forked from extern/shorewall_code
Update web site for Beta 8
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3961 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
1245d66d1f
commit
e7d77af793
208
web/News.htm
@ -1,12 +1,10 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
|
||||
<meta name="revised" content="$Id$" />
|
||||
|
||||
<meta name="revised"
|
||||
content="$Id$">
|
||||
<title>Shorewall News</title>
|
||||
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: left;">Shorewall News and Announcements<br>
|
||||
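Review bot: the `$Id$` placeholder in the new two-line `<meta name="revised" content="$Id$">` element only expands to a revision string if the `svn:keywords` property (including `Id`) is set on web/News.htm; otherwise the published page carries a literal `$Id$`, which is worth checking after the move to Subversion announced further down the page. Dropping the XHTML-style `/>` is correct for an HTML 4.01 Transitional document, and splitting the element over two lines is purely cosmetic.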
@ -22,203 +20,37 @@ Texts. A copy of the license is included in the section entitled “<span
|
||||
class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free
|
||||
Documentation License</a></span>”.<br>
|
||||
</p>
|
||||
<p>May 27, 2006<br>
|
||||
</p>
|
||||
<hr style="width: 100%; height: 2px;">
|
||||
<p></p>
|
||||
|
||||
|
||||
<!-- Shorewall Release 3.0.5 -->
|
||||
|
||||
<span style="font-weight: bold;">2006-05-27 Shorewall 2.4.9<br>
|
||||
</span><span style="font-weight: bold;"></span>
|
||||
<pre>Problems corrected in 2.4.9<br><br>1) Updated the bogons file to reflect recent IANA allocations.<br><br>2) If you use SAME or SAME:nodst in the ADDRESS column of /etc/shorewall/masq and<br> if you set ADD_SNAT_ALIASES=Yes in shorewall.conf, then "shorewall start" will<br> fail with the error 'Error: an inet prefix is expected rather than "SAME".'.<br><br>3) It is now possible to exclude a single source MAC address using<br> !<MAC address>. Previously, a startup error occurred.<br></pre>
|
||||
<span style="font-weight: bold;">2006-05-06 Shorewall 3.0.7<br>
|
||||
</span>
|
||||
|
||||
<pre>Problems corrected in 3.0.7
|
||||
|
||||
1) Previously, if your kernel did not supply the mangle table FORWARD chain
|
||||
then "shorewall [re]start" would fail. Now, if your mangle table does
|
||||
not supply this chain Shorewall will avoid using either that chain or
|
||||
the mangle table POSTROUTING chain. This change is strictly to stop Shorewall
|
||||
from blowing up during [re]start on very old kernels (such as 2.4.17
|
||||
running on a PS2); if your kernel does not support these chains and you
|
||||
try to mark packets in either of them using entries in
|
||||
/etc/shorewall/tcrules, [re]start will fail.
|
||||
|
||||
2) Previously, if there were more than 10 IP addresses on a multi-ISP interface,
|
||||
some of the routing rules generated by Shorewall were placed after the
|
||||
default rule which resulted in them not being recognized.
|
||||
|
||||
3) When install.sh is used to install on a Debian or Ubuntu system, the
|
||||
SUBSYSLOCK option in shorewall.conf was not being cleared.
|
||||
It will now be cleared, provided that Perl is installed on the system.
|
||||
|
||||
4) When exclusion lists appeared in the /etc/shorewall/tcrules file, the
|
||||
resulting 'exclusion chains' (whose names begin with 'excl_') were not
|
||||
deleted as part of 'shorewall [re]start'. This meant that 'refresh'
|
||||
would fail, either the first or second time that it was done since
|
||||
the last 'shorewall [re]start'.
|
||||
|
||||
Other changes in 3.0.7
|
||||
|
||||
None.
|
||||
|
||||
</pre>
|
||||
|
||||
<pre>Problems corrected in 3.0.7<br><br>1) Previously, if your kernel did not supply the mangle table FORWARD chain<br> then "shorewall [re]start" would fail. Now, if your mangle table does<br> not supply this chain Shorewall will avoid using either that chain or<br> the mangle table POSTROUTING chain. This change is strictly to stop Shorewall<br> from blowing up during [re]start on very old kernels (such as 2.4.17<br> running on a PS2); if your kernel does not support these chains and you<br> try to mark packets in either of them using entries in<br> /etc/shorewall/tcrules, [re]start will fail.<br><br>2) Previously, if there were more than 10 IP addresses on a multi-ISP interface,<br> some of the routing rules generated by Shorewall were placed after the<br> default rule which resulted in them not being recognized.<br><br>3) When install.sh is used to install on a Debian or Ubuntu system, the<br> SUBSYSLOCK option in shorewall.conf was not being cleared.<br> It will now be cleared, provided that Perl is installed on the system.<br><br>4) When exclusion lists appeared in the /etc/shorewall/tcrules file, the<br> resulting 'exclusion chains' (whose names begin with 'excl_') were not<br> deleted as part of 'shorewall [re]start'. This meant that 'refresh'<br> would fail, either the first or second time that it was done since<br> the last 'shorewall [re]start'.<br><br>Other changes in 3.0.7<br><br>None.<br><br></pre>
|
||||
<!-- Shorewall Release 3.0.5 ENDS-->
|
||||
|
||||
<!-- Shorewall moving to Subversion -->
|
||||
|
||||
<span style="font-weight: bold;">2006-03-28 Shorewall moved to Subversion <br/> </span>
|
||||
|
||||
<pre> Effectively today, Shorewall source code repository was migrated to Subversion SCM.
|
||||
|
||||
Please read <a href="https://sourceforge.net/svn/?group_id=22587">https://sourceforge.net/svn/?group_id=22587 </a>
|
||||
and <a href="http://www.shorewall.net/download.htm#SVN"> http://www.shorewall.net/download.htm#SVN </a>
|
||||
<!-- Shorewall moving to Subversion --><span style="font-weight: bold;">2006-03-28
|
||||
Shorewall moved to Subversion <br>
|
||||
</span>
|
||||
<pre> Effectively today, Shorewall source code repository was migrated to Subversion SCM.<br><br>Please read <a
|
||||
href="https://sourceforge.net/svn/?group_id=22587">https://sourceforge.net/svn/?group_id=22587 </a>
|
||||
and <a
|
||||
href="http://www.shorewall.net/download.htm#SVN"> http://www.shorewall.net/download.htm#SVN </a>
|
||||
for more information.
|
||||
|
||||
</pre>
|
||||
|
||||
<!-- Moving to Subversion ENDS -->
|
||||
|
||||
|
||||
<!-- Shorewall Release 3.0.5 -->
|
||||
|
||||
<!-- Moving to Subversion ENDS --><!-- Shorewall Release 3.0.5 -->
|
||||
<span style="font-weight: bold;">2006-03-28 Shorewall 3.0.6<br>
|
||||
</span>
|
||||
|
||||
<pre>Problems corrected in 3.0.6
|
||||
|
||||
1) A typo in the output of "help drop" has been corrected.
|
||||
|
||||
2) Previously, 'shorewall start' would fail in the presence of a network
|
||||
interface named 'inet'.
|
||||
|
||||
3) A shell syntax error was reported when duplicate policies appeared in
|
||||
/etc/shorewall/policy.
|
||||
|
||||
4) The iptable_nat and iptable_mangle modules were previously omitted
|
||||
from /etc/shorewall/modules.
|
||||
|
||||
5) If you use SAME or SAME:nodst in the ADDRESS column of /etc/shorewall/masq
|
||||
and if you set ADD_SNAT_ALIASES=Yes in shorewall.conf, then "shorewall
|
||||
start" will fail with the error 'Error: an inet prefix is expected rather
|
||||
than "SAME".'.
|
||||
|
||||
6) Previously, the 'routeback' option was ignored in an entry in the
|
||||
/etc/shorewall/hosts file that referred to a (set of) bridge port(s).
|
||||
|
||||
Example:
|
||||
|
||||
dmz xenbr0:vif+ routeback
|
||||
|
||||
Other changes in 3.0.6
|
||||
|
||||
1) A 'refreshed' extension script has been added -- it is executed after
|
||||
"shorewall refresh" has finished.
|
||||
</pre>
|
||||
|
||||
<pre>Problems corrected in 3.0.6<br><br>1) A typo in the output of "help drop" has been corrected.<br><br>2) Previously, 'shorewall start' would fail in the presence of a network<br> interface named 'inet'.<br><br>3) A shell syntax error was reported when duplicate policies appeared in<br> /etc/shorewall/policy.<br><br>4) The iptable_nat and iptable_mangle modules were previously omitted<br> from /etc/shorewall/modules.<br><br>5) If you use SAME or SAME:nodst in the ADDRESS column of /etc/shorewall/masq <br> and if you set ADD_SNAT_ALIASES=Yes in shorewall.conf, then "shorewall <br> start" will fail with the error 'Error: an inet prefix is expected rather <br> than "SAME".'.<br><br>6) Previously, the 'routeback' option was ignored in an entry in the<br> /etc/shorewall/hosts file that referred to a (set of) bridge port(s).<br><br> Example:<br><br> dmz xenbr0:vif+ routeback<br><br>Other changes in 3.0.6<br><br>1) A 'refreshed' extension script has been added -- it is executed after<br> "shorewall refresh" has finished.<br></pre>
|
||||
<!-- Shorewall Release 3.0.5 ENDS-->
|
||||
|
||||
<!-- Shorewall Release 3.0.5 -->
|
||||
|
||||
<span style="font-weight: bold;">2006-02-10 Shorewall 3.0.5<br>
|
||||
<!-- Shorewall Release 3.0.5 --><span style="font-weight: bold;">2006-02-10
|
||||
Shorewall 3.0.5<br>
|
||||
</span>
|
||||
|
||||
<pre>Problems corrected in Shorewall 3.0.5
|
||||
|
||||
1) Previously, if /etc/shorewall/ipsets existed, it was run when Shorewall starts
|
||||
but not when Shorewall was restored.
|
||||
|
||||
2) When using the NETKEY IPSEC implementation in kernel 2.6 but without the
|
||||
policy match patch and the Netfilter/IPSEC patches, previously an
|
||||
entry in /etc/shorewall/tunnels was not sufficient in cases where:
|
||||
|
||||
a) gw<->gw traffic was encrypted
|
||||
b) The gw<->gw policy through the tunnel was not ACCEPT
|
||||
|
||||
Thanks to Tuomo Soini, this has been corrected. By simply including the
|
||||
remote VPN zone in the GATEWAY ZONE column for the tunnel's entry, no
|
||||
additional rules are required.
|
||||
|
||||
3) Extra blank output lines are no longer produced by install.sh (patch
|
||||
courtesy of Tuomo Soini).
|
||||
|
||||
4) TCP packets sent to QUEUE by rules in the ESTABLISHED section of the
|
||||
rules file previously didn't work (they had the "--syn" parameter
|
||||
added to them which resulted in a rule that no traffic would match).
|
||||
|
||||
WARNING: If you use the QUEUE target from an action, Shorewall will
|
||||
still insert --syn if the protocol is tcp. So you don't want to
|
||||
invoke such an action from the ESTABLISHED section of the rules
|
||||
file.
|
||||
|
||||
5) The description of the SOURCE column in /etc/shorewall/rules has been
|
||||
improved (patch courtesy of Ed Suominen).
|
||||
|
||||
6) The 'allow', 'drop' and 'reject' commands no longer produce iptables
|
||||
errors when executed while Shorewall is not started.
|
||||
|
||||
7) The spelling of "maximize-throughput" has been corrected in the code
|
||||
that implements tcclasses parsing. Patch courtesy of Paul Traina.
|
||||
|
||||
8) Shorewall now generates the correct match for devices in
|
||||
/etc/shorewall/tcdevices that are actually bridge ports.
|
||||
|
||||
New Features in Shorewall 3.0.5
|
||||
|
||||
1) The facilities available for dealing with the TOS field in
|
||||
/etc/shorewall/tcclasses has been expended. The OPTIONS field is now may
|
||||
contain a comma-separates list of the following:
|
||||
|
||||
tos=0x<value>[/0x<mask>] (mask defaults to 0xff)
|
||||
- this lets you define a classifier
|
||||
for the given <value>/<mask> combination
|
||||
of the IP packet's TOS/Precedence/DiffSrv
|
||||
octet (aka the TOS byte). Please note,
|
||||
classifiers override all mark settings,
|
||||
so if you define a classifer for a class,
|
||||
all traffic having that mark will go in it
|
||||
regardless of any mark set on the packet
|
||||
by a firewall/mangle filter.
|
||||
|
||||
NOTE: multiple tos= statements may be
|
||||
applied per class and per interface, but
|
||||
a given value/mask pair is valid for only
|
||||
ONE class per interface.
|
||||
|
||||
tos-<tosname> - aliases for the following TOS octet
|
||||
value and mask encodings. TOS encodings
|
||||
of the "TOS byte" have been deprecated in
|
||||
favor of diffserve classes, but programs
|
||||
like ssh, rlogin, and ftp still use them.
|
||||
|
||||
tos-minimize-delay 0x10/0x10
|
||||
tos-maximize-throughput 0x08/0x08
|
||||
tos-maximize-reliability 0x04/0x04
|
||||
tos-minimize-cost 0x02/0x02
|
||||
tos-normal-service 0x00/0x1e
|
||||
|
||||
tcp-ack - defined causes an tc filter to
|
||||
be created that puts all tcp ack
|
||||
packets on that interface that have
|
||||
an size of <=64 Bytes to go in this
|
||||
class. This is useful for speeding up
|
||||
downloads. Please note that the size
|
||||
of the ack packets is limited to 64
|
||||
bytes as some applications (p2p for
|
||||
example) use to make every packet an
|
||||
ack packet which would cause them
|
||||
all into here. We want only packets
|
||||
WITHOUT payload to match, so the size
|
||||
limit.
|
||||
|
||||
NOTE: This option is only valid for
|
||||
ONE class per interface.
|
||||
|
||||
Note that the semantics of 'tos-<tosname>' have changed slightly. Previously,
|
||||
these were tested using a mask of 0xff (example: tos-minimize-delay was
|
||||
equivalent to 0x10/0xff). Now each bit is tested individually.
|
||||
|
||||
This enhancement is courtesy of Paul Traina.
|
||||
</pre>
|
||||
<pre>Problems corrected in Shorewall 3.0.5<br><br>1) Previously, if /etc/shorewall/ipsets existed, it was run when Shorewall starts<br> but not when Shorewall was restored.<br><br>2) When using the NETKEY IPSEC implementation in kernel 2.6 but without the<br> policy match patch and the Netfilter/IPSEC patches, previously an<br> entry in /etc/shorewall/tunnels was not sufficient in cases where:<br><br> a) gw<->gw traffic was encrypted<br> b) The gw<->gw policy through the tunnel was not ACCEPT<br><br> Thanks to Tuomo Soini, this has been corrected. By simply including the<br> remote VPN zone in the GATEWAY ZONE column for the tunnel's entry, no<br> additional rules are required.<br><br>3) Extra blank output lines are no longer produced by install.sh (patch<br> courtesy of Tuomo Soini).<br><br>4) TCP packets sent to QUEUE by rules in the ESTABLISHED section of the<br> rules file previously didn't work (they had the "--syn" parameter<br> added to them which resulted in a rule that no traffic would match).<br><br> WARNING: If you use the QUEUE target from an action, Shorewall will<br> still insert --syn if the protocol is tcp. So you don't want to<br> invoke such an action from the ESTABLISHED section of the rules<br> file.<br><br>5) The description of the SOURCE column in /etc/shorewall/rules has been<br> improved (patch courtesy of Ed Suominen).<br><br>6) The 'allow', 'drop' and 'reject' commands no longer produce iptables<br> errors when executed while Shorewall is not started.<br><br>7) The spelling of "maximize-throughput" has been corrected in the code<br> that implements tcclasses parsing. Patch courtesy of Paul Traina.<br><br>8) Shorewall now generates the correct match for devices in<br> /etc/shorewall/tcdevices that are actually bridge ports.<br><br>New Features in Shorewall 3.0.5<br><br>1) The facilities available for dealing with the TOS field in<br> /etc/shorewall/tcclasses has been expended. 
The OPTIONS field is now may<br> contain a comma-separates list of the following:<br><br> tos=0x<value>[/0x<mask>] (mask defaults to 0xff)<br> - this lets you define a classifier<br> for the given <value>/<mask> combination<br> of the IP packet's TOS/Precedence/DiffSrv<br> octet (aka the TOS byte). Please note,<br> classifiers override all mark settings,<br> so if you define a classifer for a class,<br> all traffic having that mark will go in it<br> regardless of any mark set on the packet<br> by a firewall/mangle filter.<br><br> NOTE: multiple tos= statements may be<br> applied per class and per interface, but<br> a given value/mask pair is valid for only<br> ONE class per interface.<br><br> tos-<tosname> - aliases for the following TOS octet<br> value and mask encodings. TOS encodings<br> of the "TOS byte" have been deprecated in<br> favor of diffserve classes, but programs<br> like ssh, rlogin, and ftp still use them.<br><br> tos-minimize-delay 0x10/0x10<br> tos-maximize-throughput 0x08/0x08<br> tos-maximize-reliability 0x04/0x04<br> tos-minimize-cost 0x02/0x02<br> tos-normal-service 0x00/0x1e<br><br> tcp-ack - defined causes an tc filter to<br> be created that puts all tcp ack<br> packets on that interface that have<br> an size of <=64 Bytes to go in this<br> class. This is useful for speeding up<br> downloads. Please note that the size<br> of the ack packets is limited to 64<br> bytes as some applications (p2p for<br> example) use to make every packet an<br> ack packet which would cause them<br> all into here. We want only packets<br> WITHOUT payload to match, so the size<br> limit.<br><br> NOTE: This option is only valid for<br> ONE class per interface.<br><br> Note that the semantics of 'tos-<tosname>' have changed slightly. Previously,<br> these were tested using a mask of 0xff (example: tos-minimize-delay was<br> equivalent to 0x10/0xff). Now each bit is tested individually.<br><br> This enhancement is courtesy of Paul Traina.<br></pre>
|
||||
<span style="font-weight: bold;">2006-01-05 Shorewall 3.0.4<br>
|
||||
</span>
|
||||
<pre>Problems Corrected in 3.0.4<br><br>1) The shorewall.conf file is once again "console friendly". Patch is<br> courtesy of Tuomo Soini.<br><br>2) A potential security hole has been closed. Previously, Shorewall ACCEPTed<br> all traffic from a bridge port that was sent back out on the same port. If<br> the port was described in /etc/shorewall/hosts using the wildcard "+" (eg,<br> xenbr0:vif+), this could lead to traffic being passed in variance with the<br> supplied policies and rules.<br><br>3) Previously, an intra-zone policy of NONE would cause a startup error. That<br> problem has been corrected.<br><br>4) When RETAIN_ALIASES=Yes, the script produced by "shorewall save" did not<br> add the retained aliases. This means that the following sequence of<br> events resulted in missing aliases:<br><br> shorewall start<br> shorewall restart<br> shorewall save<br> reboot<br> shorewall -f start (which is the default during boot up)<br><br>5) When a 2.x standard action is invoked with a log level (example<br> "AllowPing:info"), logging does not occur.<br><br>New Features in 3.0.4<br><br>1) By popular demand, the 'Limit' action described at<br> http://www1.shorewall.net/PortKnocking.html#Limit has been made a standard<br> action. Limit requires 'recent match' support in your kernel and iptables.<br><br>2) DISABLE_IPV6 no longer disabled local (loopback) IPV6 traffic. This<br> change is reported to improve Java startup time on some distributions.<br><br>3) Shorewall now contains support for wildcard ports. In<br> /etc/shorewall/hosts, you may specify the port name with trailing "+" then <br> use specific port names in rules.<br><br> Example:<br><br> /etc/shorewall/hosts<br><br> vpn br0:tap+<br><br> /etc/shorewall/rules<br><br> DROP vpn:tap0 vpn:tap1 udp 9999<br><br>4) For the benefit of those who run Shorewall on distributions that don't <br> autoload kernel modules, /etc/shorewall/modules now contains load commands <br> for a wide range of Netfilter modules.<br></pre>
|
||||
|
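Review bot: the new 2.4.9 entry writes `!<MAC address>` inside the `<pre>` block, and the collapsed 3.0.5 text carries `tos=0x<value>[/0x<mask>]` and `tos-<tosname>` the same way; an HTML parser treats each of these `<...>` sequences as a start tag, so the rendered page shows `tos=0x[/0x]` and loses exactly the words the reader needs. Escape them as `&lt;`/`&gt;`, e.g. `!&lt;MAC address&gt;` and `tos=0x&lt;value&gt;[/0x&lt;mask&gt;]`. Two smaller points: the `<br>` tags inside `<pre>` are redundant, since `<pre>` already preserves newlines, and collapsing each announcement onto a single line makes future diffs of this file unreadable; and the `<!-- Shorewall Release 3.0.5 -->` / `<!-- Shorewall Release 3.0.5 ENDS-->` markers now bracket the 2.4.9, 3.0.7 and 3.0.6 entries as well as 3.0.5, so the labels no longer match their content.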
@ -6,7 +6,8 @@
|
||||
<base target="_self">
|
||||
<meta name="GENERATOR" content="OpenOffice.org 2.0 (Linux)">
|
||||
<meta name="CREATED" content="20040920;15031500">
|
||||
<meta name="CHANGED" content="$Id$">
|
||||
<meta name="CHANGED"
|
||||
content="$Id$">
|
||||
</head>
|
||||
<body dir="ltr" lang="en-US">
|
||||
<h1>Shoreline Firewall (Shorewall)</h1>
|
||||
@ -17,13 +18,13 @@ notes</a> and here are the <a
|
||||
href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.7/known_problems.txt">known
|
||||
problems</a> and <a
|
||||
href="http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.7/errata/">updates</a>.</p>
|
||||
<p>The current Development Version is 3.2.0 Beta 7 – Get it from
|
||||
<p>The current Development Version is 3.2.0 Beta 8 – Get it from
|
||||
the <a href="download.htm">download sites</a>. Here are the <a
|
||||
href="http://www1.shorewall.net/pub/shorewall/development/3.2/shorewall-3.2.0-Beta7/releasenotes.txt">release
|
||||
href="http://www1.shorewall.net/pub/shorewall/development/3.2/shorewall-3.2.0-Beta8/releasenotes.txt">release
|
||||
notes</a> and here are the <a
|
||||
href="http://www1.shorewall.net/pub/shorewall/development/3.2/shorewall-3.2.0-Beta7/known_problems.txt">known
|
||||
href="http://www1.shorewall.net/pub/shorewall/development/3.2/shorewall-3.2.0-Beta8/known_problems.txt">known
|
||||
problems</a> and <a
|
||||
href="http://www1.shorewall.net/pub/shorewall/development/3.2/shorewall-3.2.0-Beta7/errata/">updates</a><br>
|
||||
href="http://www1.shorewall.net/pub/shorewall/development/3.2/shorewall-3.2.0-Beta8/errata/">updates</a><br>
|
||||
<br>
|
||||
Copyright
|
||||
© 2001-2006 Thomas M. Eastep</p>
|
||||
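Review bot: confirm that the three Beta8 files (releasenotes.txt, known_problems.txt and errata/) actually exist under shorewall-3.2.0-Beta8 on www1.shorewall.net before publishing, since a misnamed release directory fails silently with a 404; the version text and all three hrefs do move from Beta7 to Beta8 consistently. Separately, the stable 3.0.7 links in the surrounding context use www.shorewall.net while the development links use www1.shorewall.net; if that split is not intentional, pick one host.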
@ -34,7 +35,7 @@ Foundation; with no Invariant Sections, with no Front-Cover, and with
|
||||
no Back-Cover Texts. A copy of the license is included in the section
|
||||
entitled “<a href="GnuCopyright.htm" target="_self">GNU Free
|
||||
Documentation License</a>”.</p>
|
||||
<p>2006-05-14</p>
|
||||
<p>2006-05-30</p>
|
||||
<hr>
|
||||
<h3>Table of Contents</h3>
|
||||
<p style="margin-left: 0.42in; margin-bottom: 0in;"><a href="#Intro">Introduction
|
||||
|
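Review bot: the page stamp changes to `2006-05-30` in ISO form, while the News.htm hunk above keeps its stamp as `May 27, 2006`; the two pages now use different date formats and different dates for the same update. Consider a single format for both.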