorewall/params
|
|
||||||
[..]
|
|
||||||
#######################################
|
|
||||||
|
|
||||||
INCLUDE params.mgmt
|
|
||||||
|
|
||||||
# params unique to this host here
|
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
|
||||||
----- end params -----
|
|
||||||
|
|
||||||
|
|
||||||
shorewall/rules.mgmt:
|
|
||||||
ACCEPT net:$MGMT_SERVERS $FW tcp 22
|
|
||||||
ACCEPT $FW net:$TIME_SERVERS udp 123
|
|
||||||
ACCEPT $FW net:$BACKUP_SERVERS tcp 22
|
|
||||||
----- end rules.mgmt -----
|
|
||||||
|
|
||||||
shorewall/rules:
|
|
||||||
# Shorewall version 1.3 - Rules File
|
|
||||||
[..]
|
|
||||||
#######################################
|
|
||||||
|
|
||||||
INCLUDE rules.mgmt
|
|
||||||
|
|
||||||
# rules unique to this host here
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
||||||
----- end rules -----
|
|
||||||
|
|
||||||
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
|
|
||||||
directives are ignored.
|
|
||||||
|
|
||||||
3) Routing traffic from an interface back out that interface continues
|
|
||||||
to be a problem. While I firmly believe that this should never
|
|
||||||
happen, people continue to want to do it. To limit the damage that
|
|
||||||
such nonsense produces, I have added a new 'routeback' option in
|
|
||||||
/etc/shorewall/interfaces and /etc/shorewall/hosts. When used in
|
|
||||||
/etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in
|
|
||||||
other words, 'routeback' can't be used as an option for a multi-zone
|
|
||||||
interface. The 'routeback' option CAN be specified however on
|
|
||||||
individual group entries in /etc/shorewall/hosts.
|
|
||||||
|
|
||||||
The 'routeback' option is similar to the old 'multi' option with two
|
|
||||||
exceptions:
|
|
||||||
|
|
||||||
a) The option pertains to a particular zone,interface,address tuple.
|
|
||||||
|
|
||||||
b) The option only created infrastructure to pass traffic from
|
|
||||||
(zone,interface,address) tuples back to themselves (the 'multi'
|
|
||||||
option affected all (zone,interface,address) tuples associated with
|
|
||||||
the given 'interface').
|
|
||||||
|
|
||||||
See the 'Upgrade Issues' for information about how this new option
|
|
||||||
may affect your configuration.
|
|
||||||
|
|
||||||
|
|
||||||
|
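Review bot: item 1 under "New Features" says 6to4 tunnels "are now supported in the /etc/shorewall/tunnels file" but gives neither the TYPE value to put in that file nor a sample entry, whereas the 1.4.1 text removed here documented INCLUDE with a full worked example (params.mgmt, rules.mgmt); add at least one example tunnels line so an administrator can configure it without reading the code. Two smaller points: the new "Problems Corrected" entry says a temporary directory in /tmp was left behind but not how it is created; if it is created with an unpredictable name and owner-only permissions, say so, because a leftover directory in a world-writable location is where readers will look for a second problem. And the pointer that closed the old routeback section ("See the 'Upgrade Issues' for information about how this new option may affect your configuration") goes away with the rest of the 1.4.1 text; confirm the Upgrade Issues section was updated to match, since this hunk only covers lines 2-90 of the file.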