From e7d77af793d38a3ca147d1ef71915e6cfbf0547d Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 30 May 2006 16:32:57 +0000 Subject: [PATCH] Update web site for Beta 8 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3961 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- web/News.htm | 210 ++++------------------------------------ web/shorewall_index.htm | 13 +-- 2 files changed, 28 insertions(+), 195 deletions(-) diff --git a/web/News.htm b/web/News.htm index 99863f1e1..ca3b758cd 100644 --- a/web/News.htm +++ b/web/News.htm @@ -1,12 +1,10 @@ - - - + Shorewall News -

Shorewall News and Announcements
@@ -22,203 +20,37 @@ Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

+

May 27, 2006
+

- - - +2006-05-27 Shorewall 2.4.9
+ +
Problems corrected in 2.4.9

1)  Updated the bogons file to reflect recent IANA allocations.

2)  If you use SAME or SAME:nodst in the ADDRESS column of /etc/shorewall/masq and
    if you set ADD_SNAT_ALIASES=Yes in shorewall.conf, then "shorewall start" will
    fail with the error 'Error: an inet prefix is expected rather than "SAME".'.

3)  It is now possible to exclude a single source MAC address using
    !<MAC address>. Previously, a startup error occurred.
2006-05-06 Shorewall 3.0.7
 - -
Problems corrected in 3.0.7
-
-1)  Previously, if your kernel did not supply the mangle table FORWARD chain
-    then "shorewall [re]start" would fail. Now, if your mangle table does
-    not supply this chain Shorewall will avoid using either that chain or
-    the mangle table POSTROUTING chain. This change is strictly to stop Shorewall
-    from blowing up during [re]start on very old kernels (such as 2.4.17
-    running on a PS2); if your kernel does not support these chains and you
-    try to mark packets in either of them using entries in
-    /etc/shorewall/tcrules, [re]start will fail.
-
-2)  Previously, if there were more than 10 IP addresses on a multi-ISP interface,
-    some of the routing rules generated by Shorewall were placed after the
-    default rule which resulted in them not being recognized.
-
-3)  When install.sh is used to install on a Debian or Ubuntu system, the
-    SUBSYSLOCK option in shorewall.conf was not being cleared.
-    It will now be cleared, provided that Perl is installed on the system.
-
-4)  When exclusion lists appeared in the /etc/shorewall/tcrules file, the
-    resulting 'exclusion chains' (whose names begin with 'excl_') were not
-    deleted as part of 'shorewall [re]start'. This meant that 'refresh'
-    would fail, either the first or second time that it was done since
-    the last 'shorewall [re]start'.
-
-Other changes in 3.0.7
-
-None.
-
-
- +
Problems corrected in 3.0.7

1)  Previously, if your kernel did not supply the mangle table FORWARD chain
    then "shorewall [re]start" would fail. Now, if your mangle table does
    not supply this chain Shorewall will avoid using either that chain or
    the mangle table POSTROUTING chain. This change is strictly to stop Shorewall
    from blowing up during [re]start on very old kernels (such as 2.4.17
    running on a PS2); if your kernel does not support these chains and you
    try to mark packets in either of them using entries in
    /etc/shorewall/tcrules, [re]start will fail.

2)  Previously, if there were more than 10 IP addresses on a multi-ISP interface,
    some of the routing rules generated by Shorewall were placed after the
    default rule which resulted in them not being recognized.

3)  When install.sh is used to install on a Debian or Ubuntu system, the
    SUBSYSLOCK option in shorewall.conf was not being cleared.
    It will now be cleared, provided that Perl is installed on the system.

4)  When exclusion lists appeared in the /etc/shorewall/tcrules file, the
    resulting 'exclusion chains' (whose names begin with 'excl_') were not
    deleted as part of 'shorewall [re]start'. This meant that 'refresh'
    would fail, either the first or second time that it was done since
    the last 'shorewall [re]start'.

Other changes in 3.0.7

None.

- - - -2006-03-28 Shorewall moved to Subversion
- -
 Effectively today, Shorewall source code repository was migrated to Subversion SCM.
-
-Please read https://sourceforge.net/svn/?group_id=22587 
-and  http://www.shorewall.net/download.htm#SVN 
+2006-03-28
+Shorewall moved to Subversion 

+
+
 Effectively today, Shorewall source code repository was migrated to Subversion SCM.

