forked from extern/shorewall_code
Update to Beta 4
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6490 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
c03b030025
commit
9ab052f772
@ -10,6 +10,8 @@ Changes in 4.0.0 Beta 3
|
|||||||
|
|
||||||
5) Add new bridge code.
|
5) Add new bridge code.
|
||||||
|
|
||||||
|
6) Fix bad bug in exclusion.
|
||||||
|
|
||||||
Changes in 4.0.0 Beta 2
|
Changes in 4.0.0 Beta 2
|
||||||
|
|
||||||
1) Fix screwup in get_routed_networks().
|
1) Fix screwup in get_routed_networks().
|
||||||
|
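Review bot: item 6, "Fix bad bug in exclusion.", does not say where exclusion was broken or what the symptom was; the releasenotes.txt hunk in this same commit identifies it as exclusion in /etc/shorewall/hosts generating wrong rules, so carry that detail here, e.g. "6) Fix bad bug in exclusion in /etc/shorewall/hosts (incorrect rules generated)." A changelog line a user greps for after an incident should name the file and the effect, not just "bad bug".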
@ -28,7 +28,7 @@
|
|||||||
# shown below. Simply run this script to revert to your prior version of
|
# shown below. Simply run this script to revert to your prior version of
|
||||||
# Shoreline Firewall.
|
# Shoreline Firewall.
|
||||||
|
|
||||||
VERSION=4.0.0-Beta3
|
VERSION=4.0.0-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
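Review bot: VERSION=4.0.0-Beta4 is a hand-edited literal, and this commit repeats the same edit in every install, uninstall and fallback script of all four packages, plus a differently formatted "0Beta4" in each .spec. The scripts' own comments say they only act on the version shown, so one missed file leaves an uninstall or fallback script that refuses to handle the version it actually shipped with. Consider substituting VERSION from a single source at packaging time, or at least have the build grep every copy and fail on a mismatch.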
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.0.0-Beta3
|
VERSION=4.0.0-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -21,6 +21,9 @@ Problems corrected in 4.0.0 Beta 4.
|
|||||||
attempt to override NONE policies with the result that the compile
|
attempt to override NONE policies with the result that the compile
|
||||||
phase fails (Shorewall-perl only).
|
phase fails (Shorewall-perl only).
|
||||||
|
|
||||||
|
2) When exclusion is used in the /etc/shorewall/hosts file, correct
|
||||||
|
rules are now generated.
|
||||||
|
|
||||||
Other changes in Shorewall 4.0.0 Beta 3.
|
Other changes in Shorewall 4.0.0 Beta 3.
|
||||||
|
|
||||||
1) Shorewall-perl has a new implementation of bridging code that works
|
1) Shorewall-perl has a new implementation of bridging code that works
|
||||||
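Review bot: item 2 says correct rules "are now generated" for hosts-file exclusion but not what Beta 3 generated instead. For a firewall fix this is the detail operators need: did the excluded addresses end up inside the zone (the zone's policies then applied to hosts meant to be kept out), or was the whole entry dropped? State which, so Beta 3 users can judge their exposure and whether to recompile immediately rather than at the next scheduled restart.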
@ -172,15 +175,83 @@ Migration Considerations:
|
|||||||
b) Now that Netfilter has features to deal reasonably with port lists,
|
b) Now that Netfilter has features to deal reasonably with port lists,
|
||||||
I see no reason to duplicate those features in Shorewall. The
|
I see no reason to duplicate those features in Shorewall. The
|
||||||
Bourne-shell compiler goes to great pain (in some cases) to
|
Bourne-shell compiler goes to great pain (in some cases) to
|
||||||
break very long port lists ( > 15 where port ranges in lists count
|
break very long port lists ( > 15 where port ranges in lists
|
||||||
as two ports) into individual rules. In the new compiler, I'm
|
count as two ports) into individual rules. In the new compiler, I'm
|
||||||
avoiding the ugliness required to do that. The new compiler just
|
avoiding the ugliness required to do that. The new compiler just
|
||||||
generates an error if your list is too long. It will also produce
|
generates an error if your list is too long. It will also produce
|
||||||
an error if you insert a port range into a port list and you don't
|
an error if you insert a port range into a port list and you don't
|
||||||
have extended multiport support.
|
have extended multiport support.
|
||||||
|
|
||||||
c) BRIDGING=Yes is not supported. The kernel code necessary to
|
c) The old BRIDGEING=Yes support has been replaced by new bridge
|
||||||
support this option was removed in Linux kernel 2.6.20.
|
support that uses the reduced 'physdev match' capabilities found
|
||||||
|
in kernel 2.6.20 and later. This new implementation may be used
|
||||||
|
where it is desired to control traffic through a bridge.
|
||||||
|
|
||||||
|
The new implementation includes the following features:
|
||||||
|
|
||||||
|
a) A new "Bridge Port" zone type is defined. Specify 'bport' or
|
||||||
|
'bport4' in the TYPE column of /etc/shorewall/zones.
|
||||||
|
|
||||||
|
Bridge Port zones must be a sub-zone of a regular ipv4 zone
|
||||||
|
that represents all hosts attached to the bridge.
|
||||||
|
|
||||||
|
b) A new 'bridge' option is defined for entries in
|
||||||
|
/etc/shorewall/interfaces. Bridges should have this option
|
||||||
|
specified if traffic through the bridge is to be controlled
|
||||||
|
with rules/policies.
|
||||||
|
|
||||||
|
c) Bridge ports must now be defined in
|
||||||
|
/etc/shorewall/interfaces. The INTERFACE column contains
|
||||||
|
both the bridge name and the port name separated by a colon
|
||||||
|
(e.g., "br0:eth1"). No OPTIONS are allowed for bridge
|
||||||
|
ports. The bridge must be defined before its ports.
|
||||||
|
|
||||||
|
Bridge Port (BP) zones have a number of limitations:
|
||||||
|
|
||||||
|
a) Each BP zone may only be associated with ports on a single
|
||||||
|
bridge.
|
||||||
|
|
||||||
|
b) BP zones may not be associated with interfaces that are not
|
||||||
|
bridge ports.
|
||||||
|
|
||||||
|
c) You may not have policies or rules where the DEST is a BP
|
||||||
|
zone but the source is not a BP zone. If you need such
|
||||||
|
rules, you must use the BP zone's parent zone as the DEST.
|
||||||
|
|
||||||
|
Example (Bridge br0 with ports eth1 and tap0):
|
||||||
|
|
||||||
|
/etc/shorewall/zones:
|
||||||
|
|
||||||
|
fw firewall
|
||||||
|
net ipv4
|
||||||
|
loc ipv4
|
||||||
|
lan:loc bport
|
||||||
|
vpn:loc bport
|
||||||
|
|
||||||
|
/etc/shorewall/interfaces:
|
||||||
|
|
||||||
|
net eth0 - ...
|
||||||
|
loc br0 - ...
|
||||||
|
lan eth1
|
||||||
|
vpn tap0
|
||||||
|
|
||||||
|
When using the /etc/shorewall/hosts file to define a bport4
|
||||||
|
zone, you specify only the port name:
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
/etc/shorewall/zones:
|
||||||
|
|
||||||
|
fw firewall
|
||||||
|
net ipv4
|
||||||
|
loc ipv4
|
||||||
|
lan:loc bport
|
||||||
|
vpn:loc bport
|
||||||
|
|
||||||
|
/etc/shorewall/hosts
|
||||||
|
|
||||||
|
lan eth1:192.168.2.0/24 ...
|
||||||
|
|
||||||
|
|
||||||
d) The BROADCAST column in the interfaces file is essentially unused;
|
d) The BROADCAST column in the interfaces file is essentially unused;
|
||||||
if you enter anything in this column but '-' or 'detect', you will
|
if you enter anything in this column but '-' or 'detect', you will
|
||||||
|
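Review bot: the interfaces example under (c) contradicts the rule stated a few lines above it. The text says a bridge port's INTERFACE column carries the bridge name and port name separated by a colon ("br0:eth1"), yet the example lists "lan eth1" and "vpn tap0"; change those to "lan br0:eth1" and "vpn br0:tap0" (still with no OPTIONS, and after the "loc br0" line so the bridge is defined first), otherwise readers copying the example get a configuration the new compiler will not accept as bridge ports. Two smaller points in the same hunk: the first new line of (c) spells it "BRIDGEING=Yes" while the removed line had "BRIDGING=Yes", and "reduced 'physdev match' capabilities found in kernel 2.6.20" never says which capability was lost, which is exactly what limitation (c) (no rules with a BP zone as DEST unless the SOURCE is also a BP zone) follows from. One sentence on that would tell readers why traffic from net into the bridge can only be filtered at the parent zone, i.e. per bridge rather than per port.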
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall
|
%define name shorewall
|
||||||
%define version 4.0.0
|
%define version 4.0.0
|
||||||
%define release 0Beta3
|
%define release 0Beta4
|
||||||
%define prefix /usr
|
%define prefix /usr
|
||||||
|
|
||||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||||
@ -252,6 +252,8 @@ fi
|
|||||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
|
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.0.0-0Beta4
|
||||||
* Tue Jun 05 2007 Tom Eastep tom@shorewall.net
|
* Tue Jun 05 2007 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.0.0-0Beta3
|
- Updated to 4.0.0-0Beta3
|
||||||
* Tue May 15 2007 Tom Eastep tom@shorewall.net
|
* Tue May 15 2007 Tom Eastep tom@shorewall.net
|
||||||
|
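Review bot: the new %changelog entry only repeats the version string. The rpm changelog is what "rpm -q --changelog shorewall" shows an administrator, so name the two user-visible changes this commit documents in releasenotes.txt (new bridge port support replacing BRIDGING=Yes, and the /etc/shorewall/hosts exclusion fix) rather than just "Updated to 4.0.0-0Beta4". The same applies to the shorewall-lite, shorewall-perl and shorewall-shell spec entries below.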
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
# shown below. Simply run this script to remove Shorewall Firewall
|
||||||
|
|
||||||
VERSION=4.0.0-Beta3
|
VERSION=4.0.0-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -28,7 +28,7 @@
|
|||||||
# shown below. Simply run this script to revert to your prior version of
|
# shown below. Simply run this script to revert to your prior version of
|
||||||
# Shoreline Firewall.
|
# Shoreline Firewall.
|
||||||
|
|
||||||
VERSION=4.0.0-Beta3
|
VERSION=4.0.0-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.0.0-Beta3
|
VERSION=4.0.0-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall-lite
|
%define name shorewall-lite
|
||||||
%define version 4.0.0
|
%define version 4.0.0
|
||||||
%define release 0Beta3
|
%define release 0Beta4
|
||||||
%define prefix /usr
|
%define prefix /usr
|
||||||
|
|
||||||
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
||||||
@ -99,6 +99,8 @@ fi
|
|||||||
%doc COPYING changelog.txt releasenotes.txt
|
%doc COPYING changelog.txt releasenotes.txt
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.0.0-0Beta4
|
||||||
* Tue Jun 05 2007 Tom Eastep tom@shorewall.net
|
* Tue Jun 05 2007 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.0.0-0Beta3
|
- Updated to 4.0.0-0Beta3
|
||||||
* Tue May 15 2007 Tom Eastep tom@shorewall.net
|
* Tue May 15 2007 Tom Eastep tom@shorewall.net
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
# shown below. Simply run this script to remove Shorewall Firewall
|
||||||
|
|
||||||
VERSION=4.0.0-Beta3
|
VERSION=4.0.0-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.0.0-Beta3
|
VERSION=4.0.0-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall-perl
|
%define name shorewall-perl
|
||||||
%define version 4.0.0
|
%define version 4.0.0
|
||||||
%define release 0Beta3
|
%define release 0Beta4
|
||||||
%define prefix /usr
|
%define prefix /usr
|
||||||
|
|
||||||
Summary: Shoreline Firewall Perl-based compiler.
|
Summary: Shoreline Firewall Perl-based compiler.
|
||||||
@ -81,6 +81,8 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%doc COPYING releasenotes.txt
|
%doc COPYING releasenotes.txt
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.0.0-0Beta4
|
||||||
* Tue Jun 05 2007 Tom Eastep tom@shorewall.net
|
* Tue Jun 05 2007 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.0.0-0Beta3
|
- Updated to 4.0.0-0Beta3
|
||||||
* Sat May 26 2007 Tom Eastep tom@shorewall.net
|
* Sat May 26 2007 Tom Eastep tom@shorewall.net
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.0.0-Beta3
|
VERSION=4.0.0-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall-shell
|
%define name shorewall-shell
|
||||||
%define version 4.0.0
|
%define version 4.0.0
|
||||||
%define release 0Beta3
|
%define release 0Beta4
|
||||||
%define prefix /usr
|
%define prefix /usr
|
||||||
|
|
||||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||||
@ -64,6 +64,8 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%doc COPYING INSTALL
|
%doc COPYING INSTALL
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.0.0-0Beta4
|
||||||
* Tue Jun 05 2007 Tom Eastep tom@shorewall.net
|
* Tue Jun 05 2007 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.0.0-0Beta3
|
- Updated to 4.0.0-0Beta3
|
||||||
* Tue May 15 2007 Tom Eastep tom@shorewall.net
|
* Tue May 15 2007 Tom Eastep tom@shorewall.net
|
||||||
|