diff --git a/Shorewall-Website/News.htm b/Shorewall-Website/News.htm
index 59fdce88b..03c7fe2a4 100644
--- a/Shorewall-Website/News.htm
+++ b/Shorewall-Website/News.htm
@@ -9,7 +9,7 @@
Shorewall News Archive
Tom Eastep
-Copyright © 2001-2004 Thomas M. Eastep
+Copyright © 2001-2005 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation;
@@ -18,11 +18,470 @@ Texts. A copy of the license is included in the section entitled “GNU Free
Documentation License”.
-2004-10-25
+
2005-01-04
-9/23/2004 -
+12/24/2004 -
+Shorewall 2.2.0 RC2
+
+New Features:
+
+
+ - By popular demand, the default port for Open VPN tunnels is now
+1194 (the IANA-reserved port number for Open VPN).
+
+12/19/2004 -
+Shorewall 2.2.0 RC1
+
+Problems Corrected:
+
+ - The syntax of the add and delete command has been clarified in
+the help summary produced by /sbin/shorewall.
+
+New Features:
+
+ - TCP OpenVPN tunnels are now supported using the 'openvpn' tunnel
+type. OpenVPN entries in /etc/shorewall/tunnels have this format:
+
+ openvpn[:{tcp|udp}][:<port>]
+<zone> <gateway>
+
+Examples:
+ openvpn:tcp net 1.2.3.4 # TCP tunnel on port 5000
openvpn:3344 net 1.2.3.4 # UDP on port 3344
openvpn:tcp:4455 net 1.2.3.4 # TCP on port 4455
+
+ - A new 'ipsecvpn' script is included in the tarball and in the
+RPM. The RPM installs the file in the Documentation directory
+(/usr/share/doc/packages/shorewall-2.2.0-0RC1).
+
+This script is intended for use on Roadwarrior laptops for establishing
+an IPSEC SA to/from remote networks. The script has some limitations:
+
+ - Only one instance of the script may be used at a
+time.
+ - Only the first SPD accessed will be instantiated
+at the remote gateway. So while the script creates SPDs to/from the
+remote gateway and each network listed in the NETWORKS setting at the
+front of the script, only one of these may be used at a time.
+
+
+12/11/2004 -
+Shorewall 2.2.0 Beta 8
+
+Problems Corrected:
+
+ - A typo in the /etc/shorewall/interfaces file has been corrected.
+ - Previously, the "add" and "delete" commands were generating
+incorrect policy matches when policy match support was available.
+
+New Features:
+
+ - Recent 2.6 kernels include code that evaluates TCP packets based
+on TCP Window analysis. This can cause packets that were previously
+classified as NEW or ESTABLISHED to be classified as INVALID.
+
+The new kernel code can be disabled by including this command in your
+/etc/shorewall/init file:
+
+ echo 1 >
+/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
+
+Additional kernel logging about INVALID TCP packets may be obtained by
+adding this command to /etc/shorewall/init:
+
+ echo 1 >
+/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
+
+Traditionally, Shorewall has dropped INVALID TCP packets early. The new
+DROPINVALID option allows INVALID packets to be passed through the
+normal rules chains by setting DROPINVALID=No.
+
+If not specified or if specified as empty (e.g., DROPINVALID="") then
+DROPINVALID=Yes is assumed.
+
+
+ - The "shorewall add" and "shorewall delete" commands now accept a
+list of hosts to add or delete.
+
+Examples:
+
+ shorewall add eth1:1.2.3.4 eth1:2.3.4.5 z12
+ shorewall delete eth1:1.2.3.4 eth1:2.3.4.5 z12
+
+The above commands may also be written:
+
+ shorewall add eth1:1.2.3.4,2.3.4.5 z12
+ shorewall delete eth1:1.2.3.4,2.3.4.5 z12
+
+
+
+12/04/2004 -
+Shorewall 2.2.0 Beta 7
+
+Problems Corrected:
+
+ - The "shorewall add" and "shorewall delete" commands now work in a
+bridged environment. The syntax is:
+
+ shorewall
+add <interface>[:<port>]:<address> <zone>
+ shorewall
+delete <interface>[:<port>]:<address> <zone>
+
+ Examples:
+
+ shorewall
+add br0:eth2:192.168.1.3 OK
+ shorewall
+delete br0:eth2:192.168.1.3 OK
+
+
+ - Previously, "shorewall save" created an out-of-sequence restore
+script. The commands saved in the user's /etc/shorewall/start script
+were executed prior to the Netfilter configuration being restored. This
+has been corrected so that "shorewall save" now places those commands
+at the end of the script.
+
+To accomplish this change, the "restore base" file
+(/var/lib/shorewall/restore-base) has been split into two files:
+
+/var/lib/shorewall/restore-base -- commands to be executed before
+Netfilter the configuration is restored.
+
+/var/lib/shorewall/restore-tail -- commands to be executed after the
+Netfilter configuration is restored.
+
+
+ - Previously, traffic from the firewall to a dynamic zone member
+host did not need to match the interface specified when the host was
+added to the zone. For example, if eth0:1.2.3.4 is added to dynamic
+zone Z then traffic out of any firewall interface to 1.2.3.4 will obey
+the fw->Z policies and rules. This has been corrected.
+ - Shorewall uses the temporary chain 'fooX1234' to probe iptables
+for detrmining which features are supported. Previously, if that chain
+happened to exist when Shorewall was run, capabilities were
+mis-detected.
+
+New Features:
+
+ - You can now use the "shorewall show zones" command to display the
+current contents of the zones. This is particularly useful if you use
+dynamic zones (DYNAMIC_ZONES=Yes in shorewall.conf).
+
+ Example:
+
+ ursa:/etc/shorewall #
+shorewall show zones
+ Shorewall-2.2.0-Beta7 Zones
+at ursa - Sat Nov 27 11:18:25 PST 2004
+
+ loc
+
+eth0:192.168.1.0/24
+
+eth1:1.2.3.4
+ net
+
+eth0:0.0.0.0/0
+ WiFi
+
+eth1:0.0.0.0/0
+ sec
+
+eth1:0.0.0.0/0
+
+ ursa:/etc/shorewall #
+
+
+ - Variable expansion may now be used with the INCLUDE directive.
+
+ Example:
+
+ /etc/shorewall/params
+
+
+FILE=/etc/foo/bar
+
+ Any other config file:
+
+
+INCLUDE $FILE
+
+
+ - The output of "shorewall status" now includes the results of "ip
+-stat link ls". This helps diagnose performance problems caused by link
+errors.
+ - Previously, when rate-limiting was specified in
+/etc/shorewall/policy (LIMIT:BURST column), any traffic which exceeded
+the specified rate was silently dropped. Now, if a log
+level is given in the entry (LEVEL column) then drops are logged at
+that level at a rate of 5/min with a burst of 5.
+
+
+12/02/2004 -
+Shorewall 2.0.13
+
+Problems Corrected:
+
+ - A typo in /usr/share/shorewall/firewall caused the "shorewall
+add" to issue an error message:
+ /usr/share/shorewall/firewall: line 1: match_destination_hosts: command not found
+
+
+12/01/2004 -
+Shorewall 2.0.12
+
+Problems Corrected:
+
+ - A typo in shorewall.conf (NETNOTSYN) has been corrected.
+ - The "shorewall add" and "shorewall delete" commands now work in a
+bridged environment. The syntax is:
+
+ shorewall add
+<interface>[:<bridge port>][:<address>] <zone>
+ shorewall delete
+<interface>[:<bridge port>][:<address>] <zone>
+
+Examples:
+
+ shorewall add br0:eth2:192.168.1.3 OK
+ shorewall delete br0:eth2:192.168.1.3 OK
+
+
+ - Previously, "shorewall save" created an out-of-sequence restore
+script. The commands saved in the user's /etc/shorewall/start script
+were executed prior to the Netfilter configuration being restored. This
+has been corrected so that "shorewall save" now places those commands
+at the end of the script.
+
+To accomplish this change, the "restore base" file
+(/var/lib/shorewall/restore-base) has been split into two files:
+
+ /var/lib/shorewall/restore-base -- commands to be executed
+before the Netfilter configuration is restored.
+
+ /var/lib/shorewall/restore-tail -- commands to be executed
+after the Netfilter configuration is restored.
+
+
+ - Previously, traffic from the firewall to a dynamic zone member
+host did not need to match the interface specified when the host was
+added to the zone. For example, if eth0:1.2.3.4 is added to dynamic
+zone Z then traffic out of any firewall interface to 1.2.3.4 will obey
+the fw->Z policies and rules. This has been corrected.
+
+New Features:
+
+ - Variable expansion may now be used with the INCLUDE directive.
+
+Example:
+
+ /etc/shorewall/params
+
+
+FILE=/etc/foo/bar
+
+ Any other config file:
+
+
+INCLUDE $FILE
+
+
+11/26/2004 -
+Shorewall 2.2.0 Beta 6
+
+Beta 5 was more or less DOA. Here's Beta 6.
+
+Problems Corrected:
+
+ - Fixed a number of problems associated with not having an IPTABLES
+value assigned in shorewall.conf
+ - Corrected a 'duplicate chain' error on "shorewall add" when the
+'mss' option is present in /etc/shorewall/ipsec.
+
+
+11/26/2004 -
+Shorewall 2.2.0 Beta 5
+
+Problems corrected:
+
+ - A typo in shorewall.conf (NETNOTSYN) has been corrected.
+
+New Features:
+
+ - For consistency, the CLIENT PORT(S) column in the tcrules file
+has been renamed SOURCE PORT(S).
+ - The contents of /proc/sys/net/ip4/icmp_echo_ignore_all is now
+shown in the output of "shorewall status".
+ - A new IPTABLES option has been added to shorewall.conf. IPTABLES
+can be used to designate the iptables executable to be used by
+Shorewall. If not specified, the iptables executable determined by the
+PATH setting is used.
+
+
+11/23/2004 -
+Shorewall 2.0.11
+
+Problems corrected:
+
+ - The INSTALL file now include special instructions for Slackware
+users.
+ - The bogons file has been updated.
+ - Service names are replaced by port numbers in /etc/shorewall/tos.
+ - A typo in the install.sh file that caused an error during a new
+install has been corrected.
+
+New Features:
+
+ - The AllowNNTP action now allows NNTP over SSL/TLS (NTTPS).
+
+
+11/19/2004 -
+Shorewall 2.2.0 Beta 4
+
+Problems Corrected:
+
+ - A cut and paste error resulted in some nonsense in the
+description of the IPSEC column in /etc/shorewall/masq.
+ - A typo in /etc/shorewall/rules has been corrected.
+ - The bogons file has been updated.
+ - The "shorewall add" command previously reported success but did
+nothing -- now it works.
+
+New Features:
+
+ - The AllowNNTP action now allows NNTP over SSL/TLS (NNTPS).
+
+
+11/09/2004 -
+Shorewall 2.2.0 Beta 3
+
+Problems Corrected:
+
+ - Missing '#' in the rfc1918 file has been corrected.
+ - The INSTALL file now includes special instructions for Slackware
+users.
+
+New Features:
+
+ - In CLASSIFY rules (/etc/shorewall/tcrules), an interface name may
+now appear in the DEST column as in:
+ #MARK/ SOURCE DEST PROTO PORT(S)
#CLASSIFY
1:30 - eth0 tcp 25
+
+
+11/02/2004 -
+Shorewall 2.2.0 Beta 2
+
+Problems Corrected:
+
+ - The "shorewall check" command results in the (harmless) error
+message:
+
+
+/usr/share/shorewall/firewall: line 2753:
+
+check_dupliate_zones: command not found
+
+
+ - The AllowNTP standard action now allows outgoing responses to
+broadcasts.
+ - A clarification has been added to the hosts file's description of
+the 'ipsec' option pointing out that the option is redundent if the
+zone named in the ZONE column has been designated an IPSEC zone in the
+/etc/shorewall/ipsec file.
+
+New Features:
+
+ - The SUBNET column in /etc/shorewall/rfc1918 has been renamed
+SUBNETS and it is now possible to specify a list of addresses in that
+column.
+
+
+10/25/2004 -
+Shorewall 2.0.10
+
+Problems Corrected:
+
+ - The GATEWAY column was previously ignored in 'pptpserver' entries
+in /etc/shorewall/tunnels.
+ - When log rule numbers are included in the LOGFORMAT, duplicate
+rule numbers could previously be generated.
+ - The /etc/shorewall/tcrules file now includes a note to the effect
+that rule evaluation continues after a match.
+ - The error message produced if Shorewall couldn't obtain the
+routes
+through an interface named in the SUBNET column of /etc/shorewall/masq
+was less than helpful since it didn't include the interface name.
+
+
+New Features:
+
+ - The "shorewall status" command has been enhanced to include the
+values of key /proc settings:
+
+Example from a two-interface firewall:
+
+/proc
+
+ /proc/sys/net/ipv4/ip_forward = 1
+ /proc/sys/net/ipv4/conf/all/proxy_arp = 0
+ /proc/sys/net/ipv4/conf/all/arp_filter = 0
+ /proc/sys/net/ipv4/conf/all/rp_filter = 0
+ /proc/sys/net/ipv4/conf/default/proxy_arp = 0
+ /proc/sys/net/ipv4/conf/default/arp_filter = 0
+ /proc/sys/net/ipv4/conf/default/rp_filter = 0
+ /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
+ /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
+ /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
+ /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
+ /proc/sys/net/ipv4/conf/eth1/arp_filter = 0
+ /proc/sys/net/ipv4/conf/eth1/rp_filter = 0
+ /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
+ /proc/sys/net/ipv4/conf/lo/arp_filter = 0
+ /proc/sys/net/ipv4/conf/lo/rp_filter = 0
+
+
+
+10/24/2004 -
+Shorewall 2.2.0 Beta1
+
+The first beta in the 2.2 series is now available. Download
+location is:
+
+
+The features available in this release and the migration
+considerations are covered in the release
+notes. Highlights include:
+
+
+ - The behavior produced by specifying a log level in an action
+invocation is now much more rational. Previously, all packets sent to
+the action were logged; now each rule within the invoked action behaves
+as if logging had been specified on it.
+ - Support for the 2.6 Kernel's native IPSEC implementation is now
+available.
+ - Support for ipp2p is included.
+ - Support for the iptables CONNMARK facility is now included in
+Shorewall.
+ - A new LOGALLNEW option facilitates problem analysis.
+ - Users with a large static blacklist can now defer loading the
+blacklist until after the rest of the ruleset has been enabled. Doing
+so can decrease substantially the amount of time that connections are
+disabled during shorewall [re]start.
+ - Support for the iptables 'iprange match' feature has been
+enabled. Users whose kernel and iptables contain this feature can use
+ip address ranges in most places in their Shorewall configuration where
+a CIDR netowrk can be used.
+ - Accepting of source routing and martian logging may now be
+enabled/disabled on each interface.
+ - Shorewall now supports the CLASSIFY iptable target.
+
+9/23/2004 -
Shorewall 2.0.9
Problems Corrected:
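Review bot: the text moved into the archive carries several spelling errors that could be fixed in the same pass rather than preserved: "detrmining" in the fooX1234 item under Beta 7, "redundent" in the Beta 2 hosts-file item, "netowrk" in the Beta 1 iprange item, "Open VPN" in the RC2 item where every other entry writes "OpenVPN", "/proc/sys/net/ip4/icmp_echo_ignore_all" in the Beta 5 item (every other /proc path on the page is under /proc/sys/net/ipv4/), and "NTTPS" in the 2.0.11 item where the otherwise identical Beta 4 item correctly has "NNTPS". The Beta 7 restore-base description also has its words transposed: "commands to be executed before Netfilter the configuration is restored" should read "before the Netfilter configuration is restored", as the 2.0.12 copy of the same item already does. Two content points worth a sentence each: the RC1 example "openvpn:tcp net 1.2.3.4 # TCP tunnel on port 5000" now sits directly below the RC2 item stating that the default port is 1194, so a reader scanning the archive may take 5000 as current; marking the RC1 comment as the pre-RC2 default would avoid that. And the Beta 8 item tells users how to set ip_conntrack_tcp_be_liberal without saying what is given up: once it is set, packets that fail the kernel's TCP window check are no longer classified INVALID and so are no longer caught by the early INVALID drop the same item describes; suggest the text recommend enabling ip_conntrack_log_invalid first to confirm the window check is actually the cause before relaxing it. The quoted error messages ("check_dupliate_zones", "match_destination_hosts") should stay as they are, since they reproduce actual output.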
diff --git a/Shorewall-Website/shorewall_index.htm b/Shorewall-Website/shorewall_index.htm
index 221ec019e..4bcbe0fa7 100644
--- a/Shorewall-Website/shorewall_index.htm
+++ b/Shorewall-Website/shorewall_index.htm
@@ -28,8 +28,8 @@ to 2.x releases of Shorewall. For older versions:
target="_top">here.
-The current 2.0 Stable Release is 2.0.13 -- Here are the release
+The current 2.0 Stable Release is 2.0.14 -- Here are the release
notes.
The current Developement Release is 2.2.0 RC3 -- Here
are the .
style="font-weight: bold;">Preparing for Shorewall 2.2 -- End of
support life for Shorewall 1.4 is Near!
-Copyright © 2001-2004 Thomas M. Eastep
+Copyright © 2001-2005 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software
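Review bot: the bump to 2.0.14 is right, but two unchanged context lines beside it are worth fixing while this paragraph is open: "Developement" is misspelled, and "The current Developement Release is 2.2.0 RC3 -- Here are the ." has lost its link text, so the sentence ends on a bare period with nothing for the reader to click. Both lines fall inside this hunk's range.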
@@ -51,7 +51,7 @@ Foundation; with no Invariant Sections, with no Front-Cover, and with
no Back-Cover Texts. A copy of the license is included in the section
entitled “GNU
Free Documentation License”.
-2004-12-31
+2005-01-03
Table of Contents
Introduction
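Review bot: this hunk sets the index page's revision date to 2005-01-03, but News.htm, whose archive content is rewritten in the same commit, keeps its existing 2005-01-04 date (visible as unchanged context in that file's second hunk) and is not bumped here. Since both files change together for the 2.0.14 announcement dated 01/03/2005, the two revision dates should be updated together and agree.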
@@ -66,31 +66,12 @@ Shorewall
Shorewall on Mandrake® with a two-interface setup?
License
News
-Mandrake-specific RPMs available
+
Shorewall
+2.0.14
+Mandrake-specific RPMs available
Redhat/Fedora-specific RPMs available
Shorewall
-2.2.0 RC3
-Shorewall
-2.2.0 RC2
-Shorewall
-2.2.0 RC1
-Shorewall 2.2.0 Beta 8
-Shorewall 2.2.0 Beta 7
-Shorewall
-2.0.13
-Shorewall
-2.0.12
-Shorewall 2.2.0 Beta 6
-Shorewall 2.2.0 Beta 5
-Shorewall
-2.0.11
-Shorewall 2.2.0 Beta 4
-Shorewall 2.2.0 Beta 3
-Shorewall 2.2.0 Beta 2
-Shorewall
-2.0.10
-Shorewall 2.2.0 Beta 1
+2.2.0 RC3
Leaf
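Review bot: the table of contents now lists "Shorewall 2.0.14", "Mandrake-specific RPMs available", "Redhat/Fedora-specific RPMs available" and "Shorewall 2.2.0 RC3", which matches the entries left in the News section once the older items are moved out, so no dangling entries remain. One readability point: the "Mandrake-specific RPMs available" line now sits directly under the new 2.0.14 entry, while the news item it points to is titled "Mandrake-specific 2.2.0 RC3 RPMs available"; a reader may take the RPMs as 2.0.14 packages. Carrying the version into the ToC label would remove the ambiguity.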
@@ -182,6 +163,26 @@ of the license is included in the section entitled "GNU Free
Documentation License".
News
+
01/03/2005 -
+Shorewall 2.0.14
+
+New Features:
+
+ - Previously, when rate-limiting was specified in
+/etc/shorewall/policy (LIMIT:BURST column), any traffic which exceeded
+the specified rate was silently dropped. Now, if a log level is given
+in the entry (LEVEL column) then drops are logged at that level at a
+rate of 5/min with a burst of 5.
+
+
+Problems Corrected:
+
+ - A typo in the /etc/shorewall/interfaces file has been fixed.
+ - "bad variable" error messages occurring during "shorewall stop"
+and "shorewall clear" have been eliminated.
+ - A misleading typo in /etc/shorewall/tunnels has been corrected.
+
+
12/31/2004
- Mandrake-specific 2.2.0 RC3 RPMs available
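Review bot: the new 2.0.14 entry lists "New Features" before "Problems Corrected", whereas every other entry on both pages puts "Problems Corrected" first; swap the two sections for consistency. The rate-limit logging paragraph is a word-for-word copy of the 2.2.0 Beta 7 item that this same commit moves to the archive, so a short note that it is a backport of that feature would point 2.0 users at the fuller description. The third fix, "A misleading typo in /etc/shorewall/tunnels has been corrected", also repeats the wording of the RC3 entry just below (visible as context at the start of the next hunk); if it is the same fix backported, say so, otherwise a reader will assume a duplicate.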
@@ -219,464 +220,7 @@ message but would not generate an iptables rule.
A misleading typo in /etc/shorewall/tunnels has been corrected.
-12/24/2004 -
-Shorewall 2.2.0 RC2
-
-New Features:
-
- - By popular demand, the default port for Open VPN tunnels is now
-1194 (the IANA-reserved port number for Open VPN).
-
-12/19/2004 -
-Shorewall 2.2.0 RC1
-
-Problems Corrected:
-
- - The syntax of the add and delete command has been clarified in
-the help summary produced by /sbin/shorewall.
-
-New Features:
-
- - TCP OpenVPN tunnels are now supported using the 'openvpn' tunnel
-type. OpenVPN entries in /etc/shorewall/tunnels have this format:
-
- openvpn[:{tcp|udp}][:<port>]
-<zone> <gateway>
-
-Examples:
- openvpn:tcp net 1.2.3.4 # TCP tunnel on port 5000
openvpn:3344 net 1.2.3.4 # UDP on port 3344
openvpn:tcp:4455 net 1.2.3.4 # TCP on port 4455
-
- - A new 'ipsecvpn' script is included in the tarball and in the
-RPM. The RPM installs the file in the Documentation directory
-(/usr/share/doc/packages/shorewall-2.2.0-0RC1).
-
-This script is intended for use on Roadwarrior laptops for establishing
-an IPSEC SA to/from remote networks. The script has some limitations:
-
- - Only one instance of the script may be used at a
-time.
- - Only the first SPD accessed will be instantiated
-at the remote gateway. So while the script creates SPDs to/from the
-remote gateway and each network listed in the NETWORKS setting at the
-front of the script, only one of these may be used at a time.
-
-
-12/11/2004 -
-Shorewall 2.2.0 Beta 8
-
-Problems Corrected:
-
- - A typo in the /etc/shorewall/interfaces file has been corrected.
- - Previously, the "add" and "delete" commands were generating
-incorrect policy matches when policy match support was available.
-
-New Features:
-
- - Recent 2.6 kernels include code that evaluates TCP packets based
-on TCP Window analysis. This can cause packets that were previously
-classified as NEW or ESTABLISHED to be classified as INVALID.
-
-The new kernel code can be disabled by including this command in your
-/etc/shorewall/init file:
-
- echo 1 >
-/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
-
-Additional kernel logging about INVALID TCP packets may be obtained by
-adding this command to /etc/shorewall/init:
-
- echo 1 >
-/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
-
-Traditionally, Shorewall has dropped INVALID TCP packets early. The new
-DROPINVALID option allows INVALID packets to be passed through the
-normal rules chains by setting DROPINVALID=No.
-
-If not specified or if specified as empty (e.g., DROPINVALID="") then
-DROPINVALID=Yes is assumed.
-
-
- - The "shorewall add" and "shorewall delete" commands now accept a
-list of hosts to add or delete.
-
-Examples:
-
- shorewall add eth1:1.2.3.4 eth1:2.3.4.5 z12
- shorewall delete eth1:1.2.3.4 eth1:2.3.4.5 z12
-
-The above commands may also be written:
-
- shorewall add eth1:1.2.3.4,2.3.4.5 z12
- shorewall delete eth1:1.2.3.4,2.3.4.5 z12
-
-
-
-12/04/2004 -
-Shorewall 2.2.0 Beta 7
-
-Problems Corrected:
-
- - The "shorewall add" and "shorewall delete" commands now work in a
-bridged environment. The syntax is:
-
- shorewall
-add <interface>[:<port>]:<address> <zone>
- shorewall
-delete <interface>[:<port>]:<address> <zone>
-
- Examples:
-
- shorewall
-add br0:eth2:192.168.1.3 OK
- shorewall
-delete br0:eth2:192.168.1.3 OK
-
-
- - Previously, "shorewall save" created an out-of-sequence restore
-script. The commands saved in the user's /etc/shorewall/start script
-were executed prior to the Netfilter configuration being restored. This
-has been corrected so that "shorewall save" now places those commands
-at the end of the script.
-
-To accomplish this change, the "restore base" file
-(/var/lib/shorewall/restore-base) has been split into two files:
-
-/var/lib/shorewall/restore-base -- commands to be executed before
-Netfilter the configuration is restored.
-
-/var/lib/shorewall/restore-tail -- commands to be executed after the
-Netfilter configuration is restored.
-
-
- - Previously, traffic from the firewall to a dynamic zone member
-host did not need to match the interface specified when the host was
-added to the zone. For example, if eth0:1.2.3.4 is added to dynamic
-zone Z then traffic out of any firewall interface to 1.2.3.4 will obey
-the fw->Z policies and rules. This has been corrected.
- - Shorewall uses the temporary chain 'fooX1234' to probe iptables
-for detrmining which features are supported. Previously, if that chain
-happened to exist when Shorewall was run, capabilities were
-mis-detected.
-
-New Features:
-
- - You can now use the "shorewall show zones" command to display the
-current contents of the zones. This is particularly useful if you use
-dynamic zones (DYNAMIC_ZONES=Yes in shorewall.conf).
-
- Example:
-
- ursa:/etc/shorewall #
-shorewall show zones
- Shorewall-2.2.0-Beta7 Zones
-at ursa - Sat Nov 27 11:18:25 PST 2004
-
- loc
-
-eth0:192.168.1.0/24
-
-eth1:1.2.3.4
- net
-
-eth0:0.0.0.0/0
- WiFi
-
-eth1:0.0.0.0/0
- sec
-
-eth1:0.0.0.0/0
-
- ursa:/etc/shorewall #
-
-
- - Variable expansion may now be used with the INCLUDE directive.
-
- Example:
-
- /etc/shorewall/params
-
-
-FILE=/etc/foo/bar
-
- Any other config file:
-
-
-INCLUDE $FILE
-
-
- - The output of "shorewall status" now includes the results of "ip
--stat link ls". This helps diagnose performance problems caused by link
-errors.
- - Previously, when rate-limiting was specified in
-/etc/shorewall/policy (LIMIT:BURST column), any traffic which exceeded
-the specified rate was silently dropped. Now, if a log
-level is given in the entry (LEVEL column) then drops are logged at
-that level at a rate of 5/min with a burst of 5.
-
-
-12/02/2004 -
-Shorewall 2.0.13
-
-Problems Corrected:
-
- - A typo in /usr/share/shorewall/firewall caused the "shorewall
-add" to issue an error message:
- /usr/share/shorewall/firewall: line 1: match_destination_hosts: command not found
-
-
-12/01/2004 -
-Shorewall 2.0.12
-
-Problems Corrected:
-
- - A typo in shorewall.conf (NETNOTSYN) has been corrected.
- - The "shorewall add" and "shorewall delete" commands now work in a
-bridged environment. The syntax is:
-
- shorewall add
-<interface>[:<bridge port>][:<address>] <zone>
- shorewall delete
-<interface>[:<bridge port>][:<address>] <zone>
-
-Examples:
-
- shorewall add br0:eth2:192.168.1.3 OK
- shorewall delete br0:eth2:192.168.1.3 OK
-
-
- - Previously, "shorewall save" created an out-of-sequence restore
-script. The commands saved in the user's /etc/shorewall/start script
-were executed prior to the Netfilter configuration being restored. This
-has been corrected so that "shorewall save" now places those commands
-at the end of the script.
-
-To accomplish this change, the "restore base" file
-(/var/lib/shorewall/restore-base) has been split into two files:
-
- /var/lib/shorewall/restore-base -- commands to be executed
-before the Netfilter configuration is restored.
-
- /var/lib/shorewall/restore-tail -- commands to be executed
-after the Netfilter configuration is restored.
-
-
- - Previously, traffic from the firewall to a dynamic zone member
-host did not need to match the interface specified when the host was
-added to the zone. For example, if eth0:1.2.3.4 is added to dynamic
-zone Z then traffic out of any firewall interface to 1.2.3.4 will obey
-the fw->Z policies and rules. This has been corrected.
-
-New Features:
-
- - Variable expansion may now be used with the INCLUDE directive.
-
-Example:
-
- /etc/shorewall/params
-
-
-FILE=/etc/foo/bar
-
- Any other config file:
-
-
-INCLUDE $FILE
-
-
-11/26/2004 -
-Shorewall 2.2.0 Beta 6
-
-Beta 5 was more or less DOA. Here's Beta 6.
-
-Problems Corrected:
-
- - Fixed a number of problems associated with not having an IPTABLES
-value assigned in shorewall.conf
- - Corrected a 'duplicate chain' error on "shorewall add" when the
-'mss' option is present in /etc/shorewall/ipsec.
-
-
-11/26/2004 -
-Shorewall 2.2.0 Beta 5
-
-Problems corrected:
-
- - A typo in shorewall.conf (NETNOTSYN) has been corrected.
-
-New Features:
-
- - For consistency, the CLIENT PORT(S) column in the tcrules file
-has been renamed SOURCE PORT(S).
- - The contents of /proc/sys/net/ip4/icmp_echo_ignore_all is now
-shown in the output of "shorewall status".
- - A new IPTABLES option has been added to shorewall.conf. IPTABLES
-can be used to designate the iptables executable to be used by
-Shorewall. If not specified, the iptables executable determined by the
-PATH setting is used.
-
-
-11/23/2004 -
-Shorewall 2.0.11
-
-Problems corrected:
-
- - The INSTALL file now include special instructions for Slackware
-users.
- - The bogons file has been updated.
- - Service names are replaced by port numbers in /etc/shorewall/tos.
- - A typo in the install.sh file that caused an error during a new
-install has been corrected.
-
-New Features:
-
- - The AllowNNTP action now allows NNTP over SSL/TLS (NTTPS).
-
-
-11/19/2004 -
-Shorewall 2.2.0 Beta 4
-
-Problems Corrected:
-
- - A cut and paste error resulted in some nonsense in the
-description of the IPSEC column in /etc/shorewall/masq.
- - A typo in /etc/shorewall/rules has been corrected.
- - The bogons file has been updated.
- - The "shorewall add" command previously reported success but did
-nothing -- now it works.
-
-New Features:
-
- - The AllowNNTP action now allows NNTP over SSL/TLS (NNTPS).
-
-
-11/09/2004 -
-Shorewall 2.2.0 Beta 3
-
-Problems Corrected:
-
- - Missing '#' in the rfc1918 file has been corrected.
- - The INSTALL file now includes special instructions for Slackware
-users.
-
-New Features:
-
- - In CLASSIFY rules (/etc/shorewall/tcrules), an interface name may
-now appear in the DEST column as in:
- #MARK/ SOURCE DEST PROTO PORT(S)
#CLASSIFY
1:30 - eth0 tcp 25
-
-
-11/02/2004 -
-Shorewall 2.2.0 Beta 2
-
-Problems Corrected:
-
- - The "shorewall check" command results in the (harmless) error
-message:
-
-
-/usr/share/shorewall/firewall: line 2753:
-
-check_dupliate_zones: command not found
-
-
- - The AllowNTP standard action now allows outgoing responses to
-broadcasts.
- - A clarification has been added to the hosts file's description of
-the 'ipsec' option pointing out that the option is redundent if the
-zone named in the ZONE column has been designated an IPSEC zone in the
-/etc/shorewall/ipsec file.
-
-New Features:
-
- - The SUBNET column in /etc/shorewall/rfc1918 has been renamed
-SUBNETS and it is now possible to specify a list of addresses in that
-column.
-
-
-10/25/2004 -
-Shorewall 2.0.10
-
-Problems Corrected:
-
- - The GATEWAY column was previously ignored in 'pptpserver' entries
-in /etc/shorewall/tunnels.
- - When log rule numbers are included in the LOGFORMAT, duplicate
-rule numbers could previously be generated.
- - The /etc/shorewall/tcrules file now includes a note to the effect
-that rule evaluation continues after a match.
- - The error message produced if Shorewall couldn't obtain the
-routes
-through an interface named in the SUBNET column of /etc/shorewall/masq
-was less than helpful since it didn't include the interface name.
-
-
-New Features:
-
- - The "shorewall status" command has been enhanced to include the
-values of key /proc settings:
-
-Example from a two-interface firewall:
-
-/proc
-
- /proc/sys/net/ipv4/ip_forward = 1
- /proc/sys/net/ipv4/conf/all/proxy_arp = 0
- /proc/sys/net/ipv4/conf/all/arp_filter = 0
- /proc/sys/net/ipv4/conf/all/rp_filter = 0
- /proc/sys/net/ipv4/conf/default/proxy_arp = 0
- /proc/sys/net/ipv4/conf/default/arp_filter = 0
- /proc/sys/net/ipv4/conf/default/rp_filter = 0
- /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
- /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
- /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
- /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
- /proc/sys/net/ipv4/conf/eth1/arp_filter = 0
- /proc/sys/net/ipv4/conf/eth1/rp_filter = 0
- /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
- /proc/sys/net/ipv4/conf/lo/arp_filter = 0
- /proc/sys/net/ipv4/conf/lo/rp_filter = 0
-
-
-
-10/24/2004 -
-Shorewall 2.2.0 Beta1
-
-The first beta in the 2.2 series is now available. Download
-location is:
-
-
-The features available in this release and the migration
-considerations are covered in the release
-notes. Highlights include:
-
-
- - The behavior produced by specifying a log level in an action
-invocation is now much more rational. Previously, all packets sent to
-the action were logged; now each rule within the invoked action behaves
-as if logging had been specified on it.
- - Support for the 2.6 Kernel's native IPSEC implementation is now
-available.
- - Support for ipp2p is included.
- - Support for the iptables CONNMARK facility is now included in
-Shorewall.
- - A new LOGALLNEW option facilitates problem analysis.
- - Users with a large static blacklist can now defer loading the
-blacklist until after the rest of the ruleset has been enabled. Doing
-so can decrease substantially the amount of time that connections are
-disabled during shorewall [re]start.
- - Support for the iptables 'iprange match' feature has been
-enabled. Users whose kernel and iptables contain this feature can use
-ip address ranges in most places in their Shorewall configuration where
-a CIDR netowrk can be used.
- - Accepting of source routing and martian logging may now be
-enabled/disabled on each interface.
- - Shorewall now supports the CLASSIFY iptable target.
-
+
More News
Leaf
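Review bot: the block removed here, from "12/24/2004 - Shorewall 2.2.0 RC2" through the Beta 1 highlights, matches line for line what the News.htm hunk adds, typos included, so nothing is lost in the move; the "More News" line that remains as context is now the only route to these entries, so confirm it links to News.htm. One leftover: the hunk ends by deleting a blank "-" line and adding a blank "+" line, a no-op that could be dropped to keep the diff clean.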