Please read https://sourceforge.net/svn/?group_id=22587 
+and  http://www.shorewall.net/download.htm#SVN 
 for more information.
 
-
 
-
-
-
-
-
-
+
+ 2006-03-28 Shorewall 3.0.6
 - -
Problems corrected in 3.0.6
-
-1)  A typo in the output of "help drop" has been corrected.
-
-2)  Previously, 'shorewall start' would fail in the presence of a network
-    interface named 'inet'.
-
-3)  A shell syntax error was reported when duplicate policies appeared in
-    /etc/shorewall/policy.
-
-4)  The iptable_nat and iptable_mangle modules were previously omitted
-    from /etc/shorewall/modules.
-
-5)  If you use SAME or SAME:nodst in the ADDRESS column of /etc/shorewall/masq 
-    and if you set ADD_SNAT_ALIASES=Yes in shorewall.conf, then "shorewall 
-    start" will fail with the error 'Error: an inet prefix is expected rather 
-    than "SAME".'.
-
-6)  Previously, the 'routeback' option was ignored in an entry in the
-    /etc/shorewall/hosts file that referred to a (set of) bridge port(s).
-
-    Example:
-
-            dmz        xenbr0:vif+           routeback
-
-Other changes in 3.0.6
-
-1)  A 'refreshed' extension script has been added -- it is executed after
-    "shorewall refresh" has finished.
-
- +
Problems corrected in 3.0.6

1)  A typo in the output of "help drop" has been corrected.

2)  Previously, 'shorewall start' would fail in the presence of a network
    interface named 'inet'.

3)  A shell syntax error was reported when duplicate policies appeared in
    /etc/shorewall/policy.

4)  The iptable_nat and iptable_mangle modules were previously omitted
    from /etc/shorewall/modules.

5)  If you use SAME or SAME:nodst in the ADDRESS column of /etc/shorewall/masq 
    and if you set ADD_SNAT_ALIASES=Yes in shorewall.conf, then "shorewall 
    start" will fail with the error 'Error: an inet prefix is expected rather 
    than "SAME".'.

6)  Previously, the 'routeback' option was ignored in an entry in the
    /etc/shorewall/hosts file that referred to a (set of) bridge port(s).

    Example:

