Document wildcard interface sfilter exemption.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-06-14 06:51:17 -07:00
parent 4d08ad0eea
commit f04321592c
3 changed files with 28 additions and 0 deletions

@ -2,6 +2,8 @@ Changes in Shorewall 4.4.20.3
1) Remove deprecated options from the .conf files. 1) Remove deprecated options from the .conf files.
2) Exempt wildcard interfaces from sfilter.
Changes in Shorewall 4.4.20.2 Changes in Shorewall 4.4.20.2
1) Reject degenerate tcpri entries. 1) Reject degenerate tcpri entries.
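Review bot: the new changelog line "2) Exempt wildcard interfaces from sfilter." names the fix but not the symptom it addresses, while the known-problems hunk in this same commit describes a configuration with a single wildcard interface ('+') whose ruleset blocks all incoming packets; consider wording the entry so a reader can match the two, e.g. "2) Exempt wildcard interfaces from sfilter (a single wildcard interface produced a ruleset that blocked all incoming packets)."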

@ -5,9 +5,13 @@
(unannotated) version of shorewall6.conf, regardless of the '-p' (unannotated) version of shorewall6.conf, regardless of the '-p'
option. option.
Corrected in 4.4.20.1
3) Fixed item 1 from 4.4.19.4 was inadvertently omitted from 3) Fixed item 1 from 4.4.19.4 was inadvertently omitted from
4.4.20. 4.4.20.
Corrected in 4.4.20.2
2) A defect introduced in 4.4.20 can cause the following failure at 2) A defect introduced in 4.4.20 can cause the following failure at
start/restart: start/restart:
@ -18,12 +22,18 @@
/etc/shorewall/tcdevices and the default HTB queuing discipline is /etc/shorewall/tcdevices and the default HTB queuing discipline is
used. used.
Corrected in 4.4.20.2
3) The 'sfilter' interface option introduced in 4.4.20 is not applied 3) The 'sfilter' interface option introduced in 4.4.20 is not applied
to traffic addressed to the firewall itself. to traffic addressed to the firewall itself.
Corrected in 4.4.20.2
4) IPSEC traffic is incorrectly included in the rules generated by 4) IPSEC traffic is incorrectly included in the rules generated by
sfiltering. sfiltering.
Corrected in 4.4.20.2
5) Shorewall 4.4.20 can, under some circumstances, fail during 5) Shorewall 4.4.20 can, under some circumstances, fail during
iptables-restore with a message such as the following: iptables-restore with a message such as the following:
@ -38,6 +48,18 @@
ERROR: iptables-restore Failed. Input is in ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input /var/lib/shorewall/.iptables-restore-input
Corrected in 4.4.20.2
6) The following extraneous warning message may be ignored: 6) The following extraneous warning message may be ignored:
WARNING: sfilter is ineffective with FASTACCEPT=Yes WARNING: sfilter is ineffective with FASTACCEPT=Yes
Corrected in 4.4.20.2
7) A simple configuration like the 'Universal' sample that includes a
single wildcard interface ('+' in the INTERFACE column) produces a
ruleset that blocks all incoming packets.
Workaround: Add the 'routeback' option to the entry in
/etc/shorewall/interfaces.
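Review bot: new item 7 carries no "Corrected in" line, although the changelog hunk in this commit records the wildcard sfilter exemption under 4.4.20.3 and the release-notes hunk lists the same problem as corrected; if that exemption is the fix, add "Corrected in 4.4.20.3" beneath the workaround so item 7 is not read as still open. The item also never says that the blocking comes from sfilter, which is what lets a reader relate the symptom to the fix, and since 'routeback' is an interface option that changes firewall behaviour rather than a documentation-only change, the workaround line should state that it alters how traffic on that interface is handled, not just name the option.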

@ -18,6 +18,10 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
1) Deprecated options have been removed from the .conf files. 1) Deprecated options have been removed from the .conf files.
They remain in the man pages. They remain in the man pages.
2) A simple configuration like the 'Universal' sample that includes a
single wildcard interface ('+' in the INTERFACE column) produces a
ruleset that blocks all incoming packets.
4.4.20.2 4.4.20.2
1) Problem Corrected #1 from 4.4.19.4 was inadvertently omitted from 1) Problem Corrected #1 from 4.4.19.4 was inadvertently omitted from
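Review bot: the new item 2 under the problems-corrected heading describes only the symptom ("produces a ruleset that blocks all incoming packets") and never states what was corrected; the changelog hunk records the fix as exempting wildcard interfaces from sfilter, so end the entry with a sentence such as "Wildcard interfaces are now exempt from sfilter." so release-notes readers learn the behaviour change and can check it against their own configurations.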