From e30c2a7ec8041959e238afb068d7dcf2cb9454a5 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 13 Jan 2004 22:33:26 +0000 Subject: [PATCH] Shorewall 1.4.9 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1081 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-Website/News.htm | 117 +++++++++++++++++++- Shorewall-Website/Shorewall_index_frame.htm | 3 - Shorewall-Website/download.htm | 25 ++--- Shorewall-Website/seattlefirewall_index.htm | 19 ++-- Shorewall-Website/shorewall_index.htm | 2 +- Shorewall-Website/sourceforge_index.htm | 18 +-- 6 files changed, 143 insertions(+), 41 deletions(-) diff --git a/Shorewall-Website/News.htm b/Shorewall-Website/News.htm index 7f0ff1866..74602efdd 100644 --- a/Shorewall-Website/News.htm +++ b/Shorewall-Website/News.htm @@ -9,7 +9,7 @@

Shorewall News Archive

Tom Eastep

-
Copyright © 2001-2003 Thomas M. Eastep
+Copyright © 2001-2004 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; @@ -18,9 +18,116 @@ Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

-

2003-12-31
+

2004-01-13


+

1/13/2004 - Shorewall 1.4.9
+

+

Problems Corrected since version 1.4.8:
+

+
    +
  1. There has been a low continuing level of confusion over the +terms "Source NAT" (SNAT) and "Static NAT". To avoid future +confusion, all instances of "Static NAT" have been replaced with +"One-to-one NAT" in the documentation and configuration files.
  2. +
  3. The description of NEWNOTSYN in shorewall.conf has been +reworded for clarity.
  4. +
  5. Wild-card rules (those involving "all" as SOURCE or DEST) +will +no longer produce an error if they attempt to add a rule that would +override a NONE policy. The logic for expanding these wild-card +rules now simply skips those (SOURCE,DEST) pairs that have a NONE +policy.
  6. +
  7. DNAT rules that also specified SNAT now work reliably. +Previously, +there were cases where the SNAT specification was effectively ignored.
  8. +
+

Migration Issues:
+
+    None.
+
+New Features:
+

+
    +
  1. The documentation has been completely rebased to Docbook +XML. The +documentation is now released as separate HTML and XML packages.
  2. +
  3. To cut down on the number of "Why are these ports closed +rather +than stealthed?" questions, the SMB-related rules in +/etc/shorewall/common.def have been changed from 'reject' to +'DROP'.
  4. +
  5. For easier identification, packets logged under the +'norfc1918' +interface option are now logged out of chains named 'rfc1918'. +Previously, such packets were logged under chains named +'logdrop'.
  6. +
  7. Distributors and developers seem to be regularly inventing +new +naming conventions for kernel modules. To avoid the need to change +Shorewall code for each new convention, the MODULE_SUFFIX option +has been added to shorewall.conf. MODULE_SUFFIX may be set to the +suffix for module names in your particular distribution. If +MODULE_SUFFIX is not set in shorewall.conf, Shorewall will use the +list "o gz ko o.gz".
    +
    +To see what suffix is used by your distribution:
    +
    +ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
    +
    +All of the files listed should have the same suffix (extension). +Set MODULE_SUFFIX to that suffix.
    +
    +Examples:
    +
    +     If all files end in ".kzo" then set +MODULE_SUFFIX="kzo"
    +     If all files end in ".kz.o" then set +MODULE_SUFFIX="kz.o"
  8. +
  9. Support for user defined rule ACTIONS has been implemented +through two new files:
    +
    +/etc/shorewall/actions - used to list the user-defined ACTIONS.
    +/etc/shorewall/action.template - For each user defined +<action>, copy this file to +/etc/shorewall/action.<action> and add the appropriate rules +for that <action>. Once an <action> has been defined, +it may be used like any of the builtin ACTIONS (ACCEPT, DROP, etc.) +in /etc/shorewall/rules.
    +
    +Example: You want an action that logs a packet at the 'info' level +and accepts the connection.
    +
    +In /etc/shorewall/actions, you would add:
    +
    +     LogAndAccept
    +
    +You would then copy /etc/shorewall/action.template to +/etc/shorewall/action.LogAndAccept and in that file, you would add the +two +rules:
    +        LOG:info
    +        ACCEPT
  10. +
  11. The default value for NEWNOTSYN in shorewall.conf is now +"Yes" (non-syn +TCP packets that are not part of an existing connection are filtered +according to the rules and policies rather than being dropped). I have +made this change for two reasons:
    +
    +a) NEWNOTSYN=No tends to result in lots of "stuck" connections since +any timeout during TCP session tear down results in the firewall +dropping all of the retries.
    +
    +b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in +lots of confusing messages when a connection got "stuck". While I could +have changed the default value of LOGNEWNOTSYN to suppress logging, I +dislike defaults that silently throw away packets.
  12. +
  13. The common.def file now contains an entry that silently drops +ICMP +packets with a null source address. Ad Koster reported a case where +these were occuring frequently as a result of a broken system on his +external network.
  14. +

12/29/2003 - Shorewall 1.4.9 Beta 2

http://shorewall.net/pub/shorewall/Beta
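Review bot: "Migration Issues: None." is contradicted by three items under New Features in this same hunk: the NEWNOTSYN default flips from No to Yes (non-SYN TCP packets that match no existing connection are now passed through the rules and policies instead of being dropped), the SMB-related rules in /etc/shorewall/common.def change from 'reject' to 'DROP', and packets logged under the 'norfc1918' option move from chains named 'logdrop' to chains named 'rfc1918'. Each one changes filtering behaviour or log output that an upgrading user may depend on (the chain rename in particular will break any log filter keyed on 'logdrop'), so list them under Migration Issues with the old and new behaviour stated side by side. Also "occuring" in the ICMP null-source item should read "occurring".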
@@ -98,7 +205,8 @@ In /etc/shorewall/actions, you would add:
     LogAndAccept

You would then copy /etc/shorewall/action.template to -/etc/shorewall/LogAndAccept and in that file, you would add the two +/etc/shorewall/action.LogAndAccept and in that file, you would add the +two rules:
        LOG:info
        ACCEPT
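Review bot: The corrected path /etc/shorewall/action.LogAndAccept matches the action.<action> convention described in the 1.4.9 notes, but the same LogAndAccept example is repeated in News.htm (this hunk and the next), seattlefirewall_index.htm and sourceforge_index.htm, and the wrong path had to be patched in every copy. Consider keeping the release notes in one file and linking to it from the index pages so that a correction lands once rather than four times.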
@@ -194,7 +302,8 @@ In /etc/shorewall/actions, you would add:
     LogAndAccept

You would then copy /etc/shorewall/action.template to -/etc/shorewall/LogAndAccept and in that file, you would add the two +/etc/shorewall/action.LogAndAccept and in that file, you would add the +two rules:
        LOG:info
        ACCEPT
diff --git a/Shorewall-Website/Shorewall_index_frame.htm b/Shorewall-Website/Shorewall_index_frame.htm index b2d977b30..8f7518a8f 100644 --- a/Shorewall-Website/Shorewall_index_frame.htm +++ b/Shorewall-Website/Shorewall_index_frame.htm @@ -45,9 +45,6 @@ Repository -

Valid XHTML 1.0!

Copyright © 2001-2004 Thomas M. Eastep.

diff --git a/Shorewall-Website/download.htm b/Shorewall-Website/download.htm index 1d5e3d27e..e35c0682e 100644 --- a/Shorewall-Website/download.htm +++ b/Shorewall-Website/download.htm @@ -11,7 +11,7 @@

Shorewall Download

Tom Eastep

-
Copyright ©  2001-2003 Thomas M. EastepCopyright ©  2001-2004 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this @@ -22,7 +22,7 @@ Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

-

2003-12-30
+

2004-01-13


I strongly urge you to read and print a copy of the     rsync://slovakia.shorewall.net/shorewall/pdf/

-

The documentation in HTML format is included in the .rpm and in the -.tgz -packages below.

+

The documentation in both XML and HTML formats is also available for +download from the Download Sites listed in the table below.
+

Once you've printed the appropriate QuickStart Guide, download one of the modules:

-

The documentation in HTML format is included in the .tgz and .rpm -files and there is an documentation .deb that also contains the -documentation.  The .rpm will install the documentation in -your default document directory which can be obtained using the -following command:
-

-
-

rpm --eval '%{_defaultdocdir}'

-
+

You will probably also want to download the HTML version of the +documentation for easy reference.

Please check the errata to see if there are updates that apply to the version that you have downloaded.

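Review bot: With the sentence "The documentation in HTML format is included in the .rpm and in the .tgz packages below" removed, the new sentence "The documentation in both XML and HTML formats is also available for download from the Download Sites listed in the table below" leaves "also" with nothing to refer to; either drop "also" or first state where the documentation now ships (the News.htm hunk says separate HTML and XML packages). Removing the rpm --eval '%{_defaultdocdir}' paragraph is consistent with the documentation no longer being inside the .rpm, but the surviving "You will probably also want to download the HTML version of the documentation" should then name or link the documentation package the reader is meant to fetch.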
diff --git a/Shorewall-Website/seattlefirewall_index.htm b/Shorewall-Website/seattlefirewall_index.htm index 7bbe3f1c6..76235ffd8 100755 --- a/Shorewall-Website/seattlefirewall_index.htm +++ b/Shorewall-Website/seattlefirewall_index.htm @@ -78,7 +78,7 @@ any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". -

Copyright © 2001-2003 Thomas M. Eastep

+

Copyright © 2001-2004 Thomas M. Eastep

Running Shorewall on Mandrake with a two-interface setup?

If so, the documentation on this site will not apply directly to your setup. If you want to use the documentation that you find here, @@ -87,14 +87,10 @@ setup that matches the documentation on this site. See the Two-interface QuickStart Guide for details.

News

-

12/29/2003 - Shorewall 1.4.9 Beta 2 (New)1/13/2004 - Shorewall 1.4.9 (New)

-

Problems Corrected since version 1.4.8:

  1. There has been a low continuing level of confusion over the @@ -167,7 +163,8 @@ In /etc/shorewall/actions, you would add:
         LogAndAccept

    You would then copy /etc/shorewall/action.template to -/etc/shorewall/LogAndAccept and in that file, you would add the two +/etc/shorewall/action.LogAndAccept and in that file, you would add the +two rules:
            LOG:info
            ACCEPT
    @@ -184,7 +181,11 @@ dropping all of the retries.
    b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in lots of confusing messages when a connection got "stuck". While I could have changed the default value of LOGNEWNOTSYN to suppress logging, I -dislike defaults that silently throw away packets.
    +dislike defaults that silently throw away packets.
  2. +
  3. The common.def file now contains an entry that silently +drops ICMP packets with a null source address. Ad Koster reported a +case where these were occuring frequently as a result of a broken +system on his external network.

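Review bot: The added item introduces a common.def entry that "silently drops ICMP packets with a null source address" directly after the NEWNOTSYN item ends with "I dislike defaults that silently throw away packets." Readers will notice the tension; either log these drops at a low level, as the new 'rfc1918' chains do for their traffic, or add one sentence explaining why a null source address is considered unambiguous garbage that merits a silent drop. Also "occuring" should read "occurring".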
@@ -233,7 +234,7 @@ Children's Foundation. Thanks!
-

Updated 12/29/2003 - Tom Eastep
+

Updated 01/13/2004 - Tom Eastep

diff --git a/Shorewall-Website/shorewall_index.htm b/Shorewall-Website/shorewall_index.htm index bede1c576..7184b4771 100644 --- a/Shorewall-Website/shorewall_index.htm +++ b/Shorewall-Website/shorewall_index.htm @@ -9,7 +9,7 @@ - + diff --git a/Shorewall-Website/sourceforge_index.htm b/Shorewall-Website/sourceforge_index.htm index 54453f5f9..02b109a8a 100644 --- a/Shorewall-Website/sourceforge_index.htm +++ b/Shorewall-Website/sourceforge_index.htm @@ -64,7 +64,7 @@ document under the terms of the GNU Free Documentation License, Version with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

-

Copyright © 2001-2003 Thomas M. Eastep

+

Copyright © 2001-2004 Thomas M. Eastep

This is the Shorewall 1.4 Web Site

The information on this site applies only to 1.4.x releases of Shorewall. For older versions:
@@ -92,14 +92,10 @@ and installing a setup that matches the documentation on this site. See the Two-interface QuickStart Guide for details.

News

-

12/29/2003 - Shorewall 1.4.9 Beta 2 1/13/2004 - Shorewall 1.4.9 (New)

-
http://shorewall.net/pub/shorewall/Beta
- ftp://shorewall.net/pub/shorewall/Beta
-

Problems Corrected since version 1.4.8:

    @@ -180,7 +176,8 @@ In /etc/shorewall/actions, you would add:
         LogAndAccept

    You would then copy /etc/shorewall/action.template to -/etc/shorewall/LogAndAccept and in that file, you would add the two +/etc/shorewall/action.LogAndAccept and in that file, you would add the +two rules:
            LOG:info
            ACCEPT @@ -198,6 +195,11 @@ b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in lots of confusing messages when a connection got "stuck". While I could have changed the default value of LOGNEWNOTSYN to suppress logging, I dislike defaults that silently throw away packets. +
  1. The common.def file now contains an entry that silently +drops ICMP +packets with a null source address. Ad Koster reported a case where +these were occuring frequently as a result of a broken system on his +external network.

12/28/2003 - www.shorewall.net/ftp.shorewall.net Back On-line (New) Thanks!

-

Updated 12/29/2003 - Tom +

Updated 01/13/2004 - Tom Eastep
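Review bot: The headline was changed to "1/13/2004 - Shorewall 1.4.9 (New)" in the earlier hunk of this file, but the context line "12/28/2003 - www.shorewall.net/ftp.shorewall.net Back On-line (New)" keeps its "(New)" marker, so two entries are now flagged as new; drop the marker from the 12/28 item when promoting the 1.4.9 release. The added ICMP item also repeats the "occuring" typo (should be "occurring") that appears in the News.htm and seattlefirewall_index.htm copies of the same text.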