            dmz        xenbr0:vif+           routeback

Other changes in 3.0.6

1)  A 'refreshed' extension script has been added -- it is executed after
    "shorewall refresh" has finished.
- - - -2006-02-10 Shorewall 3.0.5
+2006-02-10 +Shorewall 3.0.5
 - -
Problems corrected in Shorewall 3.0.5
-
-1)  Previously, if /etc/shorewall/ipsets existed, it was run when Shorewall starts
-    but not when Shorewall was restored.
-
-2)  When using the NETKEY IPSEC implementation in kernel 2.6 but without the
-    policy match patch and the Netfilter/IPSEC patches, previously an
-    entry in /etc/shorewall/tunnels was not sufficient in cases where:
-
-    a) gw<->gw traffic was encrypted
-    b) The gw<->gw policy through the tunnel was not ACCEPT
-
-    Thanks to Tuomo Soini, this has been corrected. By simply including the
-    remote VPN zone in the GATEWAY ZONE column for the tunnel's entry, no
-    additional rules are required.
-
-3)  Extra blank output lines are no longer produced by install.sh (patch
-    courtesy of Tuomo Soini).
-
-4)  TCP packets sent to QUEUE by rules in the ESTABLISHED section of the
-    rules file previously didn't work (they had the "--syn" parameter
-    added to them which resulted in a rule that no traffic would match).
-
-    WARNING: If you use the QUEUE target from an action, Shorewall will
-    still insert --syn if the protocol is tcp. So you don't want to
-    invoke such an action from the ESTABLISHED section of the rules
-    file.
-
-5)  The description of the SOURCE column in /etc/shorewall/rules has been
-    improved (patch courtesy of Ed Suominen).
-
-6)  The 'allow', 'drop' and 'reject' commands no longer produce iptables
-    errors when executed while Shorewall is not started.
-
-7)  The spelling of "maximize-throughput" has been corrected in the code
-    that implements tcclasses parsing. Patch courtesy of Paul Traina.
-
-8)  Shorewall now generates the correct match for devices in
-    /etc/shorewall/tcdevices that are actually bridge ports.
-
-New Features in Shorewall 3.0.5
-
-1)  The facilities available for dealing with the TOS field in
-    /etc/shorewall/tcclasses has been expended. The OPTIONS field is now may
-    contain a comma-separates list of the following:
-
-	tos=0x<value>[/0x<mask>]	(mask defaults to 0xff)
-					- this lets you define a classifier
-					for the given <value>/<mask> combination
-					of the IP packet's TOS/Precedence/DiffSrv
-					octet (aka the TOS byte).  Please note,
-					classifiers override all mark settings,
-					so if you define a classifer for a class,
-					all traffic having that mark will go in it
-					regardless of any mark set on the packet
-					by a firewall/mangle filter.
-
-					NOTE: multiple tos= statements may be
-					applied per class and per interface, but
-					a given value/mask pair is valid for only
-					ONE class per interface.
-
-	tos-<tosname>			- aliases for the following TOS octet
-					value and mask encodings.  TOS encodings
-					of the "TOS byte" have been deprecated in
-					favor of diffserve classes, but programs
-					like ssh, rlogin, and ftp still use them.
-
-   					tos-minimize-delay 	 0x10/0x10
-					tos-maximize-throughput	 0x08/0x08
-					tos-maximize-reliability 0x04/0x04
-					tos-minimize-cost	 0x02/0x02
-					tos-normal-service	 0x00/0x1e
-
-	tcp-ack                 	-    defined causes an tc filter to
-					be created that puts all tcp ack
-					packets on that interface that have
-					an size of <=64 Bytes to go in this
-					class. This is useful for speeding up
-					downloads. Please note that the size
-					of the ack packets is limited to 64
-					bytes as some applications (p2p for
-					example) use to make every packet an
-					ack packet which would cause them
-					all into here. We want only packets
-					WITHOUT payload to match, so the size
-					limit.
-
-					NOTE: This option is only valid for
-					ONE class per interface.
-
-    Note that the semantics of 'tos-<tosname>' have changed slightly. Previously,
-    these were tested using a mask of 0xff (example: tos-minimize-delay was
-    equivalent to 0x10/0xff). Now each bit is tested individually.
-
-    This enhancement is courtesy of Paul Traina.
-
+
Problems corrected in Shorewall 3.0.5

1)  Previously, if /etc/shorewall/ipsets existed, it was run when Shorewall starts
    but not when Shorewall was restored.

2)  When using the NETKEY IPSEC implementation in kernel 2.6 but without the
    policy match patch and the Netfilter/IPSEC patches, previously an
    entry in /etc/shorewall/tunnels was not sufficient in cases where:

    a) gw<->gw traffic was encrypted
    b) The gw<->gw policy through the tunnel was not ACCEPT

    Thanks to Tuomo Soini, this has been corrected. By simply including the
    remote VPN zone in the GATEWAY ZONE column for the tunnel's entry, no
    additional rules are required.

3)  Extra blank output lines are no longer produced by install.sh (patch
    courtesy of Tuomo Soini).

4)  TCP packets sent to QUEUE by rules in the ESTABLISHED section of the
    rules file previously didn't work (they had the "--syn" parameter
    added to them which resulted in a rule that no traffic would match).

    WARNING: If you use the QUEUE target from an action, Shorewall will
    still insert --syn if the protocol is tcp. So you don't want to
    invoke such an action from the ESTABLISHED section of the rules
    file.

5)  The description of the SOURCE column in /etc/shorewall/rules has been
    improved (patch courtesy of Ed Suominen).

6)  The 'allow', 'drop' and 'reject' commands no longer produce iptables
    errors when executed while Shorewall is not started.

7)  The spelling of "maximize-throughput" has been corrected in the code
    that implements tcclasses parsing. Patch courtesy of Paul Traina.

8)  Shorewall now generates the correct match for devices in
    /etc/shorewall/tcdevices that are actually bridge ports.

New Features in Shorewall 3.0.5

1)  The facilities available for dealing with the TOS field in
    /etc/shorewall/tcclasses has been expended. The OPTIONS field is now may
    contain a comma-separates list of the following:

	tos=0x<value>[/0x<mask>]	(mask defaults to 0xff)
					- this lets you define a classifier
					for the given <value>/<mask> combination
					of the IP packet's TOS/Precedence/DiffSrv
					octet (aka the TOS byte).  Please note,
					classifiers override all mark settings,
					so if you define a classifer for a class,
					all traffic having that mark will go in it
					regardless of any mark set on the packet
					by a firewall/mangle filter.

					NOTE: multiple tos= statements may be
					applied per class and per interface, but
					a given value/mask pair is valid for only
					ONE class per interface.

	tos-<tosname>			- aliases for the following TOS octet
					value and mask encodings.  TOS encodings
					of the "TOS byte" have been deprecated in
					favor of diffserve classes, but programs
					like ssh, rlogin, and ftp still use them.

   					tos-minimize-delay 	 0x10/0x10
					tos-maximize-throughput	 0x08/0x08
					tos-maximize-reliability 0x04/0x04
					tos-minimize-cost	 0x02/0x02
					tos-normal-service	 0x00/0x1e

	tcp-ack                 	-    defined causes an tc filter to
					be created that puts all tcp ack
					packets on that interface that have
					an size of <=64 Bytes to go in this
					class. This is useful for speeding up
					downloads. Please note that the size
					of the ack packets is limited to 64
					bytes as some applications (p2p for
					example) use to make every packet an
					ack packet which would cause them
					all into here. We want only packets
					WITHOUT payload to match, so the size
					limit.

					NOTE: This option is only valid for
					ONE class per interface.

    Note that the semantics of 'tos-<tosname>' have changed slightly. Previously,
    these were tested using a mask of 0xff (example: tos-minimize-delay was
    equivalent to 0x10/0xff). Now each bit is tested individually.

    This enhancement is courtesy of Paul Traina.
2006-01-05 Shorewall 3.0.4
 
Problems Corrected in 3.0.4

1)  The shorewall.conf file is once again "console friendly". Patch is
    courtesy of Tuomo Soini.

2)  A potential security hole has been closed. Previously, Shorewall ACCEPTed
    all traffic from a bridge port that was sent back out on the same port. If
    the port was described in /etc/shorewall/hosts using the wildcard "+" (eg,
    xenbr0:vif+), this could lead to traffic being passed in variance with the
    supplied policies and rules.

3)  Previously, an intra-zone policy of NONE would cause a startup error. That
    problem has been corrected.

4)  When RETAIN_ALIASES=Yes, the script produced by "shorewall save" did not
    add the retained aliases. This means that the following sequence of
    events resulted in missing aliases:

            shorewall start
            shorewall restart
            shorewall save
            reboot
            shorewall -f start (which is the default during boot up)

5)  When a 2.x standard action is invoked with a log level (example
    "AllowPing:info"), logging does not occur.

New Features in 3.0.4

1)  By popular demand, the 'Limit' action described at
    http://www1.shorewall.net/PortKnocking.html#Limit has been made a standard
    action. Limit requires 'recent match' support in your kernel and iptables.

2)  DISABLE_IPV6 no longer disabled local (loopback) IPV6 traffic. This
    change is reported to improve Java startup time on some distributions.

3)  Shorewall now contains support for wildcard ports. In
    /etc/shorewall/hosts, you may specify the port name with trailing "+" then 
    use specific port names in rules.

    Example:

    /etc/shorewall/hosts

        vpn      br0:tap+

    /etc/shorewall/rules

        DROP      vpn:tap0              vpn:tap1          udp    9999

4)  For the benefit of those who run Shorewall on distributions that don't 
    autoload kernel modules, /etc/shorewall/modules now contains load commands 
    for a wide range of Netfilter modules.
diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm index f60bd6c51..c00b21f58 100644 --- a/web/shorewall_index.htm +++ b/web/shorewall_index.htm @@ -6,7 +6,8 @@ - +

Shoreline Firewall (Shorewall)

@@ -17,13 +18,13 @@ notes and here are the known problems and updates.

-

The current Development Version is 3.2.0 Beta 7 – Get it from +

The current Development Version is 3.2.0 Beta 8 – Get it from the download sites. Here are the release + href="http://www1.shorewall.net/pub/shorewall/development/3.2/shorewall-3.2.0-Beta8/releasenotes.txt">release notes and here are the known + href="http://www1.shorewall.net/pub/shorewall/development/3.2/shorewall-3.2.0-Beta8/known_problems.txt">known problems and updates
+ href="http://www1.shorewall.net/pub/shorewall/development/3.2/shorewall-3.2.0-Beta8/errata/">updates

Copyright © 2001-2006 Thomas M. Eastep

@@ -34,7 +35,7 @@ Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

-

2006-05-14

+

2006-05-30

Table of Contents

Introduction