forked from extern/shorewall_code
Update release notes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9557 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent e6fa6a5153
commit d34d0a5dfa
@ -4,7 +4,7 @@ Shorewall 4.3 is the development thread for Shorewall 4.4 which will be
released late in 2009.
----------------------------------------------------------------------------
R E L E A S E 4 . 4 H I G H L I G H T S
R E L E A S E 4 . 3 H I G H L I G H T S
----------------------------------------------------------------------------
1) Support for Shorewall-shell has been discontinued. Shorewall-perl
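Review bot: the highlights banner switches between "R E L E A S E 4 . 4" and "R E L E A S E 4 . 3" while the unchanged opening line of the file still says 4.3 is the development thread for 4.4, released late in 2009; whichever label is intended, the banner, that opening sentence and the "New Features in Shorewall 4.x" heading changed in the last hunk should all carry the same version number.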
@ -12,7 +12,14 @@ released late in 2009.
Shorewall package.
2) The interfaces file OPTIONs have been extended to largely remove the
need for the hosts file.
need for the hosts file.
3) It is now possible to define PREROUTING and OUTPUT marking rules
that cause new connections to use the same provider as an existing
connection of the same kind.
4) Shorewall now supports NOTRACK rules (this feature will also be
released in Shorewall 4.2.7).
Problems corrected in 4.3.6
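Review bot: "need for the hosts file." appears as both the removed and the added line with identical visible text, so that part of the hunk is a whitespace-only change; unless the indentation under item 2 is being corrected on purpose, revert it so the hunk only adds items 3 and 4. Item 3 also says nothing about where the new PREROUTING and OUTPUT marking rules are written; naming the configuration file, as item 4's note names the 4.2.7 release, would help readers find the feature.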
@ -47,12 +54,65 @@ None.
New Features in Shorewall 4.3.6
None.
1) To allow bypassing of connection tracking for certain traffic,
/etc/shorewall/notrack and /etc/shorewall6/notrack files have been
added.
New Features in Shorewall 4.4
Columns in the file are:
SOURCE - <zone>[:<interface>][:<address list>]
DEST - [<address list>]
PROTO - <protocol name or number>
DEST PORT(S) - <port number list>
SOURCE PORT(S) - <port number list>
USER/GROUP - [<user>][:<group>]
May only be specified if the SOURCE <zone> is $FW.
Traffic that matches all given criteria will not be subject to
connection tracking. For such traffic, your policies and/or rules
must deal with ALL of the packets involved, in both the original
and the opposite directions. All untracked traffic is passed
through the relevant rules in the NEW section of the rules
file. Untracked encapsulated tunnel traffic can be handled by
entries in /etc/shorewall/tunnels just like tracked traffic
is. Because every packet of an untracked connection must pass
through the NEW section rules, it is suggested that rules that deal
with untracked traffic should appear at the top of the file.
Example:
/etc/shorewall/tunnels:
#TYPE ZONE GATEWAY
6to4 net
/etc/shorewall/notrack
#SOURCE DEST PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP
net:!192.88.99.1 - 41
Given that 192.88.99.1 is an anycast address, many hosts can
respond to outward traffic to that address. The entry in
/etc/shorewall/tunnels allows protocol 41 net<->fw. The entry in
/etc/shorewall/notrack prevents the inbound traffic from creating
additional useless conntrack entries.
As part of this change, the 'show' command is enhanced to support a
'show raw' command that is an alias for 'show -t raw'. The raw
table is where NOTRACK rules are created. The dump command is also
enhanced to display the contents of the raw table.
New Features in Shorewall 4.3
1) The Shorewall packaging has been completely revamped in Shorewall
4.4.
4.3.
The new packages are: