holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Console-friendly shorewall.conf

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3163 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-12-14 16:18:38 +00:00
parent 9d61e79412
commit 98f828f1c9
3 changed files with 57 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall/changelog.txt
View File

@ -1,3 +1,7 @@
Changes in 3.0.4
1) Console-friendly version of shorewall.conf.
Changes in 3.0.3 Changes in 3.0.3
1) Implement "shorewall show macros" 1) Implement "shorewall show macros"

106
Shorewall/releasenotes.txt
View File

@ -1,4 +1,4 @@
Shorewall 3.0.3 Shorewall 3.0.4
Note to users upgrading from Shorewall 2.x Note to users upgrading from Shorewall 2.x
@ -46,71 +46,10 @@ Note to users upgrading from Shorewall 2.x
Please see the "Migration Considerations" below for additional upgrade Please see the "Migration Considerations" below for additional upgrade
information. information.
Problems Corrected in 3.0.3 Problems Corrected in 3.0.4
1) The comments in the /etc/shorewall/shorewall.conf and 1) The shorewall.conf file is once again "console friendly". Patch is
/etc/shorewall/hosts files have been changed to clarify when courtesy of Tuomo Soini.
BRIDGING=Yes is required when dealing with bridges.
2) Thanks to Tuomo Soini, formatting of the comments in the tcdevices
and tcclasses files has been cleaned up.
3) Specifying 'trace' on the 'safe-start' and 'safe-restart' command no
longer fails.
4) The output of "shorewall help restore" has been corrected. It previously
printed incorrect syntax for that command.
5) The README.txt file in the tarball was stale and contained incorrect
information. It has been corrected.
6) The shorewall.conf default setting of CLEAR_TC was previously "No". Given
that the default setting of TC_ENABLED is "Internal", the setting of
CLREAR_TC has been changed to the more appropriate value of "Yes".
7) Specifying an interface name in the SOURCE column of /etc/shorewall/tcrules
resulted in a startup error.
8) When the 'install.sh' script is used on Debian, it now creates
/var/log/shorewall-init.log. And if perl is installed on the system then
STARTUP_ENABLED=Yes is specified in shorewall.conf (the user must still
set startup=1 in /etc/default/shorewall).
New Features in 3.0.3
1) A "shorewall show macros" command has been added. This command displays
a list of the standard macros along with a brief description of each.
2) The '-q' option is now supported with 'safe-start' and 'safe-restart'.
3) The value "-" is now allowed in the ADDRESS/SUBNET column of
/etc/shorewall/blacklist. That value is equivalent to specifying
0.0.0.0/0 in that column.
4) The output of "shorewall show tc" and "shorewall show classifiers" is
now included in the output from "shorewall dump". This will aid us in
analyzing traffic shaping problems.
5) You can now specify 'none' in the COPY column of /etc/shorewall/providers
to signal that you want Shorewall to only copy routes through the interface
listed in the INTERFACE column.
Note: This works on older versions of Shorewall as well. It is
now documented.
6) An 'ipdecimal' command has been added to /sbin/shorewall. This command
converts between dot-quad and decimal.
Example:
gateway:/etc/openvpn# shorewall ipdecimal 192.168.1.4
3232235780
gateway:/etc/openvpn# shorewall ipdecimal 3232235780
192.168.1.4
gateway:/etc/openvpn#
7) /etc/init.d/shorewall now supports a 'reload' command which is
synonymous with the 'restart' command.
Migration Considerations for Users upgrading from Shorewall 2.x. Migration Considerations for Users upgrading from Shorewall 2.x.
@ -794,3 +733,40 @@ New Features in 3.0.2
1) A new Webmin macro has been added. This macro assumes that Webmin is 1) A new Webmin macro has been added. This macro assumes that Webmin is
running on its default port (10000). running on its default port (10000).
New Features in 3.0.3
1) A "shorewall show macros" command has been added. This command displays
a list of the standard macros along with a brief description of each.
2) The '-q' option is now supported with 'safe-start' and 'safe-restart'.
3) The value "-" is now allowed in the ADDRESS/SUBNET column of
/etc/shorewall/blacklist. That value is equivalent to specifying
0.0.0.0/0 in that column.
4) The output of "shorewall show tc" and "shorewall show classifiers" is
now included in the output from "shorewall dump". This will aid us in
analyzing traffic shaping problems.
5) You can now specify 'none' in the COPY column of /etc/shorewall/providers
to signal that you want Shorewall to only copy routes through the interface
listed in the INTERFACE column.
Note: This works on older versions of Shorewall as well. It is
now documented.
6) An 'ipdecimal' command has been added to /sbin/shorewall. This command
converts between dot-quad and decimal.
Example:
gateway:/etc/openvpn# shorewall ipdecimal 192.168.1.4
3232235780
gateway:/etc/openvpn# shorewall ipdecimal 3232235780
192.168.1.4
gateway:/etc/openvpn#
7) /etc/init.d/shorewall now supports a 'reload' command which is
synonymous with the 'restart' command.

23
Shorewall/shorewall.conf
View File

@ -395,9 +395,9 @@ IP_FORWARDING=On
# for each NAT external address that you give in /etc/shorewall/nat. If you say # for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases youself. # "No" or "no", you must add these aliases youself.
# #
# WARNING: Addresses added by ADD_IP_ALIASES=Yes are deleted and re-added during # WARNING: Addresses added by ADD_IP_ALIASES=Yes are deleted and re-added
# processing of the "shorewall restart" command. As a consequence, connections # during processing of the "shorewall restart" command. As a consequence,
# using those addresses may be severed. # connections using those addresses may be severed.
# #
ADD_IP_ALIASES=Yes ADD_IP_ALIASES=Yes
@ -410,9 +410,9 @@ ADD_IP_ALIASES=Yes
# say "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" # say "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No"
# unless you are sure that you need it -- most people don't!!! # unless you are sure that you need it -- most people don't!!!
# #
# WARNING: Addresses added by ADD_SNAT_ALIASES=Yes are deleted and re-added during # WARNING: Addresses added by ADD_SNAT_ALIASES=Yes are deleted and re-added
# processing of the "shorewall restart" command. As a consequence, connections # during processing of the "shorewall restart" command. As a consequence,
# using those addresses may be severed. # connections using those addresses may be severed.
# #
ADD_SNAT_ALIASES=No ADD_SNAT_ALIASES=No
@ -688,11 +688,12 @@ DISABLE_IPV6=Yes
# #
# BRIDGING # BRIDGING
# #
# If you wish to restrict connections through a bridge (see http://bridge.sf.net), # If you wish to restrict connections through a bridge
# then set BRIDGING=Yes. Your kernel must have the physdev match option # (see http://bridge.sf.net), then set BRIDGING=Yes. Your kernel must have
# enabled; that option is available at the above URL for 2.4 kernels and # the physdev match option enabled; that option is available at the above URL
# is included as a standard part of the 2.6 series kernels. If not # for 2.4 kernels and is included as a standard part of the 2.6 series
# specified or specified as empty (BRIDGING="") then "No" is assumed. # kernels. If not specified or specified as empty (BRIDGING="") then "No" is
# assumed.
# #
BRIDGING=No BRIDGING=No