From 5c8c4d1306d56090892b0bc777771914f0a0fbd2 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Apr 2009 08:49:26 -0700 Subject: [PATCH 1/7] Update the Download page to mention the Git repository Signed-off-by: Tom Eastep --- web/download.htm | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/web/download.htm b/web/download.htm index 504f4676e..8e70020db 100644 --- a/web/download.htm +++ b/web/download.htm @@ -28,11 +28,14 @@ SVN
+ Git
+

-
2009-03-02 +
2009-04-12

Package Information

Before trying to install, we strongly urge you to read and print a @@ -508,6 +511,17 @@ Shorewall version 4.2.4. +

Git

+Beginning with Shorewall 4.3, the Shorewall project is migrating from +SVN to Git. You may browse the Shorewall +Git repository at Sourceforge.
+
+To create your own copy of the repository, use this command:
+
+
git clone git://shorewall.git.sourceforge.net/gitroot/shorewall
+
+

Copyright ©  2001-2009 Thomas M. Eastep
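Review bot: the clone command added in the new Git section, `git clone git://shorewall.git.sourceforge.net/gitroot/shorewall`, uses the git:// transport, which is neither authenticated nor encrypted, so readers who follow it get no integrity check on the tree they fetch; for a firewall project it would be worth documenting an HTTPS clone URL next to it and pointing readers back to the page's existing public-key verification instructions so a cloned tree can be compared against a signed release. The date cell bump to 2009-04-12 and the new Git row in the navigation table look fine.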

Permission is granted to copy, distribute and/or modify this From e7c71eecb80446fd2a55c1b322cea415b71d5d1a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Apr 2009 09:19:32 -0700 Subject: [PATCH 2/7] Update download page to include Ben Montgomery's Ubuntu Repository Signed-off-by: Tom Eastep --- web/download.htm | 41 +++++++++++++++++++---------------------- 1 file changed, 19 insertions(+), 22 deletions(-) diff --git a/web/download.htm b/web/download.htm index 8e70020db..a9e74fc98 100644 --- a/web/download.htm +++ b/web/download.htm @@ -16,11 +16,14 @@ cellspacing="0"> - Package Information
- + Package Information
+
+ Distribution-specific Download Sites
+
Download Sites
+ style="font-weight: bold;">Standard Download Sites
Finding Updates that Correct Known Problems
@@ -118,6 +121,7 @@ single execution of the rpm utility.

Here are the installation instructions.

+

Distribution-specific Download Sites

Once you've printed the appropriate QuickStart Guide, download the appropriate modules:

You will probably also want to download the HTML version of the documentation for easy reference.

-

Download Sites

+

Standard Download Sites

Use the sites below to download the tarball, the documentation and the standard RPM for @@ -353,21 +365,6 @@ using our public key -

Redhat and Fedora RPMS -provided -by Simon Matter: http://www.invoca.ch/pub/packages/shorewall/
-
-Slackware SlackBuild scripts are -at http://slackbuilds.org/result/?search=shorewall&sv=.
-
-OpenWRT package provided by Marc Zonzon: http://www.iut-lannion.fr/ZONZON/memos_index.php?part=Network&section=WRTMemo&subsec=shorewall
-
-Leaf/Bering package is available at http://leaf.sourceforge.net/bering-uclibc/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=3&MMN_position=3:3
-

Finding Updates that Correct Known Problems
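Review bot: this hunk deletes the Simon Matter Redhat/Fedora RPM, Slackware SlackBuild, OpenWRT and LEAF/Bering links from the Standard Download Sites section, but none of the hunks shown re-adds them under the new Distribution-specific Download Sites heading, and the Ubuntu repository named in the subject line does not appear in any visible hunk either; before merging, confirm in the full patch that all four links plus the Ubuntu one land in the new section rather than being dropped. The heading rename to "Standard Download Sites" and the matching table-of-contents entries in the first hunk are consistent with each other.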

Beginning with Shorewall 4.0.6, updated packages that include fixes to From ebd7a139fad97b14f73a8eb820714e82c4cc93c9 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Apr 2009 09:24:19 -0700 Subject: [PATCH 3/7] Add a link in the download page. Improve readability of the LEAF/Bering bullet Signed-off-by: Tom Eastep --- web/download.htm | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/web/download.htm b/web/download.htm index a9e74fc98..e1777f5d5 100644 --- a/web/download.htm +++ b/web/download.htm @@ -150,7 +150,8 @@ it from the Arch Linux site.

  • If you run a SUSE, Linux PPC, Trustix or TurboLinux distribution with a 2.4 -or 2.6 kernel, you can use the standard RPM version (note: the RPM +or 2.6 kernel, you can use the standard RPM version +(note: the RPM should also work with other distributions that store init scripts in /etc/init.d and that include chkconfig or insserv). If you find that it works in other cases, let me @@ -184,7 +185,10 @@ Hardy Heron.
    or one if it's derivatives, you can download a .lrp file from the Leaf site.

    -From the LEAF Bering-uClibc Team: We try to provide the latest stable +From the LEAF Bering-uClibc Team:
    +
    +

    +
    We try to provide the latest stable version shortly after release, but we also want to do some internal tests before making it available. So we may be behind sometimes. But better be sure that the new version is running on LEAF, than being too @@ -200,9 +204,9 @@ shorewall.lrp is part of the packages page:
    which itself links to cvs:

    http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/leaf/bin/bering-uclibc/packages/shorwall.lrp?rev=HEAD&content-type=application/octet-stream
    + href="http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/leaf/bin/bering-uclibc/packages/shorwall.lrp?rev=HEAD&content-type=application/octet-stream">http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/leaf/bin/bering-uclibc/packages/shorwall.lrp?rev=HEAD&content-type=application/octet-stream


    -

    +
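Review bot: the LEAF/Bering link this hunk wraps into its own paragraph still points at .../packages/shorwall.lrp (no "e"), while the sentence above it refers to shorewall.lrp; the filename is carried over unchanged from the old line, but since the patch is already reworking this bullet it is worth checking that the URL actually resolves and correcting it if the file is really shorewall.lrp. Splitting the RPM note in the first hunk and giving the Bering-uClibc quotation its own paragraph both read better than before.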
  • Shorewall packages for Slackware From 52546657f19ac63e78aa28d3068728e697751a25 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Apr 2009 14:38:33 -0700 Subject: [PATCH 4/7] Add a connection rate limiting doc Signed-off-by: Tom Eastep --- docs/ConnectionRate.xml | 99 ++++++++++++++++++++++++++++++++++++ docs/Documentation_Index.xml | 11 +++- 2 files changed, 109 insertions(+), 1 deletion(-) create mode 100644 docs/ConnectionRate.xml diff --git a/docs/ConnectionRate.xml b/docs/ConnectionRate.xml new file mode 100644 index 000000000..fe4c2e745 --- /dev/null +++ b/docs/ConnectionRate.xml @@ -0,0 +1,99 @@ + + +
    + + + + Connection Rate Limiting + + + + Tom + + Eastep + + + + + + + 2008 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
    + Introduction + + Shorewall supports several mechanisms for limiting connection rates. + These are described in the following sections. + + Rates are expressed in terms of a connections per unit + time and a burst. An + interval is calculated by dividing the unit of time + by the number of connections allowed in that unit of time + (connections/{||||week|month}[:burst] + + Example: 4/min:5 + + + Connections = 4 + + Unit of time = 1 minute + + Interval = 1 minute/4 = 15 seconds. + + Burst = 5 + + + As each connection arrives,if the burst count is > 0 the + burst count is reduced by one and the connection is + accepted. After each interval (15 seconds) that passes without a + connection arriving, the burst count is incremented + by 1 but is not allowed to exceed its initial setting (5). + + By default, the aggregate connection rate is limited. If the + specification is preceeded by "" or + "", then the rate is limited per SOURCE or per + DESTINATION IP address respectively. + +
    + Policy Rate Limiting + + The LIMIT:BURST column in the + /etc/shorewall/policy file applies to TCP + connections that are subject to the policy. The limiting is applied + BEFORE the connection request is passed through the rules generated by + entries in /etc/shorewall/rules. Those connections + in excess of the limit are logged and dropped. +
    + +
    + Rules Rate Limiting + + The RATE LIMIT column in the + /etc/shorewall/rules file allows limiting of + ACCEPT, DNAT and Action rules. +
    + +
    + Limit Action + + The Limit Action is a + legacy mechanism that limits connections per source IP. It does not + support the notion of a burst size. +
    +
    +
    diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml index ac73a6945..3f304b3fb 100644 --- a/docs/Documentation_Index.xml +++ b/docs/Documentation_Index.xml @@ -55,11 +55,20 @@ - 6to4 Tunnels + KVM (Kernel-mode Virtual Machine) + + + + + 6to4 Tunnels + + Limiting Connection + Rates + Shorewall Setup Guide From 271c339903458e859cda294ef77184292c878822 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Apr 2009 18:50:33 -0700 Subject: [PATCH 5/7] Make the mss interface option clear Signed-off-by: Tom Eastep --- manpages/shorewall-interfaces.xml | 2 +- manpages6/shorewall6-interfaces.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manpages/shorewall-interfaces.xml b/manpages/shorewall-interfaces.xml index c09355a2a..256e2e953 100644 --- a/manpages/shorewall-interfaces.xml +++ b/manpages/shorewall-interfaces.xml @@ -349,7 +349,7 @@ loc eth2 - mss[=number] + role="bold">mss=number Added in Shorewall 4.0.3. Causes forwarded TCP SYN diff --git a/manpages6/shorewall6-interfaces.xml b/manpages6/shorewall6-interfaces.xml index d0f59b07f..7989ff702 100644 --- a/manpages6/shorewall6-interfaces.xml +++ b/manpages6/shorewall6-interfaces.xml @@ -133,7 +133,7 @@ loc eth2 - mss[=number] + role="bold">mss=number Causes forwarded TCP SYN packets entering or leaving on From 516d361d09b739864d2966dbb480c0de83fa7e95 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 13 Apr 2009 07:26:01 -0700 Subject: [PATCH 6/7] Clarify the usage of the GATEWAY column when USE_DEFAULT_RT = Yes Signed-off-by: Tom Eastep --- docs/MultiISP.xml | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index ae17297c3..09429aa30 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml 
@@ -1042,16 +1042,6 @@ gateway:~ #Note that because we used a priority of 1000, the for inserting rules that bypass the main table. - - All provider gateways must be specified explicitly in the - GATEWAY column. 'detect' may not be specified. Note that for ppp - interfaces, the GATEWAY may remain unspecified ("-"). - 'detect' may be specified for interfaces whose - configuration is managed by dhcpcd. Shorewall will use dhcpcd's - database to determine the gateway IP address. - - - You should disable all default route management outside of Shorewall. If a default route is inadvertently added to the main @@ -1059,6 +1049,14 @@ gateway:~ #Note that because we used a priority of 1000, the working except for those routing rules in the priority range 1-998. + + + For ppp interfaces, the GATEWAY may remain unspecified ("-"). + For those interfaces managed by dhcpcd or dhclient, you may specify + 'detect' in the GATEWAY column; Shorewall will use the dhcp client's + database to determine the gateway IP address. All other interfaces + must have a GATEWAY specified explicitly. + Although 'balance' is automatically assumed when From eafad3389eaf5b24ee23e7640b7ce6816efeeede Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 14 Apr 2009 15:20:03 -0700 Subject: [PATCH 7/7] Fix Typo in FTP doc Signed-off-by: Tom Eastep --- docs/FTP.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/FTP.xml b/docs/FTP.xml index 6e81ff89d..abba2bd82 100644 --- a/docs/FTP.xml +++ b/docs/FTP.xml @@ -196,7 +196,7 @@ ftp> uname -r - Note: If you are running kernel 3.6.19 or earlier, then the module + Note: If you are running kernel 2.6.19 or earlier, then the module names are ip_nat_ftp and ip_conntrack_ftp and they are normally loaded from
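Review bot: the replacement paragraph in docs/MultiISP.xml broadens 'detect' from interfaces managed by dhcpcd to "dhcpcd or dhclient", a capability the removed text did not claim; confirm the compiler really reads dhclient's lease database before documenting it, and consider naming the database files it consults so readers running a different DHCP client know 'detect' will not work for them. Collapsing the old, self-contradicting wording (explicit GATEWAY required, then 'detect' allowed) into one rule and placing it after the default-route warning is a clear improvement.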