diff --git a/Shorewall2/actions.std b/Shorewall2/actions.std
index a80dfdf7d..7c461c186 100644
--- a/Shorewall2/actions.std
+++ b/Shorewall2/actions.std
@@ -28,7 +28,8 @@ AllowPOP3 #Allow reading mail via POP3
 AllowIMAP #Allow reading mail via IMAP
 AllowTelnet #Allow Telnet Access (not recommended for use over the
 #Internet)
-AllowVNC #Allow VNC, Displays 0-9
+AllowVNC #Allow VNC viewer->server, Displays 0-9
+AllowVNCL #Allow VNC server->viewer in listening mode
 AllowNTP #Allow Network Time Protocol (ntpd)
 AllowRdate #Allow remote time (rdate).
 AllowNNTP #Allow network news (Usenet).
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index a3aa9d139..d5844bb9e 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -2800,7 +2800,7 @@ add_a_rule()
 fatal_error "Only DNAT and REDIRECT rules may specify destination mapping; rule \"$rule\""
 fi

- if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
+ if [ -z "$dnat_only" ]; then
 if [ -n "$serv" ]; then
 for serv1 in $(separate_list $serv); do
 for srv in $(ip_range $serv1); do
@@ -3793,10 +3793,10 @@ setup_masq()
 ;;
 esac

+ addrlist=
 if [ -n "$addresses" ]; then
- temp=
 for address in $(separate_list $addresses); do
- temp="$temp --to-source $address"
+ addrlist="$addrlist --to-source $address"
 done
 fi

@@ -3804,7 +3804,7 @@ setup_masq()
 for s in $subnet; do
 if [ -n "$addresses" ]; then
 for destnet in $(separate_list $destnets); do
- addnatrule $chain -s $s -d $destnet -j SNAT $temp
+ addnatrule $chain -s $s -d $destnet -j SNAT $addrlist
 done
 echo " To $destination from $s through ${interface} using $addresses"
 else
@@ -3814,9 +3814,9 @@ setup_masq()
 echo " To $destination from $s through ${interface}"
 fi
 done
- elif [ -n "$address" ]; then
+ elif [ -n "$addresses" ]; then
 for destnet in $(separate_list $destnets); do
- addnatrule $chain -d $destnet -j SNAT $temp
+ addnatrule $chain -d $destnet -j SNAT $addrlist
 done
 echo " To $destination from $source through ${interface} using $addresses"
 else
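Review bot: In add_a_rule the rewritten guard `if [ -z "$dnat_only" ]; then` drops the `$chain != ${FW}2${FW}` exclusion without a comment, so the per-server loop below it now also runs for rules in the firewall-to-firewall chain. That widens what gets generated for local traffic, and the visible release-notes hunk does not mention it. A short comment above the test would record the intent, e.g. `# fw->fw rules get the same per-server rules as every other chain`. The loop body and the rest of add_a_rule lie outside the hunk, so what is actually emitted for that chain should be confirmed against the full function.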
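Review bot: `addrlist` is built from each `$address` as-is and then expanded unquoted in `addnatrule ... -j SNAT $addrlist`, in the setup_masq hunks at -3793, -3804 and -3814, so every entry of `$addresses` is word-split and glob-expanded on its way into the rule. Nothing visible checks the entries first. If the column is only meant to hold address[-address][:port[-port]] values, a guard inside the `for address` loop such as `case $address in *[!0-9.:-]*) fatal_error "Invalid SNAT address \"$address\"" ;; esac` would reject anything else before it reaches iptables. setup_masq starts and ends outside these hunks, so an earlier validation step may exist that is not shown here.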
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index e116d0fd0..567dba86b 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt @@ -135,8 +135,13 @@ Issues when migrating from Shorewall to Shorewall2: Mirrors #Accept traffic from Shorewall Mirrors - Drop:DROP - Reject:REJECT + MyDrop:DROP + MyReject:REJECT + + At any rate, if you have an existing /etc/shorewall/actions file, + then you MUST either add "INCLUDE /etc/shorewall/actions.std" to + that file or you must include the definitions similar to mine above + in your /etc/shorewall/actions file. 5) The /etc/shorewall2 directory no longer contains a 'users' file or a 'usersets' file. Similar functionality is now available using @@ -150,14 +155,14 @@ Issues when migrating from Shorewall to Shorewall2: The last column in /etc/shorewall2/rules is now labeled USER/GROUP and may contain: - [!][:] + [!][:] [!][:] - [!]: [!]: - [!]: - [!]: - [!]: + [!]: [!]: + [!]: + [!]: + [!]: 6) It is no longer possible to specify rate limiting in the ACTION column of /etc/shorewall2/rules -- you must use the RATE LIMIT diff --git a/Shorewall2/rules b/Shorewall2/rules index ed8598514..8311cfc25 100755 --- a/Shorewall2/rules +++ b/Shorewall2/rules @@ -36,6 +36,7 @@ # Like REDIRET but only generates the # REDIRECT iptables rule and not # the companion ACCEPT rule. +# # CONTINUE -- (For experts only). Do not process # any of the following rules for this # (source zone,destination zone). If