From 98f828f1c98edb3bebbae5aed55904f0516137c0 Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 14 Dec 2005 16:18:38 +0000 Subject: [PATCH] Console-friendly shorewall.conf git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3163 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 4 ++ Shorewall/releasenotes.txt | 106 ++++++++++++++----------------------- Shorewall/shorewall.conf | 23 ++++---- 3 files changed, 57 insertions(+), 76 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 27a19c3e1..3cfb0f715 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,3 +1,7 @@ +Changes in 3.0.4 + +1) Console-friendly version of shorewall.conf. + Changes in 3.0.3 1) Implement "shorewall show macros" diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index d11ae37b4..4be25e056 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 3.0.3 +Shorewall 3.0.4 Note to users upgrading from Shorewall 2.x 
@@ -46,71 +46,10 @@ Note to users upgrading from Shorewall 2.x Please see the "Migration Considerations" below for additional upgrade information. -Problems Corrected in 3.0.3 +Problems Corrected in 3.0.4 -1) The comments in the /etc/shorewall/shorewall.conf and - /etc/shorewall/hosts files have been changed to clarify when - BRIDGING=Yes is required when dealing with bridges. - -2) Thanks to Tuomo Soini, formatting of the comments in the tcdevices - and tcclasses files has been cleaned up. - -3) Specifying 'trace' on the 'safe-start' and 'safe-restart' command no - longer fails. - -4) The output of "shorewall help restore" has been corrected. It previously - printed incorrect syntax for that command. - -5) The README.txt file in the tarball was stale and contained incorrect - information. It has been corrected. - -6) The shorewall.conf default setting of CLEAR_TC was previously "No". Given - that the default setting of TC_ENABLED is "Internal", the setting of - CLREAR_TC has been changed to the more appropriate value of "Yes". - -7) Specifying an interface name in the SOURCE column of /etc/shorewall/tcrules - resulted in a startup error. - -8) When the 'install.sh' script is used on Debian, it now creates - /var/log/shorewall-init.log. And if perl is installed on the system then - STARTUP_ENABLED=Yes is specified in shorewall.conf (the user must still - set startup=1 in /etc/default/shorewall). - -New Features in 3.0.3 - -1) A "shorewall show macros" command has been added. This command displays - a list of the standard macros along with a brief description of each. - -2) The '-q' option is now supported with 'safe-start' and 'safe-restart'. - -3) The value "-" is now allowed in the ADDRESS/SUBNET column of - /etc/shorewall/blacklist. That value is equivalent to specifying - 0.0.0.0/0 in that column. - -4) The output of "shorewall show tc" and "shorewall show classifiers" is - now included in the output from "shorewall dump". 
This will aid us in - analyzing traffic shaping problems. - -5) You can now specify 'none' in the COPY column of /etc/shorewall/providers - to signal that you want Shorewall to only copy routes through the interface - listed in the INTERFACE column. - - Note: This works on older versions of Shorewall as well. It is - now documented. - -6) An 'ipdecimal' command has been added to /sbin/shorewall. This command - converts between dot-quad and decimal. - - Example: - - gateway:/etc/openvpn# shorewall ipdecimal 192.168.1.4 - 3232235780 - gateway:/etc/openvpn# shorewall ipdecimal 3232235780 - 192.168.1.4 - gateway:/etc/openvpn# - -7) /etc/init.d/shorewall now supports a 'reload' command which is - synonymous with the 'restart' command. +1) The shorewall.conf file is once again "console friendly". Patch is + courtesy of Tuomo Soini. Migration Considerations for Users upgrading from Shorewall 2.x. 
@@ -794,3 +733,40 @@ New Features in 3.0.2 1) A new Webmin macro has been added. This macro assumes that Webmin is running on its default port (10000). + +New Features in 3.0.3 + +1) A "shorewall show macros" command has been added. This command displays + a list of the standard macros along with a brief description of each. + +2) The '-q' option is now supported with 'safe-start' and 'safe-restart'. + +3) The value "-" is now allowed in the ADDRESS/SUBNET column of + /etc/shorewall/blacklist. That value is equivalent to specifying + 0.0.0.0/0 in that column. + +4) The output of "shorewall show tc" and "shorewall show classifiers" is + now included in the output from "shorewall dump". This will aid us in + analyzing traffic shaping problems. + +5) You can now specify 'none' in the COPY column of /etc/shorewall/providers + to signal that you want Shorewall to only copy routes through the interface + listed in the INTERFACE column. + + Note: This works on older versions of Shorewall as well. It is + now documented. + +6) An 'ipdecimal' command has been added to /sbin/shorewall. This command + converts between dot-quad and decimal. + + Example: + + gateway:/etc/openvpn# shorewall ipdecimal 192.168.1.4 + 3232235780 + gateway:/etc/openvpn# shorewall ipdecimal 3232235780 + 192.168.1.4 + gateway:/etc/openvpn# + +7) /etc/init.d/shorewall now supports a 'reload' command which is + synonymous with the 'restart' command. + diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf index a7b31fe0d..786881127 100755 --- a/Shorewall/shorewall.conf +++ b/Shorewall/shorewall.conf 
@@ -395,9 +395,9 @@ IP_FORWARDING=On # for each NAT external address that you give in /etc/shorewall/nat. If you say # "No" or "no", you must add these aliases youself. # -# WARNING: Addresses added by ADD_IP_ALIASES=Yes are deleted and re-added during -# processing of the "shorewall restart" command. As a consequence, connections -# using those addresses may be severed. +# WARNING: Addresses added by ADD_IP_ALIASES=Yes are deleted and re-added +# during processing of the "shorewall restart" command. As a consequence, +# connections using those addresses may be severed. # ADD_IP_ALIASES=Yes @@ -410,9 +410,9 @@ ADD_IP_ALIASES=Yes # say "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" # unless you are sure that you need it -- most people don't!!! # -# WARNING: Addresses added by ADD_SNAT_ALIASES=Yes are deleted and re-added during -# processing of the "shorewall restart" command. As a consequence, connections -# using those addresses may be severed. +# WARNING: Addresses added by ADD_SNAT_ALIASES=Yes are deleted and re-added +# during processing of the "shorewall restart" command. As a consequence, +# connections using those addresses may be severed. # ADD_SNAT_ALIASES=No 
@@ -688,11 +688,12 @@ DISABLE_IPV6=Yes # # BRIDGING # -# If you wish to restrict connections through a bridge (see http://bridge.sf.net), -# then set BRIDGING=Yes. Your kernel must have the physdev match option -# enabled; that option is available at the above URL for 2.4 kernels and -# is included as a standard part of the 2.6 series kernels. If not -# specified or specified as empty (BRIDGING="") then "No" is assumed. +# If you wish to restrict connections through a bridge +# (see http://bridge.sf.net), then set BRIDGING=Yes. Your kernel must have +# the physdev match option enabled; that option is available at the above URL +# for 2.4 kernels and is included as a standard part of the 2.6 series +# kernels. If not specified or specified as empty (BRIDGING="") then "No" is +# assumed. # BRIDGING=No
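Review bot: the new entry in Shorewall/changelog.txt ("1) Console-friendly version of shorewall.conf.") does not say what line width the comments were rewrapped to, so later edits to shorewall.conf have no stated limit to be checked against. Suggest naming the column limit in the changelog entry or in the release note that credits the patch.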
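Review bot: in Shorewall/releasenotes.txt, hunk @@ -46,71 +46,10 @@ deletes all eight "Problems Corrected in 3.0.3" entries, while hunk @@ -794,3 +733,40 @@ re-adds only "New Features in 3.0.3" at the end of the file, so the 3.0.3 fixes no longer appear anywhere in the release notes. That includes the change of the CLEAR_TC default to "Yes" and the tcrules SOURCE-column startup error, which someone upgrading across several releases would want to find. If dropping them is not intended, move that list to the end of the file next to the 3.0.3 features.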
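Review bot: in Shorewall/shorewall.conf, the context lines of hunks @@ -395,9 +395,9 @@ and @@ -410,9 +410,9 @@ both still read "you must add these aliases youself." Since this patch is already rewrapping the neighbouring comment paragraphs, correct "youself" to "yourself" in both places in the same change.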
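Review bot: the index lines for Shorewall/shorewall.conf, Shorewall/changelog.txt and Shorewall/releasenotes.txt all show mode 100755, although none of the three is a script. This patch does not introduce the mode, but a configuration file tracked as executable is worth correcting to 100644 in a follow-up so that packaging which preserves repository modes does not install it with the execute bit set.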