diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 6a08c6403..15f4d3e9e 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -4,7 +4,7 @@ Shorewall 4.3 is the development thread for Shorewall 4.4 which will be released late in 2009. ---------------------------------------------------------------------------- - R E L E A S E 4 . 4 H I G H L I G H T S + R E L E A S E 4 . 3 H I G H L I G H T S ---------------------------------------------------------------------------- 1) Support for Shorewall-shell has been discontinued. Shorewall-perl @@ -12,7 +12,14 @@ released late in 2009. Shorewall package. 2) The interfaces file OPTIONs have been extended to largely remove the - need for the hosts file. + need for the hosts file. + +3) It is now possible to define PREROUTING and OUTPUT marking rules + that cause new connections to use the same provider as an existing + connection of the same kind. + +4) Shorewall now supports NOTRACK rules (this feature will also be + released in Shorewall 4.2.7). Problems corrected in 4.3.6 @@ -47,12 +54,65 @@ None. New Features in Shorewall 4.3.6 -None. +1) To allow bypassing of connection tracking for certain traffic, + /etc/shorewall/notrack and /etc/shorewall6/notrack files have been + added. -New Features in Shorewall 4.4 + Columns in the file are: + + SOURCE - [:][:
] + + DEST - [
] + + PROTO - + + DEST PORT(S) - + + SOURCE PORT(S) - + + USER/GROUP - [][:] + + May only be specified if the SOURCE is $FW. + + Traffic that matches all given criteria will not be subject to + connection tracking. For such traffic, your policies and/or rules + must deal with ALL of the packets involved, in both the original + and the opposite directions. All untracked traffic is passed + through the relevant rules in the NEW section of the rules + file. Untracked encapsulated tunnel traffic can be handled by + entries in /etc/shorewall/tunnels just like tracked traffic + is. Because every packet of an untracked connection must pass + through the NEW section rules, it is suggested that rules that deal + with untracked traffic should appear at the top of the file. + + Example: + + /etc/shorewall/tunnels: + + #TYPE ZONE GATEWAY + 6to4 net + + /etc/shorewall/notrack + + #SOURCE DEST PROTO DEST SOURCE USER/ + # PORT(S) PORT(S) GROUP + net:!192.88.99.1 - 41 + + Given that 192.88.99.1 is an anycast address, many hosts can + respond to outward traffic to that address. The entry in + /etc/shorewall/tunnels allows protocol 41 net<->fw. The entry in + /etc/shorewall/notrack prevents the inbound traffic from creating + additional useless conntrack entries. + + As part of this change, the 'show' command is enhanced to support a + 'show raw' command that is an alias for 'show -t raw'. The raw + table is where NOTRACK rules are created. The dump command is also + enhanced to display the contents of the raw table. + +New Features in Shorewall 4.3 1) The Shorewall packaging has been completely revamped in Shorewall - 4.4. + 4.3. The new packages are:
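Review bot: highlight 3 in the second hunk (PREROUTING and OUTPUT marking rules that make new connections use the same provider as an existing connection of the same kind) has no matching entry under "New Features in Shorewall 4.3.6" or "New Features in Shorewall 4.3" anywhere in this patch, while highlight 4 (NOTRACK) is documented in full further down; either add the corresponding new-feature entry (which file and columns carry the new marking rules) or name the release whose notes describe it, otherwise the highlight points at nothing. Separately, the `need for the hosts file.` line is removed and re-added as visually identical text, which is a whitespace-only change that adds noise to the diff; drop it unless trailing-whitespace cleanup is the intent.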
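Review bot: the third hunk documents new files (/etc/shorewall/notrack and /etc/shorewall6/notrack), a new `show raw` alias for `show -t raw`, and an extended `dump`, but this diff touches only Shorewall/releasenotes.txt; confirm that the compiler, CLI and manpage changes land in the same change set, or reference their commit, so the notes do not describe behaviour that is not yet in the tree. On the text itself, the warning that untracked traffic is not subject to connection tracking and that "your policies and/or rules must deal with ALL of the packets involved, in both the original and the opposite directions" is the security-relevant part and should be made more explicit: state plainly that reply packets of an untracked flow cannot be matched by connection state and therefore receive none of the automatic acceptance that tracked replies get, which is exactly why the example relies on the /etc/shorewall/tunnels entry to allow protocol 41 net<->fw before the notrack entry removes the conntrack entries. The column list would also benefit from a line stating the "-" (any) convention that the example uses in DEST, since the descriptions list only the value forms and the one USER/GROUP restriction.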